Dear List,

I updated the whitepaper with a lot of new information, some leveraging the vulnerability in other ways that certainly increase the effectiveness and impact of this vulnerability.

A brief warning to those that think they are safe because they don't accept client-side renegotiations (server + openssl). I came across major websites where the SSL loadbalancer in front of the HTTPS servers was vulnerable. Although the servers were patched it still was possible to perform the attacks (the loadbalancer merged both sessions and handed them as one to the webserver).

Updates :
--------
- Added a simple s_client testcase
- Analysis of FTPS (vendors are encouraged to assess)
- HTTPS : Injecting arbitrary _responses_ into the stream
- HTTPS : Downgrading HTTPS to HTTP and performing an active mitm (Discovered by Frank Heidt but details withheld, rediscovered by Thierry Zoller for this paper)

With this new information G-SEC encourages vendors and customers to reevaluate the impact of this vulnerability on their products.

Brief explanations :
^^^^^^^^^^^^^^^^^^^^

HTTPS : Injecting arbitrary _responses_ into the stream
-------------------------------------------------------
The attacker injects a TRACE command; by doing so the attacker can indirectly control the content that is sent from the server to the victim over HTTPS.

Downgrading HTTPS to HTTP and performing an active mitm
-------------------------------------------------------
This attack leverages the known SSLStrip attack to also work on established SSL connections. SSLstrip had the limitation that it required a user to access over HTTP in order to rewrite the html code to perform active mitm. This attack over the TLS renegotiation vulnerability now allows (if certain conditions are met) to downgrade EXISTING SSL connections to perform an SSLstrip attack.

Proof of concept files
^^^^^^^^^^^^^^^^^^^^^^
G-SEC provides 2 proof of concept files :
- ssl-trace.c : using TRACE to inject (partially) arbitrary content into the encrypted stream
- ssl-302.c : Injecting a GET command to a 302 page redirecting the client to HTTP

Whitepaper : http://blog.g-sec.lu/2009/11/tls-sslv3-renegotiation-vulnerability.html
POC files : http://www.g-sec.lu/tls-ssl-proof-of-concept.html

-------
This paper explains the vulnerability for a broader audience and summarizes the information that is currently available. The document is prone to updates and is believed to be accurate by the time of writing.

Post: http://blog.g-sec.lu/2009/11/tls-sslv3-renegotiation-vulnerability.html
Direct Download: http://clicky.me/tlsvuln

Disclaimer
Information is believed to be accurate by the time of writing. As this vulnerability has complex implications this document is prone to revisions in the future.

Thierry ZOLLER - G-SEC
http://www.g-sec.lu
Principal Security Consultant
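Added example, not part of the original post and not G-SEC's proof-of-concept code: a small audit helper for the two server-side preconditions named above, an HTTPS endpoint that answers TRACE and one that issues a redirect to plain HTTP. The function names, finding labels and sample responses (host shop.example) are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

def parse_response(raw: bytes):
    """Split a raw HTTP/1.x response into (status, headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body

def audit(method: str, raw: bytes) -> list:
    """Return findings for one response recorded from an HTTPS endpoint."""
    status, headers, _ = parse_response(raw)
    findings = []
    # TRACE echoes the request back, so request content ends up in the
    # response body delivered to the client over TLS.
    if method == "TRACE" and status == 200:
        findings.append("trace-enabled")
    # A redirect whose target is plain HTTP moves the client off TLS.
    if 300 <= status < 400:
        target = urlsplit(headers.get("location", ""))
        if target.scheme.lower() == "http":
            findings.append("redirect-to-http")
    return findings

# Constructed sample responses, not captured from any real host.
SAMPLES = [
    ("TRACE", b"HTTP/1.1 200 OK\r\nContent-Type: message/http\r\n\r\n"
              b"TRACE / HTTP/1.1\r\nHost: shop.example\r\n\r\n"),
    ("TRACE", b"HTTP/1.1 405 Method Not Allowed\r\nAllow: GET, HEAD\r\n\r\n"),
    ("GET", b"HTTP/1.1 302 Found\r\nLocation: http://shop.example/login\r\n\r\n"),
    ("GET", b"HTTP/1.1 302 Found\r\nLocation: https://shop.example/login\r\n\r\n"),
    ("GET", b"HTTP/1.1 301 Moved Permanently\r\nLocation: /login\r\n\r\n"),
]

def run_samples() -> list:
    """Audit every constructed sample and return the findings in order."""
    return [audit(method, raw) for method, raw in SAMPLES]

if __name__ == "__main__":
    for (method, _), findings in zip(SAMPLES, run_samples()):
        print(method, findings or "ok")
```

Endpoints flagged here are worth fixing (disable TRACE, redirect only to https:// targets) regardless of whether the TLS stack or the loadbalancer in front of them has been patched.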