SecurityTracker.com
SecurityTracker Archives

Category:  Application (Web Server/CGI) > Microsoft Internet Information Server (IIS) Web Server
Vendors:  Microsoft
Microsoft Internet Information Server (IIS) Web Server Fails to Properly Validate Client-side Certificates, Allowing Remote Users to Impersonate Other Users or Certificate Issuers
SecurityTracker Alert ID:  1005083
SecurityTracker URL:  http://securitytracker.com/id/1005083
CVE Reference:  GENERIC-MAP-NOMATCH
Date:  Aug 19 2002
Impact:   Host/resource access via network, User access via network
Fix Available:  Yes  Vendor Confirmed:  Yes  Exploit Included:  Yes  
Version(s): 5.0 SP2 and prior versions
Description:   A vulnerability was reported in Microsoft's Internet Information Server (IIS) web server. A remote user may be able to present an invalid certificate that will be interpreted by the server as a valid certificate, allowing them to impersonate other authorized users.

Sentor Torparfar issued an advisory warning that the web server fails to perform verification of basic constraints when validating a client-side certificate chain.

Because client certificate authentication generally relies on information contained in the subfields of the subject (client) and issuer, a remote user can create false credentials that can be used to impersonate any valid user.

The following demonstration exploit steps have been provided:

1 - Obtain a valid certificate which is ultimately issued by a root authority trusted by the target server.

2 - Create a certificate request containing the fields necessary to impersonate the issuer.

3 - Sign this request using the private key corresponding to your valid certificate.

4 - Create a certificate request containing the fields necessary to impersonate the subject.

5 - Sign this request using the private key that corresponds to the certificate you created in step 3.

Impact:   A remote user can impersonate a valid authorized user.
Solution:   The vendor has released a fix in Windows 2000 SP3, available at:

http://www.microsoft.com/windows2000/downloads/servicepacks/sp3/default.asp

Vendor URL:  www.microsoft.com/windows2000/downloads/servicepacks/sp3/default.asp
Cause:   Authentication error, State error
Underlying OS:  Windows (2000)

Message History:   None.


 Source Message Contents

Subject:  Insufficient Verification of Client Certificates in IIS 5.0 pre sp3


-------------------------------------------------------------------------------

  Sentor Torparfar Advisory #001

 Title: Insufficient Verification of Client Certificates in IIS 5.0 pre sp3
 Date: August 16, 2002
 Author: Johan Persson <johan.person@sentor.se>

-------------------------------------------------------------------------------

Summary:

 When an SSL connection is set up between IIS 5.0 pre sp3 and a client
 the server verifies that the client certificate is ultimately
 issued by a trusted root authority (as defined by CTL) and
 that none of the certificates in the chain have expired.

 There are several checks that are not being done.
 In particular there is no verification of basic constraints.

 Since all subsequent validity checks (client certificate mapping,
 ASP methods etc) only deal with the subfields (O, OU, CN, etc) of
 the subject and/or issuer it is trivial to spoof your identity.


Details:

 Vulnerable systems:
  Windows 2000, IIS 5.0 pre sp3

 Not Vulnerable:
  Windows 2000, IIS 5.0 sp3

  I have no idea if there are similar vulnerabilities in
  any of the other versions of IIS, as I haven't checked.

 Description:
  The validity of a client certificate chain is not properly
  checked on the server side in an SSL connection involving
  IIS 5.0 pre sp3. In particular there is no verification of basic
  constraints. Since client certificate mapping as well as other
  methods of authentication using certificates relies on the
  information contained in the subfields of the subject (client)
  and issuer it is possible to create false credentials that
  can be used to impersonate any valid user.

Impact:
 In a system that relies on client side certificates for authentication
 it is possible to impersonate any user whose public details (certificate
 subfields) are known.


Exploit:
 Get a (any) valid certificate which is ultimately issued by a root
 authority trusted by the target server.

 Create a certificate request containing whatever fields you need to
 impersonate the issuer you want to spoof.

 Sign this request using the private key corresponding to your valid
 certificate.

 Create a certificate request containing whatever fields you need to
 impersonate the subject you want to spoof.

 Sign this request using the private key that corresponds to the certificate
 you created in step 3.

 I will not release detailed exploit information. Openssl and some
 experimenting should suffice.


Vendor Status:
 Microsoft contacted June 24, 2002
 Microsoft provided me with a hotfix July 18, 2002
 The fix is included in Service Pack 3

Solution:
 Get and install Service Pack 3 from Microsoft



   0nd/Ag3nt0nd/0rm/Torparfar
-------------------------------------------------------------------------------
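The five steps in the summary and in the advisory's Exploit section describe a chain in which an ordinary end-entity certificate is used as if it were a CA. The Go program below, an added example that is not code from the advisory, from SecurityTracker or from Microsoft, replays those steps against two verifiers: a naive one that performs only the checks the advisory says IIS 5.0 pre-SP3 performed (signatures chain to a trusted root), and a strict one that adds the missing RFC 5280 section 4.2.1.9 rule that every signing certificate must assert basicConstraints cA=TRUE. It also asks Go's own `CheckSignatureFrom` for its verdict at the forged link. All names (Example Corp, Corp Root CA, Mallory, Alice), serial numbers and the helper functions are constructed for the demo; expiry checking is left out of the naive verifier for brevity.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

func check(err error) {
	if err != nil {
		panic(err)
	}
}

// issue mints a P-256 certificate for cn signed by parent/parentKey (nil parent: self-signed root).
// keyCertSign is set on every certificate so that basicConstraints cA is the only CA marker here.
func issue(serial int64, cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{Organization: []string{"Example Corp"}, CommonName: cn}, // constructed names
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true, // extension present; IsCA decides the cA boolean
		IsCA:                  isCA,
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
	}
	signer, signerKey := parent, parentKey
	if parent == nil {
		signer, signerKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return cert, key
}

// naiveVerify models the pre-SP3 logic the advisory describes: every signature verifies
// against the next certificate and the chain ends at the trusted root. Nothing looks at basicConstraints.
func naiveVerify(chain []*x509.Certificate, root *x509.Certificate) error {
	for i := 1; i < len(chain); i++ {
		signer, child := chain[i], chain[i-1]
		// CheckSignature verifies the signature only; it ignores the signer's constraints.
		if err := signer.CheckSignature(child.SignatureAlgorithm, child.RawTBSCertificate, child.Signature); err != nil {
			return fmt.Errorf("bad signature on %q: %w", child.Subject.CommonName, err)
		}
	}
	if len(chain) == 0 || !root.Equal(chain[len(chain)-1]) {
		return fmt.Errorf("chain does not end at the trusted root")
	}
	return nil
}

// strictVerify adds the check IIS lacked (RFC 5280 section 4.2.1.9): every
// certificate that signed another must assert basicConstraints cA=TRUE.
func strictVerify(chain []*x509.Certificate, root *x509.Certificate) error {
	if err := naiveVerify(chain, root); err != nil {
		return err
	}
	for i := 1; i < len(chain); i++ {
		if s := chain[i]; !s.BasicConstraintsValid || !s.IsCA {
			return fmt.Errorf("%q signed %q but is not a CA", s.Subject.CommonName, chain[i-1].Subject.CommonName)
		}
	}
	return nil
}

// buildScenario replays the advisory's five steps: Mallory holds a genuine end-entity certificate
// (step 1), signs a look-alike "Corp Root CA" with its key (steps 2-3), then issues "Alice" under it (steps 4-5).
func buildScenario() (*x509.Certificate, []*x509.Certificate, []*x509.Certificate) {
	root, rootKey := issue(1, "Corp Root CA", true, nil, nil)
	mallory, malloryKey := issue(2, "Mallory", false, root, rootKey)
	fakeIssuer, fakeIssuerKey := issue(3, "Corp Root CA", true, mallory, malloryKey)
	fakeAlice, _ := issue(4, "Alice", false, fakeIssuer, fakeIssuerKey)
	realAlice, _ := issue(5, "Alice", false, root, rootKey)
	return root, []*x509.Certificate{fakeAlice, fakeIssuer, mallory, root}, []*x509.Certificate{realAlice, root}
}

// verifyAll returns the verdicts (nil = accepted) on the forged chain and, as a positive control, the genuine one.
func verifyAll() (naiveErr, strictErr, stdlibErr, genuineErr error) {
	root, forged, genuine := buildScenario()
	naiveErr = naiveVerify(forged, root)
	strictErr = strictVerify(forged, root)
	stdlibErr = forged[1].CheckSignatureFrom(forged[2]) // Go's own check at the link Mallory signed
	genuineErr = strictVerify(genuine, root)
	return
}

func main() {
	naive, strict, std, genuine := verifyAll()
	fmt.Printf("naive/forged: %v\nstrict/forged: %v\nx509/forged: %v\nstrict/genuine: %v\n", naive, strict, std, genuine)
}
```

The forged chain carries a valid signature at every link and terminates at the trusted root, so the naive verifier accepts it and a mapping keyed on subject or issuer subfields would treat the forged "Alice" as Alice. The strict verifier stops at Mallory, whose certificate is present but carries cA=FALSE, which is the same reason Go's `CheckSignatureFrom` refuses that link. Note that the attacker can set cA=TRUE on the look-alike issuer certificate they mint themselves; the check only bites because it is applied to every signer in the chain, including the one the real CA issued.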

 
 


Copyright 2019, SecurityGlobal.net LLC