RE: Can you impersonate a client side cert??

From: Ed Moyle (emoyleat_private)
Date: Tue Jan 29 2002 - 06:22:55 PST

Next message: Viraf Hathiram: "GPRS vulnerabilities"

Previous message: christophe gueguen: "question about fuxay scanner"
Maybe in reply to: Darren Craig: "Can you impersonate a client side cert??"
Next in thread: Cushing, David: "RE: Can you impersonate a client side cert??"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Monday, January 28, 2002 17:32 pmawsonat_private wrote:

> Phrack #57 - Hang on, Snoopy (by stealth)
>   http://www.phrack.org/show.php?p=57&a=13
> Here in lies the answer to your question.

It should be noted that this article *only applies* to CAs that are unknown to the browser and is focused primarily on server certs used for SSL.  With respect to client-side certs, the web server will only trust certs issued by a known, valid CA.  In most applications, servers only trust certs issued by a particular CA (perhaps a local CA) and not the universe of possible commercial CA's that are available by default in the web server (since commercial CAs typically have pretty week auth criteria - Verisign, for example lets you get one for "test purposes" using just your email address.)  So, using a spurious CA that you control is (usually) out of the question.  

If you can get a *trusted* CA to issue you a cert with a CN that you can control (this is not always easy to do,) the only way you can impersonate is if the application uses custom-written software that checks only the CN and not any other information on the cert.  This is not a common practice for exactly the reason that is being discussed.  Many times the SN is used, which is unique per CA.  

Some resources regarding mapping a cert to a user in particular environments:

Microsoft has an article on how this is set up w/ IIS.  Check out: http://www.microsoft.com/windows2000/techinfo/planning/security/mappingcerts.asp

IBM has a similar article for websphere:
http://www-4.ibm.com/software/webservers/appserv/doc/v35/ae/infocenter/was/050505.html

Note that in both cases, doing a mapping based on CN where *more than one CA is trusted* and/or *uniqueness of CN is not enforced* is incredibly dangerous and hence is typicaly avoided...  At the very least, DN should be used.

Just my $.02...
-E

----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
Service. For more information on SecurityFocus' SIA service which
automatically alerts you to the latest security vulnerabilities please see:
https://alerts.securityfocus.com/

Next message: Viraf Hathiram: "GPRS vulnerabilities"
Previous message: christophe gueguen: "question about fuxay scanner"
Maybe in reply to: Darren Craig: "Can you impersonate a client side cert??"
Next in thread: Cushing, David: "RE: Can you impersonate a client side cert??"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Tue Jan 29 2002 - 10:25:30 PST