[Owasp-leaders] Cert Stealer Released

Abbas Naderi abbas.naderi at owasp.org
Thu Dec 26 19:35:47 UTC 2013


I didn’t quite understand. What does the encoding vulnerability expose? SSL certs are public keys plus a bunch of other data. There is no private key inside to extract and re-sign another certificate with.
-A
On Dec 26, 2013, at 2:32 PM, Gregory Disney <gregory.disney at owasp.org> wrote:

> I think a fair description would be it simplifies spoofing certs. This started out as a proof of concept a year ago when I realized there was a vulnerability in PEM encoding of SSL certs, so I chain-loaded a Java key store which was converted to a key, then re-signed the cert with the chain-loaded key, thus keeping the context of the original certificate with a hijacked authority.
> On 12/26/13, 11:21 AM, Abbas Naderi wrote:
>> Well a description of what this does would be a good idea to start with…
>> -A
>> On Dec 26, 2013, at 2:18 PM, Gregory Disney <gregory.disney at owasp.org> wrote:
>> 
>>> I'm working on the documentation. It works via turning a keytool pk12 to an OpenSSL key, then embedding the key on the root CA and re-signing with the embedded key.
>>> On 12/26/13, 10:47 AM, Dinis Cruz wrote:
>>>> Hi Gregory, where can I find the details of how this works?
>>>> 
>>>> Thx
>>>> 
>>>> Dinis
>>>> 
>>>> On 26 Dec 2013 07:44, "Gregory Disney" <gregory.disney at owasp.org> wrote:
>>>> Screen shot of successfully spoofed certs:
>>>> http://image-store.slidesharecdn.com/f6ff3390-6dfc-11e3-8ed6-22000a9193db-original.png
>>>> Each of these certs has been tested and is capable of creating SSL sessions.
>>>> Cert Stealer:
>>>> https://gist.github.com/gdisneyleugers/8129304
>>>> -Greg
>>>> _______________________________________________
>>>> OWASP-Leaders mailing list
>>>> OWASP-Leaders at lists.owasp.org
>>>> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>>> 
>> 
> 
