lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-Id: <201601252008.u0PK8o8M004598@sf01web1.securityfocus.com>
Date: Mon, 25 Jan 2016 20:08:50 GMT
From: cxsecurity@...tonmail.com
To: bugtraq@...urityfocus.com
Subject: Magento 1.9.x Multiple Man-In The Middle

Magento 1.9.x Multiple Man-In The Middle 
https://cxsecurity.com/issue/WLB-2016010129

--- Description ---
The man-in-the middle attack intercepts a communication between two systems. For example, in an http transaction the target is the TCP connection between client and server. Using different techniques, the attacker splits the original TCP connection into 2 new connections, one between the client and the attacker and the other between the attacker and the server, as shown in figure 1. Once the TCP connection is intercepted, the attacker acts as a proxy, being able to read, insert and modify the data in the intercepted communication.

https://www.owasp.org/index.php/Man-in-the-middle_attack


--- Result of static code analysis ---

Let's follow the curl's settings for CURLOPT_SSL_VERIFYPEER and CURLOPT_SSL_VERIFYHOST in Magento 1.9.

CURLOPT_SSL_VERIFYPEER option.
http://curl.haxx.se/libcurl/c/CURLOPT_SSL_VERIFYPEER.html
WARNING: disabling verification of the certificate allows bad guys to man-in-the-middle the communication without you knowing it. Disabling verification makes the communication insecure. Just having encryption on a transfer is not enough as you cannot be sure that you are communicating with the correct end-point.

CURLOPT_SSL_VERIFYHOST option.
http://curl.haxx.se/libcurl/c/CURLOPT_SSL_VERIFYHOST.html
When the verify value is 0, the connection succeeds regardless of the names in the certificate. Use that ability with caution!

DHL App
---------------------------------
./magento-mirror-1.9.1.1/app/code/core/Mage/Usa/Model/Shipping/Carrier/Dhl.php: curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, 0);
./magento-mirror-1.9.1.1/app/code/core/Mage/Usa/Model/Shipping/Carrier/Dhl.php: curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 0);
./magento-mirror-1.9.1.1/app/code/core/Mage/Usa/Model/Shipping/Carrier/Dhl.php: curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, 0);
./magento-mirror-1.9.1.1/app/code/core/Mage/Usa/Model/Shipping/Carrier/Dhl.php: curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 0);
---------------------------------

In this file, we can see

----
protected function _doRequest()
{
$r = $this->_rawRequest;

$xml = new SimpleXMLElement('<?xml version = "1.0" encoding = "UTF-8"?><eCommerce/>');
$xml->addAttribute('action', 'Request');
$xml->addAttribute('version', '1.1');

$requestor = $xml->addChild('Requestor');
$requestor->addChild('ID', $r->getId());
$requestor->addChild('Password', $r->getPassword());
----

where ID and Password are sending in insecure connection. Next.

Fedex App
---------------------------------
./magento-mirror-1.9.1.1/app/code/core/Mage/Usa/Model/Shipping/Carrier/Fedex.php: curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, 0);
./magento-mirror-1.9.1.1/app/code/core/Mage/Usa/Model/Shipping/Carrier/Fedex.php: curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 0);
---------------------------------

The same problem. Vulnerable.

UPS App
---------------------------------
./magento-mirror-1.9.1.1/app/code/core/Mage/Usa/Model/Shipping/Carrier/Ups.php: curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, (boolean)$this->getConfigFlag('mode_xml'));
./magento-mirror-1.9.1.1/app/code/core/Mage/Usa/Model/Shipping/Carrier/Ups.php: curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, (boolean)$this->getConfigFlag('mode_xml'));
./magento-mirror-1.9.1.1/app/code/core/Mage/Usa/Model/Shipping/Carrier/Ups.php: curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, (boolean)$this->getConfigFlag('mode_xml'));
---------------------------------

Missing CURLOPT_SSL_VERIFYHOST. Vulnerable.


Mobile Controller
---------------------------------
./magento-mirror-1.9.1.1/app/code/core/Mage/XmlConnect/controllers/Adminhtml/MobileController.php: curl_setopt($curlHandler, CURLOPT_SSL_VERIFYHOST, 2);
./magento-mirror-1.9.1.1/app/code/core/Mage/XmlConnect/controllers/Adminhtml/MobileController.php: curl_setopt($curlHandler, CURLOPT_SSL_VERIFYPEER, 0);
---------------------------------

CURLOPT_SSL_VERIFYPEER == 0. Vulnerable


Mobile Controller
---------------------------------
./magento-mirror-1.9.1.1/downloader/lib/Mage/HTTP/Client/Curl.php: $this->curlOption(CURLOPT_SSL_VERIFYPEER, false);
./magento-mirror-1.9.1.1/downloader/lib/Mage/HTTP/Client/Curl.php: $this->curlOption(CURLOPT_SSL_VERIFYHOST, 2);
---------------------------------

CURLOPT_SSL_VERIFYPEER == false. Vulnerable

3D Secure CentinelClient
---------------------------------
./magento-mirror-1.9.1.1/lib/3Dsecure/CentinelClient.php: curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 2);
./magento-mirror-1.9.1.1/lib/3Dsecure/CentinelClient.php: curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, FALSE);
---------------------------------

CURLOPT_SSL_VERIFYPEER == false. Vulnerable


PEAR SOAP
--------------------------------
./magento-mirror-1.9.1.1/lib/PEAR/SOAP/Transport/HTTP.php: curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, 0);
---------------------------------

Vulnerable


Errors caught by cifrex.org. Sorry for the late publication but Magento Security Team did not responded to my emails :(

In ChangeLog for version 2.0.0.0-dev60:
* Fixed a security issue when CURLOPT_SSL_VERIFYPEER and CURLOPT_SSL_VERIFYHOST where used with improper values sometimes

and for 2.0.0.0-dev35

* Fixed security issue - set `CURLOPT_SSL_VERIFYPEER` to `true` by default in cUrl calls

but no detailed information available


--- Credit ---
Maksymilian Arciemowicz from CXSECURITY
https://cxsecurity.com
http://cifrex.org

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ