The recent GnuTLS certificate verification bug made it possible to craft an arbitrary certificate in a way that GnuTLS would validate correctly against a given CA root certificate store.
whenever a big SSL or TLS security incident happens, we scan all the
certificates we have seen so far to see if they could have been used for an
attack. For this bug, we dived into the
GnuTLS source, examined the conditions that trigger the bug, and figured how an attacker would exploit the bug. Based on our analysis, we believe that there exist multiple methods to trigger the bug. In the following, we describe one that worked.
signature, and the signature algorithm. If any of these lookups fail, the
verification still succeeds due to missing adjustments of the variable result, which denotes the function return value. On success, the function should return a non-zero value, but the code lacked checks to set the value to zero.
exploit the bug. According to the function _gnutls_x509_get_signature, the signature verification fails if the number of bits in the certificate
signature is not divisible by 8. Certificate signatures have an ASN.1 bit string encoding, which theoretically may exhibit an arbitrary number of zeros and ones, and may not necessarily be divisible by 8. But the GnuTLS function assumes a byte-aligned signature, hence the check. In the ASN.1 DER encoding, used in X509 certificates, a bit string begins with a single byte which denotes the number of missing bits in the last byte. For all normal certificates, this value is always zero, and the function continues. But if we change this byte to a non-zero value, the function fails the divisibility check and returns with wrong error code, causing the certificate verification to succeed.
algorithm verification fail. However, none of them seemed to be as easy to
exploit as the signature algorithm.
the certificate for bro.org, exchanged the private key, and tried to validate it
with GnuTLS. Indeed, the verification succeeds with gnutls-certtool and we could establish a secure connection to the server using gnutls-cli.
You also can test it by downloading the following certificate chain and verifying it using
the certificates contained in the ICSI SSL Notary to see if there is any
certificate that specifies a non 8-bit-divisible signature. Due to the size of
our data set – at the moment it consists or more than 1.8 million certificates extracted from more than 50 billion connections – the scan is still running; so far there have been no hits.