https://huntr.dev/users/alromh87 has fixed the Man-in-the-Middle vulnerability 🔨. alromh87 has been awarded $25 for fixing the vulnerability through the huntr bug bounty program 💵. Think you could fix a vulnerability like this?
em-imap is a gem that allows you to connect to an IMAP4rev1 server in a non-blocking fashion.
Affected versions of this package are vulnerable to Man-in-the-Middle (MitM). The hostname in a TLS server certificate is not verified. An attacker can acquire the identity of a trusted server and implement malicious data.
SSL validation was not implemented making em-imap vulnerable to MiM attacks, fixed adding validations.
💻 Technical Description *
ssl_verify_peer param is eneabled when calling connect from EventMachine::Connection, this will call ssl_verify_peer and ssl_handshake_completed of the connection module for the calling programm to implement validation logic.
EM::run do
client = EM::IMAP.new('test.imap.gmail.com', 993, true)
client.connect.errback do |error|
puts "Connecting failed: #{error}"
end.callback do |hello_response|
puts "Connecting succeeded!"
puts hello_response
end.bothback do
EM::stop
end
end
5. Run the test client
`ruby clientPoc.rb`
6. Client will connect ignoring the self signed certificate
### 🔥 Proof of Fix (PoF) *
After fix Invalid certificate is detected and connection terminated
Valid certificate for wrong server will also be detected and connection aborted
### 👍 User Acceptance Testing (UAT)
After fix functionality is unafected
ConradIrwin
commented
4 years ago
https://huntr.dev/users/alromh87 has fixed the Man-in-the-Middle vulnerability 🔨. alromh87 has been awarded $25 for fixing the vulnerability through the huntr bug bounty program 💵. Think you could fix a vulnerability like this?
Get involved at https://huntr.dev/
Q | A Version Affected | ALL Bug Fix | YES Original Pull Request | https://github.com/418sec/em-imap/pull/1 GitHub Issue | https://github.com/ConradIrwin/em-imap/issues/25 Vulnerability README | https://github.com/418sec/huntr/blob/master/bounties/rubygems/em-imap/1/README.md
User Comments:
📊 Metadata *
em-imap is a gem that allows you to connect to an IMAP4rev1 server in a non-blocking fashion.
Affected versions of this package are vulnerable to Man-in-the-Middle (MitM). The hostname in a TLS server certificate is not verified. An attacker can acquire the identity of a trusted server and implement malicious data.
Bounty URL: https://www.huntr.dev/bounties/1-rubygems-em-imap/
⚙️ Description *
SSL validation was not implemented making em-imap vulnerable to MiM attacks, fixed adding validations.
💻 Technical Description *
ssl_verify_peer param is eneabled when calling connect from EventMachine::Connection, this will call ssl_verify_peer and ssl_handshake_completed of the connection module for the calling programm to implement validation logic.
Validation of Server certificate was implemented using openssl based on code from: https://github.com/lostisland/faraday/commit/63cf47c95b573539f047c729bd9ad67560bc83ff
🐛 Proof of Concept (PoC) *
Add a fake DNS entry to /etc/hosts.
echo "127.0.0.1 test.imap.gmail.com" | sudo tee -a /etc/hostsCreate a certificate.
openssl req -x509 -newkey rsa:2048 -keyout key.pem -out cert.pem -days 365 -nodesListen on port 443 with TLS enabled.
openssl s_server -key key.pem -cert cert.pem -accept 443Create sample client:
EM::run do client = EM::IMAP.new('test.imap.gmail.com', 993, true) client.connect.errback do |error| puts "Connecting failed: #{error}" end.callback do |hello_response| puts "Connecting succeeded!" puts hello_response end.bothback do EM::stop end end