phpseclib / phpseclib

PHP Secure Communications Library
http://phpseclib.com/
MIT License

Some characters can result in name confusion in the X.509 hostname verification process #1943

Open x509-name-testing opened 1 year ago

x509-name-testing commented 1 year ago

Hi there,

I am writing to report a bug in the X.509 hostname verification process, which might result in name confusion attacks.

My testing environment is php7/php8. Here is some example code.

<?php
require 'vendor/autoload.php';
use phpseclib3\File\X509;

$ee_crt = <<<'EOD'
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
EOD;
// the ee cert `DNS=a+`
$name = "aa";

$x509 = new X509();
// $ca = $x509->loadCA(file_get_contents($ca_cert_path));
$ee = $x509->loadX509($ee_crt);

// prefix a scheme so validateURL() can parse the host out of the name
if (strpos($name, "//") === false) {
    $name = "https://" . $name;
}
$ret = $x509->validateURL($name);
echo $ret ? 'ok' : 'error'; echo "\n";
exit($ret ? 0 : 1);
?>

In the previous case, the + matched a, which should be an obvious name confusion. And here are 2 other cases for your reference:

// ---- case 2
$ee_crt = <<<'EOD'
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
EOD;
// the ee cert `DNS=|/`
$name = "./";

// ---- case 3
$ee_crt = <<<'EOD'
-----BEGIN CERTIFICATE-----
MIIDtTCCAp2gAwIBAgICECEwDQYJKoZIhvcNAQELBQAwYzELMAkGA1UEBhMCVVMx
ITAfBgNVBAoTGFRoZSBHbyBEYWRkeSBHcm91cCwgSW5jLjExMC8GA1UECxMoR28g
RGFkZHkgQ2xhc3MgMiBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTAeFw0xNjAyMDcx
NzI0MDBaFw0yNDAxMDYwNjQ0NThaMHkxCzAJBgNVBAYTAlVTMQswCQYDVQQIEwJD
QTEWMBQGA1UEBxMNTW91bnRhaW4gVmlldzEUMBIGA1UEChMLR29vZ2xlIEluYy4x
GDAWBgNVBAsTD0dvb2dsZSBSZXNlYXJjaDEVMBMGA1UEAxQMKi5nb29nbGUuY29t
MIIBIDANBgkqhkiG9w0BAQEFAAOCAQ0AMIIBCAKCAQEAxUWTaM/RKjoA8urhPYXr
Nh2Oz9HA88XkFIxhD3pm80wBlTTTnymSJJVWKpEJO7OyengVFRIv7U19VAFd8VCh
TCiFl7a4hsiWWQi3zh/NYgj0BnweNriblknBKTze6te1DP8otZ22qBUmhCR27aER
MWE9urWLwMIuJN/hxK234MljS9lBB3fv52RrZzSftga/P5zK34ZOlbnGcLbtoKR3
p0uWakBZM8u/665hQ4u4+YkA2kJy5YSF6wXpYKl29/mj1w9ODJTUFj3KmliiGXeo
2IhYLu4Pq52D7OKjDvKZRKK6tOM8Pii1c310ljlCewCuF/Oy/ygbNmaJG7J8/jTA
pwIBA6NfMF0wDAYDVR0TAQH/BAIwADANBgNVHREEBjAEggIuKzAdBgNVHQ4EFgQU
Zd/yRfldVXIxnAKzGaO6vZrb2XswHwYDVR0jBBgwFoAU4J1tAjJyIZ/+BvOatp4W
N1Fo5MMwDQYJKoZIhvcNAQELBQADggEBADTpAv+TIx6i7phpAgOzx3DPuV21mVx9
4l3paNh1evTzwH6g4joQk3/s96NfvSfbJNKJRWC5tipxBnAbuiz37qZDl3GV7sQ4
9ioJ/jpeo89hN61sQlENCnz0/h6s5W79wHkqSnpYLNCz3jRNzdLGsuAh5FfBB9/z
f/b1zqXtCE4SUoHW8ADoyj42L51wA7MXXY6c7xliA5/IhpE9WX7rSUtpQUKPK9FF
udzPe28AllrZtNYg3XZFzzLqAoD2q0AtqjqetRVDUuMRU+iHemluIeIdbkTuUpR9
F96sJyHwiv6IJW7vW/2LL1kLMEnsvvU+s5/x1vLgsQjcdJCLdKOqMsc=
-----END CERTIFICATE-----
EOD;
// the ee cert `DNS=.+`
$name = "./";

From the cases, it seems some characters, such as +, can act as wildcards in phpseclib. If so, it should be a security issue. Could the developing team have a look at these cases? Many thanks.

I am looking forward to your reply.

Regards.
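An added illustration of the bug class the three cases above exercise (editor-written PHP, not code from the issue or from phpseclib). The unsafe matcher assumes the library built a regex from the SAN dNSName value with only `*` treated specially, which the report implies but does not show; the hardened matcher is one way to close that gap.

```php
<?php
// Unsafe: the SAN value is dropped straight into a regex, so `+`, `|`, `.`
// and other metacharacters keep their regex meaning (assumed shape of the bug).
function matchesUnsafe(string $sanDns, string $host): bool
{
    $pattern = '#^' . str_replace('*', '[^.]*', $sanDns) . '$#i';
    return preg_match($pattern, $host) === 1;
}

// Hardened: reject anything that is not a hostname shape, escape everything,
// then re-introduce the wildcard so it matches exactly one leftmost label
// (RFC 6125 section 6.4.3 style).
function matchesSafe(string $sanDns, string $host): bool
{
    // Only LDH labels, dots, and an optional leading "*." are acceptable.
    if (!preg_match('/^(\*\.)?([a-z0-9-]+\.)*[a-z0-9-]+$/i', $sanDns)) {
        return false;
    }
    if (!preg_match('/^([a-z0-9-]+\.)*[a-z0-9-]+$/i', $host)) {
        return false;
    }
    $pattern = '#^' . str_replace('\*', '[^.]+', preg_quote($sanDns, '#')) . '$#i';
    return preg_match($pattern, $host) === 1;
}

// Constructed test vectors: the three SAN/host pairs from the report plus a
// legitimate wildcard pair that must keep working, and one that must not
// let the wildcard span two labels.
$cases = [
    ['a+', 'aa'],
    ['|/', './'],
    ['.+', './'],
    ['*.example.com', 'www.example.com'],
    ['*.example.com', 'a.b.example.com'],
];
foreach ($cases as [$san, $host]) {
    printf("SAN %-16s host %-18s unsafe=%s safe=%s\n", $san, $host,
        matchesUnsafe($san, $host) ? 'match' : 'no',
        matchesSafe($san, $host) ? 'match' : 'no');
}
```

The first three rows print `unsafe=match safe=no`, which is the whole defect: only the unescaped matcher treats the reporter's SAN values as patterns.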

terrafrost commented 1 year ago

I'll try to take a look at this within the next few days. I'm doing https://www.indigoalpineguides.com/alpine-cliff-camping this evening and need to prep for that.

terrafrost commented 1 year ago

https://github.com/phpseclib/phpseclib/commit/6cd6e8ceab9f2b55c8cd81d2192bf98cbeaf4627 should fix this.

Thanks!

x509-name-testing commented 1 year ago

Thanks


x509-name-testing commented 5 months ago

Dear Seclib Team,

Can I get the CVE numbers for the hostname verification issue? It would be helpful for me to get a CVE assigned, and if you could help me with that, it would be much better. Many thanks, and looking forward to your reply and comments.

Regards, x509 Name Testing

terrafrost commented 5 months ago

I don't know how to create a CVE. All the CVEs that have been created for this project were done by Tidelift. The README.md says this of submitting security vulnerabilities:

To report a security vulnerability, please use the Tidelift security contact. Tidelift will coordinate the fix and disclosure.

https://github.com/phpseclib/phpseclib?tab=readme-ov-file#security-contact-information

The "Tidelift security contact" link, in turn, says to email security@tidelift.com.

Even if I did know how to create CVEs, I still like the process, as an independent and more objective third party is deciding whether or not something merits a CVE.

If one is desired I suppose I can begin researching how to create one sometime this week. Or I can email them to see if they can retroactively create one or some such (I've never done that before either; it's always been people emailing them).

x509-name-testing commented 5 months ago

Thanks for your reply. Could you please help me to connect with the Tidelift security team? I emailed the address before but failed (it seems I was blocked? not very sure). It would also be okay if you could help me create a CVE. Many thanks in advance.

terrafrost commented 5 months ago

Did you get a bounce back or something? Send me your email to terrafrost@php.net and a copy of the error you got back and I'll send it their way!

x509-name-testing commented 5 months ago

Hi Terrafrost, I sent the email to you. Please check your mailbox. Thanks very much.

terrafrost commented 5 months ago

Got the email and forwarded it off. We'll see what we see!
