Red Hat Bugzilla – Bug 127186
CAN-2004-0758 Overriding built-in certificate leading to error -8182 (DoS), especially exploitable by email
Last modified: 2007-11-30 17:07:02 EST
Description of problem:
/*(see https://banquo.inf.ethz.ch:8080/ for a close description)*/
/*Mozilla.org has been informed and a bug has been filed*/
Importing a self-made certificate (call it x) with the same DN as a
built-in CA root cert (called b) overrides the built-in one:
trying to open an SSL page protected by a cert signed by b throws an
error -8182 ('certificate presented by xyz.com is invalid or corrupt')
-> Denial of Service.
This could be automated when importing x via mime type
application/x-x509-email-cert, causing Mozilla to import the cert
silently (bug Nr. 2).
This is also possible via email messages, calling the cert x link
inside an <iframe> tag, leading to a silent import of x when opening
or previewing the message (bug Nr. 3).
Conclusion: a fully automatic DoS of the entire cert store via email
is possible, no user interaction needed.
always. Tested with Mozilla 1.6 and 1.7
Mozilla 1.0.2 is NOT vulnerable.
Steps to Reproduce:
1. craft a self-signed cert (openssl) with the same DN as a built-in
CA root cert.
2. import it into the cert store, either manually or by providing it
encoded using the mime content type application/x-x509-email-cert for
3. Your certificate store is "corrupted" from this time on: open a web site
protected by an SSL certificate signed by the root CA cert you've been
forging and you'll get an error -8182.
4. The same could be reached via email when including an <iframe>
pointing to the cert's location, leading to a fully automatic silent import
of the cert.
Mozilla imports the "forged" root cert into the "authorities" tab of the cert
manager as an untrusted root. You can identify it by the column "security
device": it's stored in the "software security device" instead of the
"Object Token". However your certificate store is "corrupted" from this time on:
open a web site protected by an SSL certificate signed by the root CA cert
you've been forging and you'll get an error -8182.
Mozilla silently (without any warning/message!) imports the root cert into the
"authorities" tab of the cert manager as an untrusted root when serving it as
mime type application/x-x509-email-cert. According to the principles of
Clarity for 'safe and secure CA-related UI-Dialogs' proposed in chapter 4.2. of
my diploma thesis, instead of no user feedback, an adequate treatment of this
situation would be to show the import dialogue.
During my diploma thesis on Rogue CA's possibilities, one part of the
work was to evaluate today's browsing software.
Contact me: This bug was found as part of my diploma thesis which is
still going on. If you have any suggestions or ideas, contact me at
firstname.lastname@example.org (PGP Key: 0x0AA132A7141D27C8).
already reported as http://bugzilla.mozilla.org/show_bug.cgi?id=249004
on 040629, but no reaction there ?!?! Also, no echo from reporting to
cert.org 2 days ago...
The bug is also tracked at
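Added example, not from the bug report or from Mozilla/NSS: a defensive audit over an exported set of DER certificates that flags any subject DN carried by more than one distinct certificate, which is the collision that lets the imported cert x shadow the built-in root b. It compares the DER-encoded subject Name byte-for-byte; the sample "store" is built from constructed, unsigned certificate skeletons with an assumed CN ("Example Root CA"), not real certificates.

```python
import hashlib
from collections import defaultdict

def _tlv(buf, pos):
    """Decode one DER TLV at buf[pos]; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                   # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def subject_name_der(cert_der):
    """Return the raw DER subject Name (RFC 5280 TBSCertificate field order)."""
    _, cert, _ = _tlv(cert_der, 0)                      # Certificate SEQUENCE
    _, tbs, _ = _tlv(cert, 0)                           # tbsCertificate
    tag, _, pos = _tlv(tbs, 0)                          # [0] version or serial
    if tag == 0xA0:
        _, _, pos = _tlv(tbs, pos)                      # serialNumber
    for _ in range(3):                                  # signature, issuer, validity
        _, _, pos = _tlv(tbs, pos)
    return _tlv(tbs, pos)[1]                            # subject

def find_dn_collisions(certs):
    """Subject DNs carried by more than one distinct cert, with SHA-256 fingerprints."""
    by_dn = defaultdict(set)
    for der in certs:
        by_dn[subject_name_der(der)].add(hashlib.sha256(der).hexdigest())
    return {dn.hex(): sorted(fps) for dn, fps in by_dn.items() if len(fps) > 1}

def _der(tag, body):                                    # minimal DER encoder (samples only)
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def _name(cn):                                          # Name with a single commonName
    atv = _der(0x30, _der(0x06, bytes.fromhex("550403")) + _der(0x0C, cn.encode()))
    return _der(0x30, _der(0x31, atv))

def fake_cert(cn, serial):
    """Constructed, unsigned cert skeleton with dummy fields; parses like a cert, is not one."""
    alg = _der(0x30, _der(0x06, bytes.fromhex("2A864886F70D01010B")))  # sha256WithRSA
    validity = _der(0x30, _der(0x17, b"040101000000Z") * 2)
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, bytes([serial]))
               + alg + _name(cn) + validity + _name(cn) + _der(0x30, b""))
    return _der(0x30, tbs + alg + _der(0x03, b"\x00"))

# Constructed store: a "built-in" root, a self-signed cert reusing its DN, an unrelated root.
SAMPLE_STORE = [fake_cert("Example Root CA", 1), fake_cert("Example Root CA", 2),
                fake_cert("Other Root CA", 3)]
```

Running find_dn_collisions(SAMPLE_STORE) reports the shared DN with two fingerprints; on a real store, feed it the DER of every certificate in the "authorities" tab.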
Will be part of a Mozilla 1.4.3 update for RHEL users shortly.
An errata has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.