Description of problem:
/*(see https://banquo.inf.ethz.ch:8080/ for a closer description)*/
/*Mozilla.org has been informed and a bug has been filed*/

Importing a self-made certificate (call it x) with the same DN as a built-in CA root cert (call it b) overrides the built-in one: trying to open an SSL page protected by a cert signed by b throws error -8182 ('certificate presented by xyz.com is invalid or corrupt') -> Denial of Service.

This could be automated when importing x via mime type application/x-x509-email-cert, causing Mozilla to import the cert silently (bug Nr. 2).

This is also possible via email messages, calling the cert x link inside an <iframe> tag, leading to a silent import of x when opening or previewing the message (bug Nr. 3).

Conclusion: a fully automatic DoS of the entire cert store via email is possible, no user interaction needed.

How reproducible: always. Tested with Mozilla 1.6 and 1.7; Mozilla 1.0.2 is NOT vulnerable.

Steps to Reproduce:
1. Craft a self-signed cert (openssl) with the same DN as a built-in CA root cert.
2. Import it into the cert store, either manually or by providing it PEM encoded using the mime content type application/x-x509-email-cert for _silent import_.
3. Your certificate store is "corrupted" from this time on: open a web site protected by an SSL certificate signed by the root CA cert you've been forging and you'll get error -8182.
4. The same can be reached via email by including an <iframe> pointing to the cert's location, leading to a fully automatic silent import of the cert.

Actual Results:
Mozilla imports the "forged" root cert into the "authorities" tab of the cert manager as an untrusted root. You can identify it by the column "security device": it's stored in the "Software Security Device" instead of the "Builtin Object Token".
However, your certificate store is "corrupted" from this time on: open a web site protected by an SSL certificate signed by the root CA cert you've been forging and you'll get error -8182.

Expected Results:
Mozilla silently (without any warning/message!) imports the root cert into the "authorities" tab of the cert manager as an untrusted root when serving it as type application/x-x509-email-cert. According to the principles Visibility and Clarity for 'safe and secure CA-related UI dialogs' proposed in chapter 4.2 of my diploma thesis, instead of no user feedback, an adequate treatment of this situation would be to show the import dialogue.

During my diploma thesis on Rogue CAs' possibilities, one part of the work was to evaluate today's browsing software.

Contact me: This bug was found as part of my diploma thesis, which is still going on. If you have any suggestions or ideas, contact me at marboesc.ch (PGP Key: 0x0AA132A7141D27C8)
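One way a defender can audit a profile for the condition the report describes, given here as an added example that is not part of the bug report or of Mozilla's code: model the Certificate Manager's "Authorities" tab as a list of entries (subject DN, fingerprint, security device, trust) and flag every entry on the "Software Security Device" that reuses a built-in root's DN but carries a different fingerprint. The `StoreEntry` type, the `normalize_dn`/`find_shadowed_roots`/`audit_report` helpers, and the sample DNs and fingerprints are all constructed for this example.

```python
"""Audit a certificate store for built-in roots shadowed by a same-DN import.

Added example (not from the bug report or Mozilla). The store is modelled
in memory; a real audit would populate SAMPLE_STORE from the profile's cert
database instead (e.g. the output of `certutil -L -d <profile dir>`).
"""
from collections import defaultdict
from dataclasses import dataclass

BUILTIN_TOKEN = "Builtin Object Token"       # Mozilla's compiled-in root list
SOFTWARE_TOKEN = "Software Security Device"  # user-imported certs land here


@dataclass(frozen=True)
class StoreEntry:
    subject_dn: str    # RFC 4514 string form of the subject
    fingerprint: str   # hex digest over the DER encoding (constructed below)
    device: str        # which PKCS#11 token holds the cert
    trusted: bool      # whether the store trusts it as a CA


def normalize_dn(dn: str) -> str:
    """Canonicalise a DN string so cosmetic differences cannot hide a collision.

    Simplified on purpose: split on commas (escaped commas are not handled),
    strip whitespace, upper-case attribute types, case-fold values. This is
    not a full RFC 4518 string preparation.
    """
    rdns = []
    for rdn in dn.split(","):
        attr_type, _, value = rdn.strip().partition("=")
        rdns.append(f"{attr_type.strip().upper()}={value.strip().casefold()}")
    return ",".join(rdns)


def find_shadowed_roots(entries):
    """Return {normalised DN: [entries]} for every non-builtin entry that reuses
    a built-in root's DN with a different fingerprint.

    A re-import of the genuine built-in cert (same DN, same fingerprint) is
    harmless and is deliberately not reported.
    """
    by_dn = defaultdict(list)
    for entry in entries:
        by_dn[normalize_dn(entry.subject_dn)].append(entry)

    findings = {}
    for dn, group in by_dn.items():
        builtin_fps = {e.fingerprint.lower() for e in group if e.device == BUILTIN_TOKEN}
        if not builtin_fps:
            continue  # no built-in root with this DN, nothing to shadow
        shadows = [e for e in group
                   if e.device != BUILTIN_TOKEN and e.fingerprint.lower() not in builtin_fps]
        if shadows:
            findings[dn] = shadows
    return findings


def audit_report(entries):
    """One human-readable line per shadowing entry, sorted by DN."""
    lines = []
    for dn, shadows in sorted(find_shadowed_roots(entries).items()):
        for s in shadows:
            lines.append(f"SHADOWED {dn}: {s.device} fp={s.fingerprint[:8]}... trusted={s.trusted}")
    return lines


# Constructed sample store: CA names and fingerprints are made up.
SAMPLE_STORE = [
    StoreEntry("CN=Example Root CA,O=Example Org,C=XX", "A1" * 20, BUILTIN_TOKEN, True),
    StoreEntry("CN=Other Root CA,O=Other Org,C=XX", "B2" * 20, BUILTIN_TOKEN, True),
    # Same DN as the first built-in but a different key: the collision from the report.
    StoreEntry("cn=Example Root CA, o=Example Org, c=XX", "C3" * 20, SOFTWARE_TOKEN, False),
    # Same DN *and* same fingerprint: a harmless re-import of the genuine cert.
    StoreEntry("CN=Other Root CA,O=Other Org,C=XX", "b2" * 20, SOFTWARE_TOKEN, False),
    # Unrelated user-imported root: not flagged.
    StoreEntry("CN=My Lab CA,O=Lab,C=XX", "D4" * 20, SOFTWARE_TOKEN, True),
]


if __name__ == "__main__":
    for line in audit_report(SAMPLE_STORE):
        print(line)
```

Matching on the normalised DN rather than the raw string is the point of the check: the store itself keys the lookup on the DN, so a collision that differs only in case or spacing would still shadow the built-in root, and an audit that compared raw strings would miss it.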
already reported as http://bugzilla.mozilla.org/show_bug.cgi?id=249004 on 040629, but no reaction there ?!?! Also, no echo from reporting to cert.org 2 days ago...
The bug is also tracked at Http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=257559
Will be part of a Mozilla 1.4.3 update for RHEL users shortly.
An errata has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you. http://rhn.redhat.com/errata/RHSA-2004-421.html