Hack SSL Certificates & CA's 0Day PoC

[snowshell]

Ok, here's a little article you may or may not find interesting, lets talk about smashing SSL CA security. You've heard about it in the news of late, another CA provider getting hacked etc, but just how hard or easy is it?

How hard or easy is it to hack a root CA steal their certificate and use it for a Man in the Middle with SSLsniff?!

Well first we need to appreciate what an SSL Certificate is, it's just a re-generated certificate that you've bought from a signing authority who has then issued it back to you.

In public key infrastructure (PKI) systems, a certificate signing request (also CSR or certification request) is a message sent from an applicant to a certificate authority in order to apply for a digital identity certificate.

With me so far? Good... So lets apply some thinking here... How do we take someone else's Digital Identity Certificate and steal it and then forge a CSR or certification request so we can use it for our evil intent?!

Well I am going to introduce two tools we can download and use in firefox that will perform these actions, the first one is called the Key Manager For Firefox...

Described by its creator as;
KeyManager is a client side PKI tool for key generation, certificate enrollment, CRL signing, identity and authority delegation.

https://addons.mozilla.org/en-US/firefox/addon/4471

The next tool we are going to need for Firefox is called Cert Viewer Plus.

https://addons.mozilla.org/firefox/addon/1964/

Described by it's creator as;
Certificate viewer enhancements: PEM format view, file export & trust configuration.

Once we've installed both of these tools, then we're just about ready to hack just about any Certificate Authority on Planet Earth.

So lets pick someone or a target to hack... someone paying for a premium Platinum SSL for example, who wont really mind if we come along and borrow there's for a demonstration.. I know let's borrow (steal) and export an SSL certificate from PAYPAL (I've never liked them!)

Click on View the PEM to see the whole Certificate Contents and Headers;
example:
Certification path for "www.paypal.com"
Subject: OID.1.3.6.1.4.1.311.60.2.1.3=US,OID.1.3.6.1.4.1.311.60.2.1.2=Delaware,OID.2.5.4.15=Private Organization,serialNumber=3014267,C=US,postalCode=95131-2021,ST=California,L=San Jose,OID.2.5.4.9=2211 N 1st St,O="PayPal, Inc.",OU=PayPal Production,CN=www.paypal.com
Issuer: C=US,O="VeriSign, Inc.",OU=VeriSign Trust Network,OU=Terms of use at https://www.verisign.com/rpa (c)06,CN=VeriSign Class 3 Extended Validation SSL CA
Validity: from 23/03/11 00:00:00 UTC to 01/04/13 23:59:59 UTC

Well I've never agreed with VeriSigns Terms of Use either so we'll have to get rid of those... Next we click on Export to export the certificate to a file.

Save it as x.509 certificate (PEM) in your My Documents folder... Next fire up the Key Manager.

Click on the Servers Tab and click import and in the browser window drop down the list to All Files and import the PEM you just saved.

Then click Ok and goto Cert Mgmt and click sign Cert as CA. Click CSR Source Cert Button and select the PAYPAL certificate you just loaded.

Click sign and use your own CA which you should have had the brains to setup before hand with a Generic CA profile (oops may have forgot to mention that bit) and your done.

You can now use the exported Cert in the issuer database or where-ever you stuck it to perform Man in the Middle attacks with SSLsniff on PAYPAL!

Enjoy!

Caveat:

I may have forgotten to mention a few bits on purpose, like you have to right click view page info and then click the security tab to swipe certificates from site's your viewing with SSL.

There is also a proxy to and from option, but I am sure those of you with the brain can figure out how those bits would be advantageous.

Also if your interested in better security heres some tips;
1> use TCPCRYPT it's been available for quite a while now and addresses this very issue.
2> DO NOT share your SSL certificates with anyone.

Inventor of SSL to Moxie Marlinspike "oh yeah that whole authenticity thing, that was just a hand-wave!"