This repository has been archived by the owner on Dec 19, 2023. It is now read-only.

Fix MiM Security vulnerability: missing SSL hostname validation #1

Merged
2 commits merged into from
Sep 17, 2020

Conversation

alromh87

@alromh87 alromh87 commented Sep 13, 2020

📊 Metadata *

em-imap is a gem that allows you to connect to an IMAP4rev1 server in a non-blocking fashion.

Affected versions of this package are vulnerable to Man-in-the-Middle (MitM). The hostname in a TLS server certificate is not verified. An attacker can acquire the identity of a trusted server and implement malicious data.

Bounty URL: https://www.huntr.dev/bounties/1-rubygems-em-imap/

⚙️ Description *

SSL validation was not implemented, making em-imap vulnerable to MiM attacks; fixed by adding validations.

💻 Technical Description *

The ssl_verify_peer param is enabled when calling connect from EventMachine::Connection; this will call ssl_verify_peer and ssl_handshake_completed of the connection module for the calling program to implement the validation logic.

Validation of the server certificate was implemented using OpenSSL, based on code from:
lostisland/faraday@63cf47c

🐛 Proof of Concept (PoC) *

  1. Add a fake DNS entry to /etc/hosts.
    echo "127.0.0.1 test.imap.gmail.com" | sudo tee -a /etc/hosts

  2. Create a certificate.
    openssl req -x509 -newkey rsa:2048 -keyout key.pem -out cert.pem -days 365 -nodes

  3. Listen on port 443 with TLS enabled.
    openssl s_server -key key.pem -cert cert.pem -accept 443

  4. Create sample client:

#clientPoc.rb
require 'rubygems'
require 'em-imap'

EM::run do
  # Third argument enables TLS; host resolves to 127.0.0.1 via the /etc/hosts entry above
  client = EM::IMAP.new('test.imap.gmail.com', 993, true)
  client.connect.errback do |error|
    puts "Connecting failed: #{error}"
  end.callback do |hello_response|
    # Reached only if the TLS handshake was accepted
    puts "Connecting succeeded!"
    puts hello_response
  end.bothback do
    EM::stop
  end
end
  5. Run the test client
    ruby clientPoc.rb
  6. The client will connect, ignoring the self-signed certificate

[screenshot: 2020-09-14 01-48-21]

🔥 Proof of Fix (PoF) *

After the fix, the invalid certificate is detected and the connection is terminated.

[screenshot: 2020-09-14 01-49-05]

A valid certificate for the wrong server will also be detected and the connection aborted.

[screenshot: imapWrogN]

👍 User Acceptance Testing (UAT)

After the fix, functionality is unaffected.

[screenshot: imapOK]
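The two checks the PR description calls for (chain validation against a trust store, then hostname validation against the certificate) can be exercised without a network or an IMAP server. The following is an added example, not em-imap's code and not the faraday commit it credits; the function names `build_cert`, `build_fixtures` and `check_peer` are assumptions, the certificates are constructed in-process for the demonstration, and `imap.example.com` is a placeholder hostname. It reproduces the three outcomes from the PoF section: a trusted certificate for the right host is accepted, a trusted certificate for a different host is rejected, and a self-signed certificate is rejected.

```ruby
require 'openssl'

# Build a certificate for the demonstration (constructed test data, not a real key or CA).
# With no :issuer the certificate is self-signed; with :issuer => [ca_cert, ca_key] it is CA-issued.
def build_cert(subject:, key:, serial:, issuer: nil, san: nil, ca: false)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = serial
  cert.subject = OpenSSL::X509::Name.parse(subject)
  issuer_cert, issuer_key = issuer || [cert, key]
  cert.issuer = issuer_cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600

  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate = issuer_cert
  cert.add_extension(ef.create_extension('basicConstraints', ca ? 'CA:TRUE' : 'CA:FALSE', true))
  cert.add_extension(ef.create_extension('keyUsage', 'keyCertSign, cRLSign', true)) if ca
  # Hostname validation looks at subjectAltName first, so the server name goes there.
  cert.add_extension(ef.create_extension('subjectAltName', "DNS:#{san}", false)) if san
  cert.sign(issuer_key, OpenSSL::Digest.new('SHA256'))
  cert
end

# The peer check a TLS client must do: verify the chain, then verify the hostname.
# Returns [accepted, reason]. leaf_pem is the PEM the server presented; untrusted_pems are
# any intermediates it sent alongside it.
def check_peer(leaf_pem, hostname, store, untrusted_pems = [])
  leaf = OpenSSL::X509::Certificate.new(leaf_pem)
  untrusted = untrusted_pems.map { |pem| OpenSSL::X509::Certificate.new(pem) }

  # Step 1: does the certificate chain to a CA we trust? (catches the self-signed PoC cert)
  unless store.verify(leaf, untrusted)
    return [false, "chain: #{store.error_string}"]
  end

  # Step 2: is the certificate actually for the host we dialled? (catches a valid cert
  # for a different server, the second PoF case)
  unless OpenSSL::SSL.verify_certificate_identity(leaf, hostname)
    return [false, "hostname mismatch: certificate is not for #{hostname}"]
  end

  [true, 'ok']
end

# Constructed fixtures: a throwaway root CA, a leaf it issued for imap.example.com,
# and a self-signed leaf claiming the same name (what the PoC's openssl s_server presents).
def build_fixtures
  ca_key = OpenSSL::PKey::RSA.new(2048)
  ca = build_cert(subject: '/CN=Example Test Root CA', key: ca_key, serial: 1, ca: true)

  good_key = OpenSSL::PKey::RSA.new(2048)
  good = build_cert(subject: '/CN=imap.example.com', key: good_key, serial: 2,
                    issuer: [ca, ca_key], san: 'imap.example.com')

  rogue_key = OpenSSL::PKey::RSA.new(2048)
  rogue = build_cert(subject: '/CN=imap.example.com', key: rogue_key, serial: 3,
                     san: 'imap.example.com')

  store = OpenSSL::X509::Store.new
  store.add_cert(ca) # only our test root is trusted
  { store: store, good: good.to_pem, rogue: rogue.to_pem }
end

if __FILE__ == $0
  fx = build_fixtures
  puts "trusted cert, right host:  #{check_peer(fx[:good], 'imap.example.com', fx[:store]).inspect}"
  puts "trusted cert, wrong host:  #{check_peer(fx[:good], 'imap.example.org', fx[:store]).inspect}"
  puts "self-signed cert:          #{check_peer(fx[:rogue], 'imap.example.com', fx[:store]).inspect}"
end
```

In the EventMachine flow the PR describes, the chain step belongs in `ssl_verify_peer` (which receives each presented certificate as PEM and must return true for the handshake to proceed) and the hostname step in `ssl_handshake_completed`, where the client closes the connection if the name does not match. Doing only the first step is not enough: a certificate that is valid for some other server still passes chain validation, which is why the PoF section tests the wrong-server case separately.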


@Mik317 Mik317 left a comment


LGTM 😄 🎉

Cheers,
Mik


@mufeedvh mufeedvh left a comment


Clean fix! 👏🔥

LGTM

@ghost ghost merged commit a562f68 into 418sec:master Sep 17, 2020
@huntr-helper

Congratulations alromh87 - your fix has been selected! 🎉

Thanks for being part of the community & helping secure the world's open source code.
If you have any questions, please respond in the comments section, or hit us up on Discord. Your bounty is on its way - keep hunting!
