Monday, March 21, 2016

StartSSL Domain validation (Vulnerability discovered).

StartSSL certificate authority is well known for offering free domain validated SSL certificates, and also sells organisation and extended validation certificates. 




Certificate authorities have suffered several security breaches over the years. On 15 June, 2011 a hacker called ComodoHacker managed to fraudulently issue several valid certificates, including ones for the login pages of Yahoo and Skype, which were later revoked and blacklisted.
More than 25 thousand websites in Netcraft's SSL survey use certificates issued by StartSSL. These are recognised by Internet Explorer, Firefox, Chrome and other mainstream browsers.

On 9 March, 2016, during my research, I was able to replicate the attack and issue valid certificates without verifying ownership of the website, which I explain later in this post. The vulnerability was reported and fixed within hours.


How is it done?

StartSSL has only one way to validate ownership of a domain name: a predefined list of email addresses (such as webmaster, postmaster and hostmaster) at the same domain you are trying to verify. This method is rarely used; for domain validation, most certificate authorities instead ask the domain owner to place a specific file on their website.

In our case, the first method has an unvalidated input vulnerability (read more: https://www.owasp.org/index.php/A1_2004_Unvalidated_Input) that allowed me to tamper with the HTTP request and replace the email address with a regular address, such as a Gmail account, instead of one at the domain being validated.

As an example, let's take www.aso0om.com as the domain to issue a certificate for.


After choosing the domain validation option, you are asked to provide the domain name you wish to validate.
The last step of the validation process is where you can modify the email address and replace it with any regular email address (highlighted in yellow), since the field lacks proper input validation.

As proof, I changed the email address to my Hotmail inbox.
After submitting the verification code to the control panel, the domain name was verified and I could issue an SSL certificate for it. Voilà!
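The flaw described above comes down to the server trusting an email address chosen by the client instead of re-deriving the permitted set itself. The following is an added example (not StartSSL's code, and not from the original post) that models the vulnerable decision beside a hardened one: the server derives the only acceptable addresses from the domain under validation and the predefined local parts the post names (webmaster, postmaster, hostmaster), and rejects anything else. The `www.` stripping, the hostname regex and the sample addresses are assumptions constructed for the example.

```python
import re
from typing import FrozenSet, Optional

# Administrative local parts a CA accepts for email-based domain validation.
# The post names these three; treating them as the complete list is an assumption.
ALLOWED_LOCAL_PARTS = frozenset({"webmaster", "postmaster", "hostmaster"})

# Conservative hostname syntax: hyphen/alphanumeric labels, at least two labels (assumption).
DOMAIN_RE = re.compile(r"^(?!-)(?:[a-z0-9-]{1,63}(?<!-)\.)+[a-z]{2,63}$")

# Loose email syntax used only by the vulnerable path, which checks shape but not ownership.
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def normalize_domain(domain: str) -> str:
    """Lower-case, drop a trailing dot and a leading 'www.' so the validation
    target is the registrable name (assumption: www.aso0om.com -> aso0om.com)."""
    d = domain.strip().lower().rstrip(".")
    if d.startswith("www."):
        d = d[len("www."):]
    if not DOMAIN_RE.match(d):
        raise ValueError(f"not a valid domain name: {domain!r}")
    return d


def allowed_validation_addresses(domain: str) -> FrozenSet[str]:
    """The only addresses the server should ever send a validation code to."""
    base = normalize_domain(domain)
    return frozenset(f"{local}@{base}" for local in ALLOWED_LOCAL_PARTS)


def vulnerable_choose_address(domain: str, submitted: str) -> Optional[str]:
    """Vulnerable pattern as the post describes it: the address in the HTTP
    request is used as long as it looks like an email, so a free-mail inbox
    can be substituted for one at the domain."""
    candidate = submitted.strip().lower()
    return candidate if EMAIL_RE.match(candidate) else None


def hardened_choose_address(domain: str, submitted: str) -> Optional[str]:
    """Hardened pattern: recompute the permitted set on the server and accept the
    client's value only if it is an exact member; otherwise refuse to proceed."""
    candidate = submitted.strip().lower()
    if candidate not in allowed_validation_addresses(domain):
        return None
    return candidate


if __name__ == "__main__":
    # Constructed sample inputs: the post's example domain and a free-mail address.
    domain = "www.aso0om.com"
    tampered = "someone@hotmail.example"
    print("allowed:", sorted(allowed_validation_addresses(domain)))
    print("vulnerable accepts:", vulnerable_choose_address(domain, tampered))
    print("hardened accepts:", hardened_choose_address(domain, tampered))
```

The hardened variant never trusts the submitted field as a destination; the client's value is at most a selector into a server-computed set, which is the same property a CA gets by presenting the fixed choices as an index rather than a free-text address.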


Edit 1 (Mar. 23, 2016): StartSSL announced on their official website that the bug was possible because the email address matched the WHOIS records of the domain name: although it was not in the predefined email list, it was accepted by the server back-end.

Edit 2 (Mar. 23, 2016): StartCom announced that, starting today, it logs all SSL certificates it issues to public Certificate Transparency (CT) log servers. All issued SSL certificates will contain the embedded SCT data necessary to verify the log submission.