[Security][SSL] Self signed certificate seems to be always accepted.

[jklmnn]

Expected behaviour

When a self signed certificate is used and the warning is shown, clicking Cancel should not build up a connection.

Actual behaviour

When the warning is shown, a connection is build up, even if you have clicked Cancel.

Steps to reproduce

1. Run ownCloud desktop client.
2. Intercept traffic and set up mitm attack.
3. Wait for certificate warning and click Cancel.
4. See traffic in mitm.

Server configuration

Operating system: Debian 8.0

Web server: Apache 2.4

Database: Sqlite 3.8

PHP version: 5.6

ownCloud version: 8.0.3

Storage backend: SQLite

Client configuration

Client version: 1.8.1+dfsg-1

Operating system: Debian Stretch

OS language: German

Installation path of client: /usr/bin/owncloud

[LukasReschke]

@jklmnn Thanks for reporting this issue back to us. Generally speaking please always contact security@owncloud.com in case of a potential security bug. For now we will handle this one public though.

cc @danimo Can you take a look? THX.

[danimo]

@jklmnn I've just tried your steps to reproduce (although with our package repo, and on Ubuntu 14.04), but I have not been able to get any data transferred to mitmproxy so far. @LukasReschke will give it another try.

[danimo]

@jklmnn Are you using bandwidth limiting? Does this link against Qt4 or Qt5?

[jklmnn]

I'm not using a bandwith limit, and it's linking against Qt5.

[jklmnn]

I examined it further and it does not appear if the connection was mitmed before owncloud was started. when you start the client and cancel the certificate it shows an ssl error (as expected). But when you already have a connection that is getting hijacked then the new certificate will be used, either if you accepted it or not.

[LukasReschke]

Couldn't reproduce as well. What I did:

1. Install Debian 8.0 without any GUI
2. Login
3. Install Gnome using tasksel install gnome-desktop --new-install
4. Reboot
5. sudo su
6. apt-get install owncloud-client
7. Start the ownCloud client (owncloud --logwindow) and connect against a HTTPS protected host
8. Try to sync files: Works
9. Install Ettercap on another machine: apt-get install ettercap-graphical
10. Edit /etc/ettercap/etter.conf and change ec_uid and ec_gid to 0, also comment out the redir_command_on and redir_command_off iptable rules
11. sysctl -w net.ipv4.ip_forward=1 + echo 1 > /proc/sys/net/ipv4/ip_forward
12. Start ettercap, the first IP is the gateway IP the later the IP of the Debian host with ownCloud client: ettercap --text -i eth0 --mitm arp:remote //10.211.55.1// //10.211.55.17// -a /etc/ettercap/etter.conf
13. Wait a little bit till it is in effect, see certificate warning -> Click cancel

Following error appears in the log output:

05-27 16:41:42:646 void Mirall::AbstractNetworkJob::slotFinished() 6 "SSL handshake failed" 
05-27 16:41:42:647 SSL-Errors happened for url  "https://cloud.ostsinn.ch/remote.php/webdav/" 
05-27 16:41:42:647  Error in  QSslCertificate( "3" , "e7:81:df:a0:09:6b:5d:1c:52:d1:90:b9:8a:da:55:a2" , "vqXftJTVqleg4Dj9HPh48Q==" , "COMODO CA Limited" , "" , QMap() , QDateTime("Thu Apr 2 00:00:00 2015") , QDateTime("Sun Apr 1 23:59:59 2018") ) : "The host name did not match any of the valid hosts for this certificate" ( "The host name did not match any of the valid hosts for this certificate" ) 
05-27 16:41:42:648  Error in  QSslCertificate( "3" , "e7:81:df:a0:09:6b:5d:1c:52:d1:90:b9:8a:da:55:a2" , "vqXftJTVqleg4Dj9HPh48Q==" , "COMODO CA Limited" , "" , QMap() , QDateTime("Thu Apr 2 00:00:00 2015") , QDateTime("Sun Apr 1 23:59:59 2018") ) : "The issuer certificate of a locally looked up certificate could not be found" ( "The issuer certificate of a locally looked up certificate could not be found" ) 
05-27 16:41:42:648  Error in  QSslCertificate( "3" , "e7:81:df:a0:09:6b:5d:1c:52:d1:90:b9:8a:da:55:a2" , "vqXftJTVqleg4Dj9HPh48Q==" , "COMODO CA Limited" , "" , QMap() , QDateTime("Thu Apr 2 00:00:00 2015") , QDateTime("Sun Apr 1 23:59:59 2018") ) : "The root CA certificate is not trusted for this purpose" ( "The root CA certificate is not trusted for this purpose" ) 
05-27 16:41:42:649  Error in  QSslCertificate( "3" , "e7:81:df:a0:09:6b:5d:1c:52:d1:90:b9:8a:da:55:a2" , "vqXftJTVqleg4Dj9HPh48Q==" , "COMODO CA Limited" , "" , QMap() , QDateTime("Thu Apr 2 00:00:00 2015") , QDateTime("Sun Apr 1 23:59:59 2018") ) : "No certificates could be verified" ( "No certificates could be verified" ) 
05-27 16:41:42:649 Certs not trusted by user decision, returning. 
05-27 16:41:42:650 void Mirall::AbstractNetworkJob::slotFinished() 6 "SSL handshake failed" 
05-27 16:41:42:653 Sync state changed for folder  "ownCloud" :  "Not availabe" 
05-27 16:41:42:653 SocketApi:  Broadcasting to 0 listeners:  "UPDATE_VIEW" 

ettercap is not receiving any further requests.

@jklmnn Would it possible to provide more detailled reproduction steps? Thanks.

[jklmnn]

I will describe how I have set up the network. I can give you further logs when I'm back at home.

1. I have one PC with Debian 8.0 installed which is my router. tun0 goes to a VPN and eth1 creates a local network. I'll call this one router.
2. On the router mitmproxy is installed aptitude install mitmproxy.
3. The PC with the owncloud client (let's call it just client) has installed Debian testing/strech with KDE.
4. Installed owncloud client from deb http://download.opensuse.org/repositories/isv:/ownCloud:/community/Debian_8.0/ / aptitude install owncloud-client owncloud-client-l10n
5. Start owncloud client owncloud (I didn't have logs this time), login and sync
6. Set up iptables on router iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 443 -j REDIRECT --to-port 8080
7. Start mitmproxy on router mitmproxy -T --host (starts by default on *:8080)
8. See certificate warning and click cancel (since it's german i clicked "Abbrechen", idk if this has any relevance)
9. Wait for owncloud client to connect and sync, view syncs in mitmproxy.

When I get back home (I think this weekend), I'll give you logs, screenshots and more detailed info.

[LukasReschke]

I performed your steps as well and still experience the expected behaviour. Mitmproxy does not show any requests originated to that host and the ownCloud client fails hard. See attached video:

[LukasReschke]

Left: The host that acts as gateway running mitmproxy as well as Wireshark.
Right: The client system.

[jklmnn]

Here's my screen record: http://jkliemann.de/media/owncloud.ogv
I hope, it's ok, I'm not a master in screen records.

[LukasReschke]

Interesting. We have some suspicions and to prove those we would really welcome if you could provide us with a test account to your instance as well as the public certificate of the CA that you installed on your system.

Would that be something you could do? – Non-admin account would be fine. My mail address can be found in my profile.