[Security][SSL] Self signed certificate seems to be always accepted. #3283
Comments
|
@jklmnn Thanks for reporting this issue back to us. Generally speaking please always contact security@owncloud.com in case of a potential security bug. For now we will handle this one public though. cc @danimo Can you take a look? THX. |
|
@jklmnn I've just tried your steps to reproduce (although with our package repo, and on Ubuntu 14.04), but I have not been able to get any data transferred to mitmproxy so far. @LukasReschke will give it another try. |
|
@jklmnn Are you using bandwidth limiting? Does this link against Qt4 or Qt5? |
|
I'm not using a bandwidth limit, and it's linking against Qt5. |
|
I examined it further and it does not appear if the connection was mitmed before owncloud was started. When you start the client and cancel the certificate it shows an SSL error (as expected). But when you already have a connection that is getting hijacked then the new certificate will be used, whether you accepted it or not. |
|
Couldn't reproduce as well. What I did:
Following error appears in the log output: ettercap is not receiving any further requests. @jklmnn Would it be possible to provide more detailed reproduction steps? Thanks. |
|
I will describe how I have set up the network. I can give you further logs when I'm back at home.
When I get back home (I think this weekend), I'll give you logs, screenshots and more detailed info. |
|
Left: The host that acts as gateway running mitmproxy as well as Wireshark. |
|
Here's my screen record: http://jkliemann.de/media/owncloud.ogv |
|
Interesting. We have some suspicions and to prove those we would really welcome if you could provide us with a test account to your instance as well as the public certificate of the CA that you installed on your system. Would that be something you could do? – Non-admin account would be fine. My mail address can be found in my profile. |
|
I have contacted you. |
|
Thanks, @jklmnn for the access credentials. Our investigation has shown that in case of a self-signed certificate that got imported in the client this behaviour can indeed be reproduced. To be exploitable the following scenarios need to be fulfilled:
@jklmnn Can you confirm that General\CaCertificates="@ByteArray(-----BEGIN CERTIFICATE-----\n[…]\n-----END CERTIFICATE-----\n\n)" If so would you be able to remove this entry from your client and let us know if you experience the same behaviour if the certificate has been imported to the system instead? I was able to import it by putting it into @cmonteroluque Please schedule this for the next client release. Security considers this as a critical security bug for deployments using self-signed certificates. – This needs to get fixed for all affected releases as soon as possible, I will push advisories as well as soon as we have determined the root cause (as we have a work around) |
|
I had this line in my config and I can confirm that your workaround works. |
|
A fix was merged, three people verified that the fix is working. I am closing this directly instead of adding the ReadyToTest flag. |
I'm confident this is unnecessary. The original bug in owncloud#3283 was to call ignoreSslErrors() without an argument in the 'accept' case, which meant ignoring *all* subsequent SSL errors. With that fixed, explicitly aborting the reply and resetting QNAM is not needed since not ignoring the error will lead to the SSL handshake failing. See also: 75b38d1 (workaround introduced) 89376e1 (real fix) 76ce5ad (cherry-pick of workaround)
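The difference that commit message describes, as an added example that is not part of the thread or of the ownCloud client: a stand-alone C++ model (no Qt) of ignoring all SSL errors versus ignoring only the error the user accepted. `ModelReply`, `SslError`, `laterHandshakeSucceeds` and the fingerprint strings are constructed for illustration.

```cpp
// Stand-alone model (added example): not ownCloud's code and not Qt itself.
#include <algorithm>
#include <iostream>
#include <string>
#include <vector>

// Constructed stand-in for an SSL error: the error kind plus the certificate it concerns.
struct SslError {
    std::string kind;         // e.g. "SelfSignedCertificate"
    std::string fingerprint;  // constructed placeholder, not a real digest
    bool operator==(const SslError &o) const {
        return kind == o.kind && fingerprint == o.fingerprint;
    }
};

// Hypothetical reply object mirroring the two call shapes named in the commit message.
class ModelReply {
public:
    void ignoreSslErrors() { ignoreAll_ = true; }              // blanket form (the bug)
    void ignoreSslErrors(const std::vector<SslError> &errs) {  // listed form (the fix)
        expected_.insert(expected_.end(), errs.begin(), errs.end());
    }
    // The handshake succeeds only if every raised error is covered by the policy.
    bool handshake(const std::vector<SslError> &raised) const {
        if (ignoreAll_) return true;
        return std::all_of(raised.begin(), raised.end(), [this](const SslError &e) {
            return std::find(expected_.begin(), expected_.end(), e) != expected_.end();
        });
    }
private:
    bool ignoreAll_ = false;
    std::vector<SslError> expected_;
};

// After the user accepted `accepted`, does a handshake raising `later` still succeed?
bool laterHandshakeSucceeds(bool blanket, const SslError &accepted, const SslError &later) {
    ModelReply reply;
    if (blanket) reply.ignoreSslErrors();
    else reply.ignoreSslErrors({accepted});
    return reply.handshake({later});
}
const SslError kAccepted{"SelfSignedCertificate", "AA:AA (constructed)"};
const SslError kSwapped{"SelfSignedCertificate", "BB:BB (constructed)"};
int main() {
    std::cout << std::boolalpha
              << "blanket ignore, swapped cert: " << laterHandshakeSucceeds(true, kAccepted, kSwapped) << "\n"
              << "listed ignore, swapped cert:  " << laterHandshakeSucceeds(false, kAccepted, kSwapped) << "\n"
              << "listed ignore, accepted cert: " << laterHandshakeSucceeds(false, kAccepted, kAccepted) << "\n";
}
```

In Qt the listed form corresponds to `QNetworkReply::ignoreSslErrors(const QList<QSslError> &)`, where each `QSslError` carries the certificate it relates to.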

Expected behaviour
When a self-signed certificate is used and the warning is shown, clicking Cancel should not build up a connection.
Actual behaviour
When the warning is shown, a connection is built up, even if you have clicked Cancel.
Steps to reproduce
Server configuration
Operating system: Debian 8.0
Web server: Apache 2.4
Database: Sqlite 3.8
PHP version: 5.6
ownCloud version: 8.0.3
Storage backend: SQLite
Client configuration
Client version: 1.8.1+dfsg-1
Operating system: Debian Stretch
OS language: German
Installation path of client: /usr/bin/owncloud