iSEC Partners Security Advisory - 2007-006-RubySSL
http://www.isecpartners.com
--------------------------------------------

Ruby Net::HTTPS library does not validate server certificate CN

Vendor: Ruby
Vendor URL: http://www.ruby-lang.org
Versions affected: 1.8.5, 1.8.6, Trunk Ruby
Systems Affected: All Ruby Platforms
Severity: Medium - Compromise of SSL connection integrity
Author: Chris Clark <cclark[at]isecpartners[dot]com>

Vendor notified: Yes
Public release: Yes
Advisory URL: http://www.isecpartners.com/advisori...06-rubyssl.txt

Summary:
--------
The Ruby Net::HTTP and Net::HTTPS library can be used to make HTTP or HTTPS
connections to remote websites. There are several methods for performing t=
hese
types of connections within the Ruby standard library but the Net::HTTP lib=
rary
is recommended going forward.

A vulnerability results from the Net::HTTPS library failing to validate the=
name
on the SSL certificate agains the DNS name requested by the user. By not
validating the name, the library allows an attacker to present a
cryptographically valid certificate with an invalid CN.

Details:
--------
The vulnerability is caused by the method connect within http.rb file faili=
ng to
call post_connection_check after the SSL connection has been negotiated. S=
ince
the server certificates CN is not validated against the requested DNS name,
the attacker can impersonate the target server in a SSL connection. The
integrity and confidentiality benefits of SSL are removed by this vulnerabi=
lity.

Example:

If the application uses the following code to connect to the ip address of
https://www.citicards.com:

url =3D "192.193.222.24" #www.citicards.com IP
path =3D "/"
http =3D Net::HTTP.new(url, 443)
http.use_ssl =3D true
http.ca_file =3D "verisign.pem"
http.verify_mode =3D OpenSSL::SSL::VERIFY_PEER
resp, data =3D http.get(path, nil)

The connection will succeed. This is an obvious failure as the certificate
presented has a CN of www.citicards.com. One caveat is that the attacker m=
ust
possess a certificate signed by the CA specified in the ca_file attribute.


Fix Information:
----------------
This issue has been addressed by adding the appropriate post connection che=
ck
within http.rb. These patches add the enable_post_connection parameter, wh=
ich
if set to true, will cause the Net::HTTP library to raise an exception when=
the
post connection check fails.

The following trunk Ruby checkin contains the related changes:
http://svn.ruby-lang.org/cgi-bin/vie...vision=3D13499
http://svn.ruby-lang.org/cgi-bin/vie...vision=3D13500

Ruby 1.8.5:
http://svn.ruby-lang.org/cgi-bin/vie...vision=3D13502

Ruby 1.8.6:
http://svn.ruby-lang.org/cgi-bin/vie...vision=3D13504


Thanks to:
----------
Rachel Engel, GOTOU Yuuzou, and Minero Aoki

About iSEC Partners:
--------------------
iSEC Partners is a full-service security consulting firm that provides
penetration testing, secure systems development, security education
and software design verification, with offices in San Francisco,
Seattle, Ewa Beach, and Los Angeles.

http://www.isecpartners.com
info@isecpartners.com