
Thread: NULL certificate CN=*\x00thoughtcrime.noisebridge.net (noisebridge-discuss)


  1. #1
    Senior Member fnord0's Avatar
    Join Date
    Jul 2008
    Posts
    144

    NULL certificate CN=*\x00thoughtcrime.noisebridge.net (noisebridge-discuss)

    found this quite interesting! figured this'd be of interest to the backtrack community

    [Noisebridge-discuss] Merry Certmas! CN=*\x00thoughtcrime.noisebridge.net
    Jacob Appelbaum jacob at appelbaum.net
    Tue Sep 29 22:51:33 PDT 2009

    Hello *,

    In the spirit of giving and sharing, I felt it would be nice to enable other Noisebridgers (and friends of Noisebridge) to play around with bugs in SSL/TLS.

    Moxie was just over and we'd discussed releasing this certificate for some time. He's already released a few certificates and I thought I'd join him. In celebration of his visit to San Francisco, I wanted to release fun-times-at-moxie-marlinspike-high. This is a text file that contains a fully valid, signed certificate (with private key) that can be used to exploit the NULL certificate prefix bug[0]. The certificate is valid for * on the internet (when exploiting libnss software). The certificate is good for two years. It won't work for exploiting the bug for software written with the WIN32 api, they don't accept (for good reason) *! I suggest the use of Moxie's sslsniff[1] if you're so inclined to try network related testing. It may also be useful for testing code signing software.

    It's been long enough that everyone should be patched for this awesome class of bugs. This certificate and corresponding private key should help people test fairly obscure software or software they've written themselves. I hope this release will help with confirmation of the bug and with regression testing. Feel free to use this certificate for anything relating to free software too. Consider it released into the public domain of interesting integers.

    Enjoy!

    Best,
    Jacob

    [0] http://thoughtcrime.org/papers/null-prefix-attacks.pdf
    [1] Moxie Marlinspike >> software >> sslsniff
    -------------- next part --------------
    An embedded and charset-unspecified text was scrubbed...
    Name: fun-times-at-moxie-marlinspike-high
    Url: http://www.noisebridge.net/pipermail/noisebridge-discuss/attachments/20090929/64249b18/attachment.txt
    anyone played with this yet?
    'see the fnords!'
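Added example, not part of the thread or of any project named in it: a simplified C model of the hostname comparison behind the NULL-prefix bug, next to a length-aware check that can serve as a regression test. The `cert_name` struct, both function names and the `www.example.com` samples are assumptions made for illustration; the first sample CN is the one from the thread title.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Certificate names are length-prefixed ASN.1 strings, so the bytes may
 * contain 0x00. cert_name is a hypothetical holder for bytes + length. */
struct cert_name { const unsigned char *data; size_t len; };
#define NAME(lit) { (const unsigned char *)(lit), sizeof(lit) - 1 }

/* CN from the thread title, then two constructed samples. */
static const struct cert_name PAGE_CN = NAME("*\0thoughtcrime.noisebridge.net");
static const struct cert_name PREFIX_CN = NAME("www.example.com\0.attacker.test");
static const struct cert_name HONEST_CN = NAME("www.example.com");

/* Pre-patch pattern (simplified model): the name is handled as a C string,
 * so everything after the first NUL is invisible, and a bare "*" is
 * accepted as a wildcard for any host. */
int naive_match(const struct cert_name *cn, const char *host)
{
    const char *s = (const char *)cn->data;
    return strcmp(s, "*") == 0 || strcasecmp(s, host) == 0;
}

/* Length-aware check: reject embedded NULs and a bare "*", then compare
 * exactly as many bytes as the certificate actually carries. */
int strict_match(const struct cert_name *cn, const char *host)
{
    size_t hlen = strlen(host);
    if (memchr(cn->data, 0, cn->len) != NULL) return 0;
    if (cn->len == 1 && cn->data[0] == '*') return 0;
    if (cn->len != hlen) return 0;
    return strncasecmp((const char *)cn->data, host, hlen) == 0;
}

int main(void)
{
    const struct cert_name *all[] = { &PAGE_CN, &PREFIX_CN, &HONEST_CN };
    for (size_t i = 0; i < 3; i++)
        printf("len=%2zu naive=%d strict=%d\n", all[i]->len,
               naive_match(all[i], "www.example.com"),
               strict_match(all[i], "www.example.com"));
    return 0;
}
```

Software under test should behave like `strict_match` for the first two names: a validator that only ever sees the bytes before the NUL accepts them.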

  2. #2
    Senior Member fnord0's Avatar
    Join Date
    Jul 2008
    Posts
    144

    more null-prefix certificates... this time for paypal (Full Disclosure)

    here's another null-prefix certificate, this time for www.paypal.com - thanks goes to the Full Disclosure mailing list ;;

    null-prefix certificate for paypal

    From: Tim Jones <timjonesowns () yahoo com>
    Date: Mon, 5 Oct 2009 10:59:31 -0700 (PDT)

    If there's really a Moxie Marlinspike fan club [1], I'm definitely a member.. Attached is one of the null-prefix certificates [2] that he distributed during his "intercepting secure communication" training at Black Hat. This one's for www.paypal.com, and since the Microsoft crypto api appears to remain unpatched, it works flawlessly with sslsniff [3] against all clients on Windows (IE, Chrome, Safari). Also, because of Moxie's attacks against OCSP [4], I don't think this certificate can be revoked.

    Enjoy!

    [1]: Linux Today - SSL trick certificate published
    [2]: http://www.thoughtcrime.org/papers/n...ix-attacks.pdf
    [3]: Moxie Marlinspike >> software >> sslsniff
    [4]: http://www.thoughtcrime.org/papers/ocsp-attack.pdf

    'see the fnords!'

  3. #3
    Senior Member Nick_the_Greek's Avatar
    Join Date
    Jan 2010
    Location
    Greece
    Posts
    181

    Very interesting!

  4. #4
    Senior Member fnord0's Avatar
    Join Date
    Jul 2008
    Posts
    144

    well, this is lame... I am posting the below story in reference to the above www.paypal.com null cert ;;

    Man banished from PayPal for showing how to hack PayPal

    Some hacking tools more equal than others
    By Dan Goodin in San Francisco
    Posted in Security, 6th October 2009 23:03 GMT

    PayPal suspended the account of a white-hat hacker on Tuesday, a day after someone used his research into website authentication to publish a counterfeit certificate for the online payment processor.

    "Under the Acceptable Use Policy, PayPal may not be used to send or receive payments for items that show the personal information of third parties in violation of applicable law," company representatives wrote in an email sent to the hacker, Moxie Marlinspike. "Please understand that this is a security measure meant to help protect you and your account. We apologize for any inconvenience."

    The email, sent from an unmonitored PayPal address, makes no mention of the item that violates the PayPal policy. The suspension effectively freezes more than $500 in the account until Marlinspike submits a signed affidavit swearing he has removed the PayPal logos from his site.

    Since 2002, Marlinspike has included a yellow donate button on the download page for a hacking tool he calls SSLSniff, and more recently he released a program called SSLStrip, which also includes the button. But it was only after someone published a counterfeit SSL certificate on Monday that PayPal took action against the account.

    "This is not something I had anything to do with, and they responded by suspending my account," Marlinspike told The Reg. "I've been the one trying to warn them of this in the first place."

    The account suspension is troubling because it penalizes an independent security researcher whose discoveries have already yielded important insights into secure sockets layer, one of the web's oldest and most relied upon measures for preventing man-in-the-middle attacks. It's the latest action to demonize hacker tools that can be used by security professionals for good because they can also be used by criminals for bad.

    It also flies in the face of the tacit approval PayPal and its parent company, eBay, give to groups distributing dozens of other hacking tools. No doubt, the Wireshark packet sniffer is used regularly to reveal the passwords of unsuspecting victims, and yet its purveyors accept payments by PayPal. The same goes for the Cain & Abel and l0phtcrack password recovery tools and Remote-Exploit.org, a group whose tag line reads: "Supplying offensive security products to the world."

    A PayPal spokeswoman said the company's privacy policy prevented her from discussing Marlinspike's case. But in general, she said hacking tools are allowed in certain cases, such as when they can be used to legitimately help administrators assess the strength of user passwords.

    "We do not, however, allow PayPal to be used in the sale or dissemination of tools which have the sole purpose to attack customers and illegally obtain individual customer information," the spokeswoman, Sara Gorman, wrote in an email. "We consider whether there is any legitimate use in helping to strengthen the defenses of one's site when determining violation of our policy."

    She said PayPal relies on a dedicated team with "extensive experience in information security, law enforcement, financial services and risk" to make such decisions. She didn't explain how they determined programs such as Wireshark and Cain & Abel have legitimate uses and the tools offered by Marlinspike do not. She also didn't explain why Marlinspike's banishment came less than 24 hours after the release of the bogus PayPal certificate.

    According to a note included with the certificate's release, Marlinspike distributed it during a training session at the Black Hat security conference in July. The hacker confirms he offered a class to penetration testers that taught them everything they'd need to test and carry out attacks on SSL certificates, and as part of that, he included a proof-of-concept certificate. But he never distributed the certificate and each student signed an agreement stating the material was for evaluation purposes and was not to be publicly released, he said.

    And in any event, he never used PayPal to accept payment for the class. What's more, the only items being distributed on the PayPal-adorned pages are SSLStrip and SSLSniff. Bogus certificates were never available anywhere on the site, he said.

    So if you're a hacker who relies on PayPal, the not-so-subtle message is to make sure your projects steer clear of your online payment processor. It doesn't matter that you speak at the same conferences attended by the rest of the security world. As PayPal well knows, hacker tools can be used for good or for bad, and the company has the sole discretion to choose which is which.
    notice there how remote-exploit.org got a plug
    anyways, pretty lame.... bad paypal, bad!
    'see the fnords!'
