Thought Komodia/Superfish Bug Was Really, Really Bad? It's Much, Much Worse!
from the getting-worse-by-day dept
With each passing day, it appears that new revelations come out, detailing how the Komodia/Superfish malware is even worse than originally expected. If you don’t recall, last week it came out that Lenovo was installing a bit of software called “Superfish” as a default bloatware on a bunch of its “consumer” laptops. The software tried to pop up useful alternative shopping results for images. But in order to work on HTTPS-encrypted sites, Superfish made use of a nasty (and horribly implemented) “SSL hijacker” from Komodia, which installed a self-signed root certificate that basically allowed anyone to issue totally fake security certificates for any encrypted connection, enabling very easy man-in-the-middle attacks. Among the many, many, many stupid things about the way Komodia worked, was that it used the same certificate on each installation of Superfish, and it had an easily cracked password: “komodia” which was true on apparently every product that used Komodia. And researchers have discovered that a whole bunch of products use Komodia, putting a ton of people at risk. People have discovered at least 12 products that make use of Komodia.
But it gets worse. Filippo Valsorda has shown that you didn’t even need to crack Komodia’s weak-ass password to launch a man-in-the-middle attack, but its SSL validation is broken, such that even if Komodia’s proxy client sees an invalid certificate, it just makes it valid. Seriously.
At this point a legit doubt is: what will the Komodia proxy client do when it sees a invalid/untrusted/self-signed certificate? Because copying it, changing its public key and signing it would turn it into a valid one without warnings.
Turns out that if a certificate fails validation the Komodia proxy will still re-sign it (making it trusted), but change the domain name so that a warning is triggered in the browser.
Okay, but at least there’s a warning, right? Well, no, because… as Valsorda notes, there’s another horrible part of the implementation that gets around this: alternative names.
The Komodia proxy copies the server certificate almost entirely… What will it do with alternative names?
Alternative names are a X509 extension that allows to specify in a special field other domains for which the certificate is valid.
Boom. The Komodia proxy will take a self-signed certificate, leave the alternate names untouched and sign it with their root. The browser will think it’s a completely valid certificate.
So all you need to do to bypass verification is put the target domain in the alternate field, instead of in the main one that will be changed on failure.
An attacker can intercept any https connection, present a self-signed certificate to the client and browsers will show a green lock because Komodia will sign it for them.
As Valsorda points out, because of this, attackers don’t even need to know which Komodia-compromised software you’re running. They can just fuck with them all.
Thought we were done with how bad this is? Nope. Not yet.
Because another security researcher, going by the name @TheWack0lian, found that Komodia uses a rootkit to better hide itself and make it that much harder to remove.
Komodia appears to have implemented its system in the worst way possible, and a whole bunch of companies agreed to use its product without even the slightest recognition of the fact that they punched a massive vulnerability into the computers of everyone who used their products. What’s really stunning is that many of these products actually pitch themselves as “security” products to better “protect” your computer.