Thought Komodia/Superfish Bug Was Really, Really Bad? It's Much, Much Worse!
from the getting-worse-by-day dept
But it gets worse. Filippo Valsorda has shown that you didn't even need to crack Komodia's weak-ass password to launch a man-in-the-middle attack, because its SSL validation is broken, such that even if Komodia's proxy client sees an invalid certificate, it just makes it valid. Seriously.

"At this point a legit doubt is: what will the Komodia proxy client do when it sees an invalid/untrusted/self-signed certificate? Because copying it, changing its public key and signing it would turn it into a valid one without warnings.

"Turns out that if a certificate fails validation the Komodia proxy will still re-sign it (making it trusted), but change the domain name so that a warning is triggered in the browser."

Okay, but at least there's a warning, right? Well, no, because... as Valsorda notes, there's another horrible part of the implementation that gets around this: alternative names.

"The Komodia proxy copies the server certificate almost entirely... What will it do with alternative names?

"Alternative names are an X509 extension that allows one to specify in a special field other domains for which the certificate is valid.

"Boom. The Komodia proxy will take a self-signed certificate, leave the alternate names untouched and sign it with their root. The browser will think it's a completely valid certificate.

"So all you need to do to bypass verification is put the target domain in the alternate field, instead of in the main one that will be changed on failure.

"An attacker can intercept any https connection, present a self-signed certificate to the client and browsers will show a green lock because Komodia will sign it for them."

As Valsorda points out, because of this, attackers don't even need to know which Komodia-compromised software you're running. They can just fuck with them all.
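To make the re-signing failure concrete from the defending side, here is an added Go example (not code from this article, from Valsorda, or from Komodia) that models the proxy's re-signing step with the standard library's crypto/x509. It constructs a local interception root, constructs a self-signed certificate whose CN is unrelated but whose SAN carries the target name, and runs two versions of the re-signer: the flawed one the article describes, which on validation failure renames only the CN and copies the SAN list, and a corrected one that lets no name from the untrusted certificate survive. The client-side check is Go's own verifier, which like browsers ignores the CN whenever a SAN extension is present. The names bank.example and attacker.invalid, the "verify-fail." prefix, and the root's subject are assumptions for the demonstration, not values taken from the page.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

func must(err error) {
	if err != nil {
		panic(err)
	}
}

// genKey returns a fresh P-256 key. The proxy needs one per minted leaf
// because it replaces the upstream public key with its own.
func genKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	return k
}

var nextSerial int64 // simple counter; real issuers use random serials

func serial() *big.Int { nextSerial++; return big.NewInt(nextSerial) }

// sign issues tmpl for public key pub, signed by parent with parentKey.
// Passing parent == tmpl produces a self-signed certificate.
func sign(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, parentKey *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	must(err)
	c, err := x509.ParseCertificate(der)
	must(err)
	return c
}

// leafTemplate builds a server-auth leaf with the given CN and SAN DNS names.
func leafTemplate(cn string, sans []string) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: serial(),
		Subject:      pkix.Name{CommonName: cn},
		DNSNames:     sans,
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
}

// InterceptionRoot models the root the proxy installs in the local trust
// store and signs its minted leaves with (constructed for this example).
type InterceptionRoot struct {
	Cert *x509.Certificate
	Key  *ecdsa.PrivateKey
}

func NewInterceptionRoot() *InterceptionRoot {
	key := genKey()
	tmpl := &x509.Certificate{
		SerialNumber:          serial(),
		Subject:               pkix.Name{CommonName: "Local Interception Root (constructed)"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	return &InterceptionRoot{Cert: sign(tmpl, tmpl, &key.PublicKey, key), Key: key}
}

// Resign models the proxy's re-signing step. upstreamValid is the outcome of
// the proxy's own check of the upstream certificate. With komodiaStyle the
// flaw from the article is reproduced: on failure only the CN is renamed to
// trigger a browser warning while the SAN list is copied verbatim. Without
// it, no name taken from an untrusted certificate survives into the new leaf.
func (r *InterceptionRoot) Resign(upstream *x509.Certificate, upstreamValid, komodiaStyle bool) *x509.Certificate {
	tmpl := leafTemplate(upstream.Subject.CommonName, upstream.DNSNames)
	if !upstreamValid {
		tmpl.Subject.CommonName = "verify-fail." + upstream.Subject.CommonName // assumed marker name
		if !komodiaStyle {
			tmpl.DNSNames = nil // corrected: the untrusted alternative names go too
		}
	}
	leafKey := genKey() // the proxy keeps this key and terminates TLS itself
	return sign(tmpl, r.Cert, &leafKey.PublicKey, r.Key)
}

// BrowserAccepts is the client-side check: chain to the installed root and
// match host. Like browsers, Go ignores the CN once a SAN extension exists,
// which is exactly why copied alternative names defeat the CN rename.
func BrowserAccepts(leaf, root *x509.Certificate, host string) bool {
	pool := x509.NewCertPool()
	pool.AddCert(root)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: pool, DNSName: host})
	return err == nil
}

// Scenario plays the article's case against both proxy variants and reports
// whether the client accepts the raw self-signed certificate, the flawed
// proxy's re-signed leaf, and the corrected proxy's re-signed leaf.
func Scenario(target string) (direct, flawed, corrected bool) {
	root := NewInterceptionRoot()
	attKey := genKey()
	attTmpl := leafTemplate("attacker.invalid", []string{target}) // constructed input
	selfSigned := sign(attTmpl, attTmpl, &attKey.PublicKey, attKey)
	// A self-signed certificate fails the proxy's validation, hence upstreamValid=false.
	direct = BrowserAccepts(selfSigned, root.Cert, target)
	flawed = BrowserAccepts(root.Resign(selfSigned, false, true), root.Cert, target)
	corrected = BrowserAccepts(root.Resign(selfSigned, false, false), root.Cert, target)
	return direct, flawed, corrected
}

func main() {
	direct, flawed, corrected := Scenario("bank.example")
	fmt.Printf("raw self-signed accepted: %v\nflawed proxy accepted: %v\ncorrected proxy accepted: %v\n",
		direct, flawed, corrected)
}
```

Run as-is it reports that the client rejects the raw self-signed certificate, accepts the flawed proxy's leaf for bank.example, and rejects the corrected proxy's leaf. The correction shown keeps the proxy's warn-by-renaming design only so the two variants stay comparable; the cleaner behaviour for a proxy whose upstream validation fails is to mint nothing under the local root at all and let the client see the original untrusted certificate and its own warning.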
Thought we were done with how bad this is? Nope. Not yet.
Because another security researcher, going by the name @TheWack0lian, found that Komodia uses a rootkit to better hide itself and make it that much harder to remove.
Komodia appears to have implemented its system in the worst way possible, and a whole bunch of companies agreed to use its product without even the slightest recognition of the fact that they punched a massive vulnerability into the computers of everyone who used their products. What's really stunning is that many of these products actually pitch themselves as "security" products to better "protect" your computer.