SSL module fails to handle NULL bytes inside subjectAltNames general names (CVE-2013-4238)

[tiran]

BPO	18709
Nosy	@warsaw, @birkenfeld, @vstinner, @larryhastings, @tiran, @benjaminp, @merwok, @dstufft, @abn
Files	nullbytecert.pem: Malicious certificate CVE-2013-4073_py34.patch: Patch for Python 3.4 CVE-2013-4073_py33.patch: Patch for Python 3.3 CVE-2013-4073_py27.patch: Patch for Python 2.7 CVE-2013-4073_py26.patch CVE-2013-4238-py31.patch: Patch for Python 3.1 CVE-2013-4238-py32.patch: Patch for Python 3.2

^{Note: these values reflect the state of the issue at the time it was migrated and might not reflect the current state.}

Show more details

GitHub fields:

assignee = 'https://github.com/birkenfeld'
closed_at = <Date 2014-09-30.12:47:58.447>
created_at = <Date 2013-08-12.11:32:52.317>
labels = ['type-security', 'extension-modules', 'release-blocker']
title = 'SSL module fails to handle NULL bytes inside subjectAltNames general names (CVE-2013-4238)'
updated_at = <Date 2018-08-14.12:45:53.022>
user = 'https://github.com/tiran'

bugs.python.org fields:

activity = <Date 2018-08-14.12:45:53.022>
actor = 'christian.heimes'
assignee = 'georg.brandl'
closed = True
closed_date = <Date 2014-09-30.12:47:58.447>
closer = 'georg.brandl'
components = ['Extension Modules']
creation = <Date 2013-08-12.11:32:52.317>
creator = 'christian.heimes'
dependencies = []
files = ['31240', '31241', '31242', '31243', '31309', '31330', '31331']
hgrepos = []
issue_num = 18709
keywords = ['patch']
message_count = 31.0
messages = ['194944', '194945', '194958', '194959', '195043', '195056', '195069', '195307', '195347', '195438', '195440', '195992', '196113', '196121', '196122', '196565', '196566', '196776', '196777', '196779', '196999', '197692', '197793', '200343', '200377', '200395', '203168', '214973', '227894', '323510', '323514']
nosy_count = 13.0
nosy_names = ['barry', 'georg.brandl', 'vstinner', 'larry', 'christian.heimes', 'benjamin.peterson', 'eric.araujo', 'Arfrever', 'python-dev', 'dstufft', 'abn', 'sYnfo', 'Anuj']
pr_nums = []
priority = 'release blocker'
resolution = 'fixed'
stage = 'resolved'
status = 'closed'
superseder = None
type = 'security'
url = 'https://bugs.python.org/issue18709'
versions = ['Python 3.2']

[tiran]

Ryan Sleevi of the Google Chrome Security Team has informed us that Python's SSL module doesn't handle NULL bytes inside subjectAltNames general names. It's related to Ruby's CVE-2013-4073 http://www.ruby-lang.org/en/news/2013/06/27/hostname-check-bypassing-vulnerability-in-openssl-client-cve-2013-4073/

Although Python uses a slightly different OpenSSL API to parse a X.509 certificate and turn its fields into a dictionary, our implementation eventually uses an OpenSSL function that fails to handle NULL bytes. This could lead to a breach when an application uses ssl.match_hostname() to match the hostname againt the certificate's subjectAltName's dNSName general names.

When the Ruby issues was announced publicly I already suspected that our code may suffer from the same issue. But I was unable to generate a X.509 certificate with a NULL byte in its X509v3 subjectAltName extension, only in subject and issuer. OpenSSL's config file format just didn't support NULL bytes. But Our code handled the NULL byte in subject in issuer just fine so I gave up. In the light of the bug report I went a different path and eventually I came up with a malicious certificate that showed the reported bug.

[tiran]

Demo certificate:

Certificate:
Data:
Version: 3 (0x2)
Serial Number: 0 (0x0)
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=US, ST=Oregon, L=Beaverton, O=Python Software Foundation, OU=Python Core Development, CN=null.python.org\x00example.org/emailAddress=python-dev@python.org
Validity
Not Before: Aug 7 13:11:52 2013 GMT
Not After : Aug 7 13:12:52 2013 GMT
Subject: C=US, ST=Oregon, L=Beaverton, O=Python Software Foundation, OU=Python Core Development, CN=null.python.org\x00example.org/emailAddress=python-dev@python.org
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:b5:ea:ed:c9:fb:46:7d:6f:3b:76:80:dd:3a:f3:
03:94:0b:a7:a6:db:ec:1d:df:ff:23:74:08:9d:97:
16:3f:a3:a4:7b:3e:1b:0e:96:59:25:03:a7:26:e2:
88:a9:cf:79:cd:f7:04:56:b0:ab:79:32:6e:59:c1:
32:30:54:eb:58:a8:cb:91:f0:42:a5:64:27:cb:d4:
56:31:88:52:ad:cf:bd:7f:f0:06:64:1f:cc:27:b8:
a3:8b:8c:f3:d8:29:1f:25:0b:f5:46:06:1b:ca:02:
45:ad:7b:76:0a:9c:bf:bb:b9:ae:0d:16:ab:60:75:
ae:06:3e:9c:7c:31:dc:92:2f:29:1a:e0:4b:0c:91:
90:6c:e9:37:c5:90:d7:2a:d7:97:15:a3:80:8f:5d:
7b:49:8f:54:30:d4:97:2c:1c:5b:37:b5:ab:69:30:
68:43:d3:33:78:4b:02:60:f5:3c:44:80:a1:8f:e7:
f0:0f:d1:5e:87:9e:46:cf:62:fc:f9:bf:0c:65:12:
f1:93:c8:35:79:3f:c8:ec:ec:47:f5:ef:be:44:d5:
ae:82:1e:2d:9a:9f:98:5a:67:65:e1:74:70:7c:cb:
d3:c2:ce:0e:45:49:27:dc:e3:2d:d4:fb:48:0e:2f:
9e:77:b8:14:46:c0:c4:36:ca:02:ae:6a:91:8c:da:
2f:85
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints: critical
CA:FALSE
X509v3 Subject Key Identifier:
88:5A:55:C0:52:FF:61:CD:52:A3:35:0F:EA:5A:9C:24:38:22:F7:5C
X509v3 Key Usage:
Digital Signature, Non Repudiation, Key Encipherment
X509v3 Subject Alternative Name:
*************************************************************
WARNING: The values for DNS, email and URI are WRONG. OpenSSL
doesn't print the text after a NULL byte.
*************************************************************
DNS:altnull.python.org, email:null@python.org, URI:http://null.python.org, IP Address:192.0.2.1, IP Address:2001:DB8:0:0:0:0:0:1
Signature Algorithm: sha1WithRSAEncryption
ac:4f:45:ef:7d:49:a8:21:70:8e:88:59:3e:d4:36:42:70:f5:
a3:bd:8b:d7:a8:d0:58:f6:31:4a:b1:a4:a6:dd:6f:d9:e8:44:
3c:b6:0a:71:d6:7f:b1:08:61:9d:60:ce:75:cf:77:0c:d2:37:
86:02:8d:5e:5d:f9:0f:71:b4:16:a8:c1:3d:23:1c:f1:11:b3:
56:6e:ca:d0:8d:34:94:e6:87:2a:99:f2:ae:ae:cc:c2:e8:86:
de:08:a8:7f:c5:05:fa:6f:81:a7:82:e6:d0:53:9d:34:f4:ac:
3e:40:fe:89:57:7a:29:a4:91:7e:0b:c6:51:31:e5:10:2f:a4:
60:76:cd:95:51:1a:be:8b:a1:b0:fd:ad:52:bd:d7:1b:87:60:
d2:31:c7:17:c4:18:4f:2d:08:25:a3:a7:4f:b7:92:ca:e2:f5:
25:f1:54:75:81:9d:b3:3d:61:a2:f7:da:ed:e1:c6:6f:2c:60:
1f:d8:6f:c5:92:05:ab:c9:09:62:49:a9:14:ad:55:11:cc:d6:
4a:19:94:99:97:37:1d:81:5f:8b:cf:a3:a8:96:44:51:08:3d:
0b:05:65:12:eb:b6:70:80:88:48:72:4f:c6:c2:da:cf:cd:8e:
5b:ba:97:2f:60:b4:96:56:49:5e:3a:43:76:63:04:be:2a:f6:
c1:ca:a9:94

The correct values are:

(('DNS', 'altnull.python.org\x00example.com'),
('email', 'null@python.org\x00user@example.org'),
('URI', 'http://null.python.org\\x00http://example.org'),
('IP Address', '192.0.2.1'),
('IP Address', '2001:DB8:0:0:0:0:0:1\n'))

[vstinner]

Does it really make sense to allow to open a certificate containing a NUL byte in its name? How does OpenSSL and other projects handle this case?

[tiran]

OpenSSL's print() functions fail to handle the NULL byte in subjectAltName (SAN) general names as they use strlen() or printf() functions with "%s" format char. The subject and issuer elements with NULL bytes are handled correctly by OpenSSL.

wget and curl combine CN / SAN parsing and hostname matching in one function. Both report an error when they see a NULL byte in a dNSName (strlen(dNSName) != lengtt of ASN1_STRING).

Python has separate functions for retrieving the X.509 information and matching a hostname against CN / SAN. I like to keep it that way and just for our parsing code in this bug. Latter ssl.match_hostname() can check for NULL bytes and raise an exception, but that's a different issue.

[abn]

This issue has been assigned CVE-2013-4238 [1].

Please use CVE-2013-4238 for this issue in Python for patches and references.

[1] http://www.openwall.com/lists/oss-security/2013/08/13/2

[tiran]

Thanks! The title now references the new CVE #.

[tiran]

Python 3.1 is affected, too. 3.1 will recieve security fixes until June 2014.

[tiran]

Brian Cameron from Oracle has requested a fix for Python 2.6. I have attached a patch for 2.6. In order to compile and test the patch I had to modify _ssl.c to handle OPENSSL_NO_SSL2. I also copied keycert.pem from 2.7 to fix two test failures. The former keycert.pem has expired.

It's a bit of a challenge to compile Python 2.6 on modern Linux OS. I had to set a couple of flags and overwrite MACHDEP:

export arch=$(dpkg-architecture -qDEB_HOST_MULTIARCH)
export LDFLAGS="-L/usr/lib/$arch -L/lib/$arch"
export CFLAGS="-I/usr/include/$arch"
export CPPFLAGS="-I/usr/include/$arch"
./configure --config-cache --with-pydebug
make -j4 MACHDEP=linux2

[tiran]

For the record PHP has assigned CVE-2013-4248 for the issue.

[python-dev]

New changeset c9f073e593b0 by Christian Heimes in branch '3.3':
Issue bpo-18709: Fix CVE-2013-4238. The SSL module now handles NULL bytes
http://hg.python.org/cpython/rev/c9f073e593b0

New changeset 7a0f398d1a5c by Christian Heimes in branch 'default':
Issue bpo-18709: Fix CVE-2013-4238. The SSL module now handles NULL bytes
http://hg.python.org/cpython/rev/7a0f398d1a5c

New changeset bd2360476bdb by Christian Heimes in branch '2.7':
Issue bpo-18709: Fix CVE-2013-4238. The SSL module now handles NULL bytes
http://hg.python.org/cpython/rev/bd2360476bdb

[tiran]

I have applied the patch to 2.7, 3.3 and 3.4.

Barry, Benjamin, Georg:
Are you going to apply the patches yourselves?

[python-dev]

New changeset 79007c4244d6 by Barry Warsaw in branch '2.6':

• Issue bpo-18709: Fix CVE-2013-4238. The SSL module now handles NULL bytes
  http://hg.python.org/cpython/rev/79007c4244d6