STE WILLIAMS

Using just a laptop, boffins sniff, spoof and pry – without busting browser padlock

Researchers based in Germany have discovered how to obtain fraudulent certificates for domains they don’t own – even when the certs are protected by PKI-based domain validation.

Though the group withheld the names of certificate authorities whose certs could be spoofed, Dr Haya Shulman, of the Fraunhofer Institute for Secure Information Technology, told The Register a “weak off-path attacker” can – using nothing more than a laptop – steal credentials, eavesdrop, or distribute malware using the method.

All the while, Dr Shulman told us, the user would think their connections were secure because that’s what their browser would report.

In a paper seen by The Register, to be presented at the ACM’s Conference on Computer and Communications Security (Toronto in October), Dr Shulman’s team wrote:

“The attack exploits DNS Cache Poisoning and tricks the CA into issuing fraudulent certificates for domains the attacker does not legitimately own – namely certificates binding the attacker’s public key to a victim domain.”

The group has asked The Register not to republish the paper because it names affected Certificate Authorities.

We have, however, seen a demo of a live attack by Fraunhofer’s team.

“The attack is initiated with a DNS request,” the paper explained. “To succeed in the attack, the attacker has to craft a correct DNS response before the authentic response from the real nameserver arrives.”

Once the spoofed DNS record maps the victim domain to hosts controlled by the attacker, the domain validation checks run by the CA are performed not against the record owner’s hosts, but against the attacker’s.

The attack depends on getting DNS responses broken into fragments, achieved by sending the nameserver an “ICMP fragment needed” packet. This tricks the server into thinking the victim’s system is configured to only process small packets.

The second trick is on the victim: in processing the first fragment, the victim’s machine has completed the DNS challenge-response fields (as the paper stated, these are “echoed by the nameserver in the first fragment”).

In other words, Fragment A contains the validation the victim expects for a domain, but then the attacker injects Fragment B with spoofed information that the victim accepts.

Network admins will have worked out by now that the attacker needs to do some offline research to get this to work – they have to examine responses from the victim’s nameserver to calculate “the offset where the fragmentation should occur”.

The research team proposed a domain validation protocol they dubbed “DV++” to block the attack. In summary, DV++ uses a distributed model which sends requests to multiple certification agents.

“To pass a DV++ validation, domain owners must prove their ownership to a majority of the agents in a fully automated manner by responding to queries sent by the agents for the resource records in the domain.”
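The majority rule described for DV++, as an added sketch that is not taken from the paper or from The Register. Each agent's lookup is modelled as a constructed observation; the agent names, the TXT-style challenge token, and the choice to count unresponsive agents against the request are assumptions.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Observation:
    agent: str                # hypothetical agent name
    txt_value: Optional[str]  # value this agent resolved; None on timeout/error


def majority_validate(expected_token: str, observations: list) -> dict:
    """Decide validation from independent agent lookups.

    Passes only when a strict majority of ALL agents (not just those that
    answered) resolved the expected challenge token. Counting silent agents
    against the request is an assumption of this sketch.
    """
    total = len(observations)
    agree = sorted(o.agent for o in observations if o.txt_value == expected_token)
    silent = sorted(o.agent for o in observations if o.txt_value is None)
    differ = sorted(o.agent for o in observations
                    if o.txt_value is not None and o.txt_value != expected_token)
    return {
        "passed": total > 0 and 2 * len(agree) > total,
        "agree": agree,
        "silent": silent,
        "differ": differ,
        # Some agents saw the token and others saw a different answer:
        # the views of the zone are inconsistent, which is worth alerting on.
        "split_view": bool(agree) and bool(differ),
    }


def _obs(values):
    """Build constructed observations for agents named agent-1..agent-N."""
    return [Observation(f"agent-{i}", v) for i, v in enumerate(values, 1)]


TOKEN = "dv-challenge-EXAMPLE"  # constructed challenge value

# Constructed scenarios (no network access is performed).
SCENARIOS = {
    "owner_published_token": _obs([TOKEN] * 5),
    "one_agent_poisoned": _obs([TOKEN] + ["unrelated"] * 4),
    "two_agree_two_silent": _obs([TOKEN, TOKEN, None, None, "unrelated"]),
}

if __name__ == "__main__":
    for name, obs in SCENARIOS.items():
        r = majority_validate(TOKEN, obs)
        print(f"{name}: passed={r['passed']} split_view={r['split_view']}")
```

In the single-poisoned-agent scenario the request fails and `split_view` is set, which is the signal an operator would log and investigate.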

Dr Shulman’s collaborators in the project are Markus Brandt, Tianxiang Dai, Amit Klein and Michael Waidner. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/09/06/boffins_break_cas_domain_validation/
