If the title makes someone a slight feeling of déjà vu, it is not surprising. In March 2016 the Israeli company StartCom, which owns StartSSL service and project StartEncrypt for issuance of free SSL-certificates to everyone, has suffered from a similar problem. Now the situation repeats itself: the experts of the Danish company CompuTest reported that StartEncrypt contains several vulnerabilities, by exploiting which attackers can obtain a certificate for any domain.
StartEncrypt Initiative was launched in early June of this year, developers are inspired by colleagues who created Let’s Encrypt. The project gave everyone an opportunity to get a free SSL-certificate for use, which only need to download and install their own Linux-client company. Client performed the domain validation process: data is transmitted to StartSSL, and then creates a certificate for the domain that runs on checked server.
It would seem that the system thought out well, but CompuTest experts argue that the validation process is not safe. Attackers can obtain certificates for foreign domains, including domains of large companies such as Facebook, Google, Dropbox and so on. Then, these certificates can be resold on the black market or used for man-in-the-middle attacks.
The first problem is that StartEncrypt client allows the user to manually change the configuration and specify the directory from which the server is loading the signature. Attackers can cheat the system, replacing the signature on the signature of another domain. Hackers can attack in such a way any site that allows users to upload content: GitHub, Dropbox and so on.
The second problem is even more serious, because it can help hackers obtain a certificate for virtually any domain. When the API makes the verification, it works with the parameter «verifyRes», i.e. perceives redirects. If the URL parameter is provided with «verifyRes» and leads to a different URL, the API follow this link, until he gets what he seeks. This means that the client is open to Open Redirect vulnerabilities. Attackers can forge the request and make a validation procedure for each server in general.
The researchers write that this gap is not so easy to exploit. Domain URL that uses the attacker must meet one of the conditions. The link must be present the ability to upload files and to download them. Either we will need vulnerability in Open Redirect. However, the second condition is easier to observe: in fact, all sites with support for OAuth 2.0 must maintain open redirects for normal function of protocol. Using this feature of OAuth 2.0 and StartEncrypt client, attackers can trick the service StartSSL, forcing him to issue a certificate free of charge for any site that supports OAuth 2.0.
Besides the two above-mentioned problems, experts have also found a number of bugs in smaller caliber. The researchers concluded that StartEncrypt client does not even check your own server certificate, when connected to the API. API also does not hold a content type check for files that will download during verification. This allows attackers to get a certificate on behalf of any site that allows users to upload avatars. Besides that, the private key for the certificate is stored with 0666 permissions in the public folder, where it can reach by anyone. StartEncrypt developers, moreover, does not take into account the experience of colleagues from Let’s Encrypt, so that the service is vulnerable to the Duplicate-Signature Key Selection attacks.
StartCom company has introduced a new version of Linux-client StartEncrypt, where described problems have been eliminated. The version number has remained the same: 126.96.36.199. CompuTest Experts emphasize that this is not all the bugs have been found by them, – the company is still working on fixing other vulnerabilities, which will close in the next updates.