Upload of forged file with name "trusted-ca-certificates.crt" can lead to misconfiguration in SSL Inspection

Tell everybody, what you think about SafeSquid!
Speak your mind!
India aashish97
Posts: 117
Joined: Sat Jul 06, 2019 10:45 am

Upload of forged file with name "trusted-ca-certificates.crt" can lead to misconfiguration in SSL Inspection

Post by aashish97 » Mon Feb 24, 2020 11:07 am

Hello All,

While I was Testing the Upload Section
[ Please Find the below Link: viewtopic.php?f=61&t=160 ]

I found out that major Upload Section in SafeSquid accepts the file, check for some validation and if validation fails rather than discarding the file it is actually saved in Partition: /tmp/safesquid/

So i came accross a problem that can create problem in SSL Section.
The Upload SSL Certs Section allows user to UPLOAD their own ROOT CA Certificate & Key so that it can be used by SafeSquid for SSL Inspection and it also allows user to Upload their Trusted Bundle
[Note: Cases where the Upstream Web Server/Proxy server uses a Custom Authority and SafeSquid should be able to validate it's TRUST, the CA Bundle for Verification should be included in SafeSquid]

Root Cause Analysis
-------------------------------

When the user uploads a normal file [Which is not a certificate file, for example a Excel Sheet with name as "file1.xlsx"]
  • Client-Side Validation: NOT DONE
  • Server-Side Validation: Validation is done on the basis of the file Extension[Which will result in problem].
Upload Section will return a Error as "Failed to upload, please upload a valid file"
image.png
image.png (74.6 KiB) Viewed 1038 times
but if the same file is Upload by changing the file extension then it will result in "Successful Upload of File"
image.png
image.png (46.58 KiB) Viewed 1038 times
The below logs explain that the file was renamed to ".crt" but was actually a Excel Sheet
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------
2020 02 27 17:47:42.740 [15666] debug: request: Post_t::Post_t:130 filename[file1.crt] name[ssl_certificate] Content-Disposition[form-data] content-transfer-encoding[] Content-Type[application/x-x509-ca-cert]
2020 02 27 17:47:42.741 [15666] debug: request: get_content_mime:77: magic: [application/vnd.openxmlformats-officedocument.spreadsheetml.sheet]
2020 02 27 17:47:42.741 [15666] debug: interface: upload:716 SSL certificate: /usr/local/safesquid/security/ssl/trusted/file1.crt
2020 02 27 17:47:42.741 [15666] debug: network: writing 8714 bytes to /usr/local/safesquid/security/ssl/trusted/file1.crt file
2020 02 27 17:47:42.741 [15666] debug: ssl: setup_store:781 reading trusted CA /usr/local/safesquid/security/ssl/trusted/
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------

Now comes the Real Trouble:

If we rename the file to "trusted-ca-certificates.crt" it will actually replace the file in ssl directory which will result in BREAKING THE SSL FEATURE, resulting in SSL Inspection NOT WORKING

All Logs are attached in one single file