Upload of forged file with name "trusted-ca-certificates.crt" can lead to misconfiguration in SSL Inspection
Posted: Mon Feb 24, 2020 11:07 am
Hello All,
While I was Testing the Upload Section
[ Please Find the below Link: viewtopic.php?f=61&t=160 ]
I found out that the major Upload Section in SafeSquid accepts the file, checks for some validation, and if validation fails, rather than discarding the file, it is actually saved in Partition: /tmp/safesquid/
So I came across a problem that can create a problem in the SSL Section.
The Upload SSL Certs Section allows the user to UPLOAD their own ROOT CA Certificate & Key so that it can be used by SafeSquid for SSL Inspection, and it also allows the user to upload their Trusted Bundle
[Note: Cases where the Upstream Web Server/Proxy server uses a Custom Authority and SafeSquid should be able to validate its TRUST, the CA Bundle for Verification should be included in SafeSquid]
Root Cause Analysis
-------------------------------
When the user uploads a normal file [which is not a certificate file, for example an Excel Sheet with name as "file1.xlsx"]
- Client-Side Validation: NOT DONE
- Server-Side Validation: Validation is done on the basis of the file extension [which will result in a problem].
But if the same file is uploaded by changing the file extension, then it will result in "Successful Upload of File"
The below logs explain that the file was renamed to ".crt" but was actually an Excel Sheet
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------
2020 02 27 17:47:42.740 [15666] debug: request: Post_t::Post_t:130 filename[file1.crt] name[ssl_certificate] Content-Disposition[form-data] content-transfer-encoding[] Content-Type[application/x-x509-ca-cert]
2020 02 27 17:47:42.741 [15666] debug: request: get_content_mime:77: magic: [application/vnd.openxmlformats-officedocument.spreadsheetml.sheet]
2020 02 27 17:47:42.741 [15666] debug: interface: upload:716 SSL certificate: /usr/local/safesquid/security/ssl/trusted/file1.crt
2020 02 27 17:47:42.741 [15666] debug: network: writing 8714 bytes to /usr/local/safesquid/security/ssl/trusted/file1.crt file
2020 02 27 17:47:42.741 [15666] debug: ssl: setup_store:781 reading trusted CA /usr/local/safesquid/security/ssl/trusted/
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------
Now comes the Real Trouble:
If we rename the file to "trusted-ca-certificates.crt", it will actually replace the file in the ssl directory, which will result in BREAKING THE SSL FEATURE, resulting in SSL Inspection NOT WORKING
All Logs are attached in one single file
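
The server-side check the post finds missing, sketched as an added example (not SafeSquid's code and not part of the original post): an upload is judged by its content rather than its extension, is rejected outright on failure, and may never replace an existing file such as the bundle. The function names, `RESERVED`, the assumption that the bundle is not meant to be replaced through this upload path, and both sample inputs are assumptions; the DER check covers only the outer certificate shape, so a real deployment would parse the certificate with its TLS library.

```python
import base64
import os
import re

RESERVED = {"trusted-ca-certificates.crt"}  # bundle name from the post
PEM_RE = re.compile(
    rb"-----BEGIN CERTIFICATE-----\s+(.*?)\s+-----END CERTIFICATE-----", re.S)

def _tlv(buf, pos):
    """Read one DER tag-length-value; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length: low 7 bits give the byte count
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:pos + length], pos + length

def looks_like_certificate(der):
    """Outer X.509 shape only: SEQUENCE { SEQUENCE, SEQUENCE, BIT STRING }."""
    try:
        tag, body, end = _tlv(der, 0)
        tags, pos = [], 0
        while pos < len(body):
            t, _, pos = _tlv(body, pos)
            tags.append(t)
    except (IndexError, ValueError):
        return False
    return tag == 0x30 and end == len(der) and tags == [0x30, 0x30, 0x03]

def check_upload(filename, data, existing=()):
    """Return (accepted, reason). Callers write the file only if accepted."""
    if os.path.basename(filename) != filename or not filename.endswith(".crt"):
        return False, "bad filename"
    if filename in RESERVED or filename in existing:
        return False, "would overwrite an existing file"
    blocks = PEM_RE.findall(data)
    for b64 in blocks:
        try:
            der = base64.b64decode(b"".join(b64.split()), validate=True)
        except ValueError:
            return False, "invalid base64"
        if not looks_like_certificate(der):
            return False, "not an X.509 structure"
    return (True, "ok") if blocks else (False, "no PEM certificate block")

# Constructed inputs: a placeholder with the right outer shape (not a real
# certificate) and a ZIP/XLSX-style header like the renamed sheet in the logs.
SAMPLE_PEM = (b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(
    bytes.fromhex("300730003000030100")) + b"-----END CERTIFICATE-----\n")
SAMPLE_XLSX = b"PK\x03\x04" + bytes(60)
```
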