Patching Firefox SSL annoyances

A quick and cute application of binary patching.

Today I was discussing with @s3cur1ty_de how annoying Firefox certificate validation can sometimes be. For example, during a web application pentest you normally have an intercepting proxy which breaks the SSL connection, and we sometimes run into problems because the proxy certificate is not issued by a recognized CA. Very annoying stuff…

So I joked about the possibility of attacking the root of the problem and doing some binary patching in order to completely remove the certificate check. It turned out to be not such a bad idea after all…

As with many problems, the solution is rather easy once you know where to look. In this case we have the fantastic MDN (Mozilla Developer Network) with tons of resources, code, *debugging symbols*, etc.
Searching around I found this:

Long story short, this is the function called when the browser finds a certificate within an SSL connection and proceeds to verify its validity. If everything is cool it returns SECSuccess (0x00).

Nice. But where is this function in my binary, once it’s compiled? Well, ssl3.dll looked like a good candidate and there she was, beautiful and compiled.

As you can see this is kind of a wrapper and the functions performing the actual checks are of the type CERT_Verify* (more in a moment).

I used an Ubuntu machine with Apache from my lab for the test. The certificate was of course self-signed.

As you can see Firefox doesn’t recognize the issuing CA and I get the well-known “internet police” message.

Well, this screenshot is in German but you recognize the “connection not trusted” message. This was expected, wasn’t it?

Now let’s check the ssl3.dll inside Immunity Debugger. You can see two calls to these CERT_Verify* functions. Their return values control the program’s flow.

I’ll patch both calls so they just return the correct value (zero). To this end, a simple xor eax, eax will do. You can see the function patched here:

Now what’s left is to save our modified binary and replace ssl3.dll inside “C:\Program Files\Mozilla Firefox” with it.

Restart Firefox so it loads the new DLL and visit the same page.

Will it work? (drums…)

As Mati Aharoni would say “…and look at that!”. The browser opens the page directly without complaining about the certificate. If we check the connection properties we find that everything is cool because (Firefox says) the certificate has been issued by a recognized CA, “Ensei Sec Research” :P
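The flip side of this trick is that the patched browser now accepts every certificate from every site, not just the proxy’s, and nothing in the UI tells you so. The natural check from the defensive side is the one the post itself makes trivially visible: ssl3.dll on disk no longer matches the shipped file. The script below is an added example (not code from the post or from Mozilla) that baselines an install directory into a SHA-256 manifest and later diffs the live directory against it, flagging modified, added and missing libraries. The directory layout, file names and file contents it builds are constructed for the demonstration; a same-size in-place edit like the xor eax, eax patch is exactly the kind of change a size-only check would miss and a hash check catches.

```python
"""Detect an in-place replacement of a browser library such as ssl3.dll.

Added example, not code from the original post. It builds a SHA-256
manifest of an install directory once (from a known-good install) and
later compares the live directory against it, reporting modified, added
and missing files. All paths and file contents below are constructed.
"""
import hashlib
import json
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large DLLs do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path, suffixes=(".dll", ".exe", ".so")) -> dict:
    """Map each relative library path under root to its size and SHA-256."""
    manifest = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and path.suffix.lower() in suffixes:
            rel = path.relative_to(root).as_posix()
            manifest[rel] = {"size": path.stat().st_size, "sha256": sha256_of(path)}
    return manifest


def compare_to_manifest(root: Path, manifest: dict) -> dict:
    """Return {'modified': [...], 'added': [...], 'missing': [...]} for root."""
    current = build_manifest(root)
    modified = [p for p in manifest if p in current and current[p] != manifest[p]]
    added = [p for p in current if p not in manifest]
    missing = [p for p in manifest if p not in current]
    return {"modified": modified, "added": added, "missing": missing}


def demo() -> dict:
    """Simulate the post's scenario on constructed files: baseline a fake
    install, then overwrite 'ssl3.dll' with a same-size variant (a patched
    instruction changes bytes, not file size) and check that it is flagged."""
    with tempfile.TemporaryDirectory() as tmp:
        install = Path(tmp) / "Mozilla Firefox"  # constructed install dir
        install.mkdir()
        # Constructed stand-ins for the real binaries: an "MZ" header plus filler.
        (install / "ssl3.dll").write_bytes(b"MZ" + b"\x00" * 62 + b"A" * 1024)
        (install / "nss3.dll").write_bytes(b"MZ" + b"\x00" * 62 + b"B" * 1024)
        (install / "firefox.exe").write_bytes(b"MZ" + b"\x00" * 62 + b"C" * 1024)

        baseline = build_manifest(install)
        # The manifest would normally be stored off-host, e.g. as JSON.
        manifest_json = json.dumps(baseline, indent=2)
        clean = compare_to_manifest(install, json.loads(manifest_json))

        # In-place edit of the library: same length, one byte flipped.
        data = bytearray((install / "ssl3.dll").read_bytes())
        data[0x200] ^= 0xFF
        (install / "ssl3.dll").write_bytes(bytes(data))
        tampered = compare_to_manifest(install, json.loads(manifest_json))

        return {"clean": clean, "tampered": tampered}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

On a real Windows install you would pair this with a signature check, since a DLL re-saved from a debugger no longer carries Mozilla’s Authenticode signature (Get-AuthenticodeSignature in PowerShell, or signtool verify, reports that directly); the hash manifest is what catches the change on any platform and against any signer.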

Cute, isn’t it?
