A quick and cute application of binary patching.
Today I was discussing with @s3cur1ty_de how annoying Firefox certificate validation sometimes is. Take a web application pentest, where you normally sit behind an intercepting proxy that terminates the SSL connection and re-signs it with its own certificate. Every now and then we run into problems because that proxy certificate is not issued by a CA the browser recognizes. Very annoying stuff…
So I joked about attacking the root of the problem and doing some binary patching to remove the certificate check altogether. It turned out to be not such a bad idea after all…
As with many problems, the solution is rather easy once you know where to look. In this case we have the fantastic MDN (Mozilla Developer Network) with tons of resources, code, *debugging symbols*, etc.
Searching around I found this:
Long story short, this is the function called when the browser receives a certificate within an SSL connection and proceeds to verify its validity. If everything is cool it returns SECSuccess (0x00); any other SECStatus value (SECFailure is -1) means the check did not pass.
Nice. But where is this function in my binary, once it’s compiled? Well, ssl3.dll looked like a good candidate and there she was, beautiful and compiled.
I used an Ubuntu machine with Apache from my lab for the test. The certificate was of course self-signed.
Well, this screenshot is in German but you will recognize the “connection not trusted” message. This was expected, wasn’t it?
Now let’s check the ssl3.dll inside Immunity Debugger. You can see two calls to these CERT_Verify* functions. Their return values control the program’s flow: the conditional jump after each call decides whether execution continues on the “all good” path or heads to the error handling, so those branches are what we patch.
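As an added example (not the post's own patch, and not code from Mozilla or NSS), here is the kind of small "patch and verify" helper I would use instead of writing the bytes by hand. The x86 snippet, the offset and the rel32 value in it are constructed stand-ins for the "call CERT_Verify*, test eax, eax, jnz" pattern described above, not bytes taken from ssl3.dll; the trick it demonstrates is the usual one, turning the conditional jump into NOPs so the failure branch is never taken, while refusing to write anything unless the original bytes are exactly what we expect.

```python
from __future__ import annotations

import os
import shutil
from typing import List


class PatchError(Exception):
    """Raised when the file does not contain the bytes the patch expects."""


# Constructed x86 stand-in for the code that follows a CERT_Verify* call
# (these are NOT bytes taken from ssl3.dll; offsets are hypothetical):
#   E8 rel32      call  CERT_VerifyCertNow        (rel32 is made up)
#   85 C0         test  eax, eax                  ZF=1 iff rv == SECSuccess (0)
#   75 0E         jnz   +0x0E                     jump to failure path if rv != 0
#   8B 45 08      mov   eax, [ebp+8]              (whatever follows)
FAKE_CODE = bytes.fromhex("E8 44 33 22 11 85 C0 75 0E 8B 45 08")
CHECK_OFFSET = 5  # offset of "test eax, eax" in FAKE_CODE (hypothetical)

# The post-call check we expect to find, and what we turn it into:
# keep "test eax, eax", replace "jnz rel8" with two NOPs so the failure
# branch is never taken, whatever the verify function returned.
EXPECTED_CHECK = bytes.fromhex("85 C0 75 0E")
PATCHED_CHECK = bytes.fromhex("85 C0 90 90")


def find_all(data: bytes, pattern: bytes) -> List[int]:
    """Every offset at which pattern occurs; handy for locating the
    'test eax, eax / jnz' sequences that follow the verify calls."""
    hits, pos = [], data.find(pattern)
    while pos != -1:
        hits.append(pos)
        pos = data.find(pattern, pos + 1)
    return hits


def patch_bytes(data: bytes, offset: int, expected: bytes, replacement: bytes) -> bytes:
    """Return a copy of data with expected@offset replaced by replacement.

    Refusing to write unless the original bytes match catches a wrong
    offset, a different build of the DLL, or a file that is already patched.
    Same-length patches keep every other offset in the binary valid."""
    if len(expected) != len(replacement):
        raise PatchError("patch must not change code size")
    if offset < 0 or offset + len(expected) > len(data):
        raise PatchError(f"offset 0x{offset:x} out of range")
    found = data[offset:offset + len(expected)]
    if found != expected:
        raise PatchError(f"unexpected bytes at 0x{offset:x}: {found.hex()} != {expected.hex()}")
    return data[:offset] + replacement + data[offset + len(expected):]


def failure_branch_taken(code: bytes, check_offset: int, rv: int) -> bool:
    """Model of the branch after 'test eax, eax': jnz jumps to the failure
    path when rv != 0 (SECFailure is -1); two NOPs never jump."""
    if code[check_offset:check_offset + 2] != b"\x85\xC0":
        raise ValueError("no 'test eax, eax' at check_offset")
    opcode = code[check_offset + 2]
    if opcode == 0x75:          # jnz rel8 (original)
        return rv != 0
    if opcode == 0x90:          # nop (patched)
        return False
    raise ValueError(f"unexpected opcode 0x{opcode:02x} after test")


def patch_file(path: str, offset: int, expected: bytes, replacement: bytes) -> str:
    """Patch a file on disk, keeping a one-time .orig backup; returns its path.
    Running it twice fails in patch_bytes because the bytes no longer match."""
    backup = path + ".orig"
    if not os.path.exists(backup):
        shutil.copy2(path, backup)
    with open(path, "rb") as f:
        data = f.read()
    with open(path, "wb") as f:
        f.write(patch_bytes(data, offset, expected, replacement))
    return backup


if __name__ == "__main__":
    SECFAILURE = -1
    print("original, rv=SECFailure -> failure path:",
          failure_branch_taken(FAKE_CODE, CHECK_OFFSET, SECFAILURE))
    patched = patch_bytes(FAKE_CODE, CHECK_OFFSET, EXPECTED_CHECK, PATCHED_CHECK)
    print("patched,  rv=SECFailure -> failure path:",
          failure_branch_taken(patched, CHECK_OFFSET, SECFAILURE))
```

The same-length rule matters more than it looks: the two NOPs occupy exactly the bytes of the `jnz rel8`, so nothing else in the DLL moves and no relocation or import table needs touching. With a real target you would take the offset and expected bytes from the debugger view (file offset, not the in-memory address), and the "unexpected bytes" error is your signal that you are looking at a different Firefox build.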
Restart Firefox so it loads the patched DLL and visit the same page.
Will it work? (drums…)
As Mati Aharoni would say, “…and look at that!”. The browser opens the page directly without complaining about the certificate. If we check the connection properties we find that everything is cool because (Firefox says) the certificate has been issued by a recognized CA, “Ensei Sec Research” :P
Bear in mind that this browser now accepts any certificate from any server, not just the proxy’s, so keep the patched build in a dedicated pentest VM or profile and never use it for anything real.
Cute, isn’t it?