Bugtraq mailing list archives

Re: **maillist:: Outlook S/MIME Vulnerability
From: Timothy J.Miller <cerebus () sackheads org>
Date: Wed, 4 Sep 2002 08:44:45 -0500

On Tuesday, September 3, 2002, at 09:06 AM, Thomas Seliger wrote:

> Since the failure of checking certificate chain correctly seems to be buried deeper in Windows (maybe in some DLL? Some info from Microsoft would be greatly appreciated, but their security offensive seems to be hot air anyway), I could imagine more possibilities to exploit it:

Anything crypto-related is supposed to be handled by CAPI (Crypto API), so I had assumed from the beginning that the failure to check basic constraints was deeper than IE.

However, attacking IPsec in this manner would not (quite) work. Certificates used for authentication of IPsec security associations *must* chain back to the *same* trusted root CA on both sides. So if I'm expecting a certificate chaining from CA#1 and you give me a certificate chaining from CA#2-- even if CA#2 is in the Trusted Root store-- the security association will fail and IPsec won't come up.

However, if I already have a certificate from CA#1, I *could* use it to sign a "false" IPsec certificate that would chain back to CA#1 (violating basic constraints). This is probably not a useful attack since I could just use the issued certificate, as the IPsec implementation doesn't really care about the key usages anyway (at least, in Win2K SP0 it didn't)-- IOW, signing the false certificate is (may be) an unnecessary extra step.

-- Cerebus
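
The two checks discussed in this message, sketched as an added example that is not part of the original post and is not Microsoft's CAPI code: every certificate that issues another must carry the basicConstraints CA flag, and an IPsec peer's chain must end at the one expected root, not just any trusted root. The `Cert` model, the names and the sample chains are constructed, and signature verification is deliberately left out.

```python
from dataclasses import dataclass
from typing import List, Optional, Set

@dataclass(frozen=True)
class Cert:                          # simplified model, not a real X.509 parser
    subject: str
    issuer: str
    is_ca: bool = False              # basicConstraints cA flag
    path_len: Optional[int] = None   # basicConstraints pathLenConstraint

def validate_chain(chain: List[Cert], trusted_roots: Set[str],
                   expected_root: Optional[str] = None) -> str:
    """chain is ordered leaf first, root last. Returns "ok" or the failure reason."""
    if not chain:
        return "empty chain"
    root = chain[-1]
    if root.subject != root.issuer or root.subject not in trusted_roots:
        return "chain does not end at a trusted root"
    # IPsec-style pinning: being in the trusted store is not enough.
    if expected_root is not None and root.subject != expected_root:
        return "root is trusted but is not the expected CA"
    for i in range(1, len(chain)):
        issuer, child = chain[i], chain[i - 1]
        if child.issuer != issuer.subject:
            return f"{child.subject}: issuer does not match next certificate"
        # The check the message says was skipped: an issuer must be a CA.
        if not issuer.is_ca:
            return f"{issuer.subject}: issued a certificate but is not a CA"
        # i - 1 intermediate certificates sit between this issuer and the leaf.
        if issuer.path_len is not None and i - 1 > issuer.path_len:
            return f"{issuer.subject}: pathLenConstraint exceeded"
    return "ok"

# Constructed sample data.
CA1 = Cert("CA#1", "CA#1", is_ca=True)
CA2 = Cert("CA#2", "CA#2", is_ca=True)
ALICE = Cert("alice", "CA#1")            # ordinary end-entity certificate
FALSE_CERT = Cert("gateway", "alice")    # "false" certificate signed with alice's key
PEER2 = Cert("peer", "CA#2")
ROOTS = {"CA#1", "CA#2"}

if __name__ == "__main__":
    for chain in ([ALICE, CA1], [FALSE_CERT, ALICE, CA1], [PEER2, CA2]):
        print([c.subject for c in chain], "->", validate_chain(chain, ROOTS, "CA#1"))
```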

