From: Tomasz CEDRO
Date: Tue, 3 Aug 2021 18:34:29 +0200
Subject: tpm / dislocker-fuse / bitleaker
To: freebsd-ports, FreeBSD Questions Mailing List, freebsd-security@freebsd.org

Hello world :-)

I just read an interesting article on how to sniff SPI based TPM in order to
extract BitLocker keys. If someone uses GlobalProtect VPN this gives access
to the corporate network using on-disk certificates with no login. This
trick seems to be more and more popular, so it's worth checking if your
company is vulnerable.

https://pulsesecurity.co.nz/articles/TPM-sniffing
https://translate.google.com/translate?sl=pl&tl=en&u=https://sekurak.pl/od-skradzionego-laptopa-do-firmowej-sieci/

There are two nice BitLocker utilities that would be nice to have on
FreeBSD. Please consider adding if anyone has a free moment :-)

dislocker-fuse: https://github.com/Aorimn/dislocker
bitleaker: https://github.com/kkamagui/bitleaker

Best regards :-)
Tomek

--
CeDeROM, SQ7MHZ, http://www.tomek.cedro.info


From: Katherine Mcmillan
Date: Sat, 7 Aug 2021 15:06:45 +0000
Subject: Re: bug in Lynx' SSL certificate validation -> leaks password in clear text via SNI (under some circumstances)
To: freebsd-security@freebsd.org

FYI

________________________________
From: Lynx-dev on behalf of Ariadne Conill
Sent: 07 August 2021 10:17
To: oss-security@lists.openwall.com
Cc: Axel Beckert; lynx-dev@nongnu.org; security@debian.org; 991971@bugs.debian.org
Subject: Re: [Lynx-dev] [oss-security] Re: bug in Lynx' SSL certificate validation -> leaks password in clear text via SNI (under some circumstances)

Hi,

On Sat, 7 Aug 2021, Thorsten Glaser wrote:

> Axel Beckert dixit:
>
>> This is more severe than it initially looked like: Due to TLS Server
>> Name Indication (SNI) the hostname as parsed by Lynx (i.e with
>> "user:pass@" included) is sent in _clear_ text over the wire even
>
> I *ALWAYS* SAID SNI IS A SHIT THING ONLY USED AS BAD EXCUSE FOR NAT
> BY PEOPLE WHO ARE TOO STUPID TO CONFIGURE THEIR SERVERS RIGHT AND AS
> BAD EXCUSE FOR LACKING IPv6 SUPPORT, AND THEN THE FUCKING IDIOTS WENT
> AND MADE SNI *MANDATORY* FOR TLSv1.3, AND I FEEL *SO* VINDICATED RIGHT
> NOW! IDIOTS IN CHARGE OF SECURITY, FUCKING IDIOTS…

It turns out SNI is only marginally related to this issue. The issue
itself is far more severe: HTParse() does not understand the authn part of
the URI at all. And so, when you call:

    HTParse("https://foo:bar@example.com", "", PARSE_HOST)

It returns:

    foo:bar@example.com

Which is then handed directly to SSL_set_tlsext_host_name() or
gnutls_server_name_set(). But it will also leak in the Host: header on
unencrypted connections, and also probably SSL ones too.

As a workaround, I taught HTParse() how to parse the authn part of URIs,
but Lynx itself needs to actually properly support the authn part really.

I have attached the patch Alpine is using to work around this infoleak.

Ariadne

[Attachment: fix-auth-data-leaks.patch]
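
Added example, not part of the messages above and not taken from the Lynx source or the Alpine patch: the host extraction described in Ariadne's message, next to a variant that drops the userinfo and port before the name is used for SNI or a Host: header. The helpers naive_host() and sni_host() are hypothetical, and the sketch assumes DNS host names only (no bracketed IPv6 literals).

```c
/* Added illustration; naive_host()/sni_host() are hypothetical, not Lynx functions. */
#include <stdio.h>
#include <string.h>

/* Locate the authority of "scheme://authority/path"; it ends at '/', '?' or '#',
 * so an '@' later in the path is never mistaken for userinfo. */
static const char *authority(const char *url, size_t *len)
{
    const char *p = strstr(url, "://");
    if (p == NULL) return NULL;
    p += 3;
    *len = strcspn(p, "/?#");
    return p;
}

/* Behaviour described in the thread: the whole authority is used as the host. */
int naive_host(const char *url, char *out, size_t outsz)
{
    size_t len = 0;
    const char *a = authority(url, &len);
    if (a == NULL || len == 0 || len >= outsz)
        return -1;
    memcpy(out, a, len);
    out[len] = '\0';
    return 0;
}

/* Hardened: skip userinfo (everything up to the last '@') and cut the port. */
int sni_host(const char *url, char *out, size_t outsz)
{
    size_t len = 0, i, hlen;
    const char *a = authority(url, &len), *h = a, *end;
    if (a == NULL) return -1;
    for (i = 0; i < len; i++)
        if (a[i] == '@')
            h = a + i + 1;
    hlen = len - (size_t)(h - a);
    end = memchr(h, ':', hlen);          /* assumption: DNS names, no IPv6 literal */
    if (end != NULL) hlen = (size_t)(end - h);
    if (hlen == 0 || hlen >= outsz)      /* reject an empty host such as "user@" */
        return -1;
    memcpy(out, h, hlen);
    out[hlen] = '\0';
    return 0;
}

int main(void)
{
    char buf[64];
    const char *url = "https://foo:bar@example.com";  /* URL from the message */
    if (naive_host(url, buf, sizeof buf) == 0) printf("naive: %s\n", buf);
    if (sni_host(url, buf, sizeof buf) == 0) printf("sni:   %s\n", buf);
    return 0;
}
```

Only the output of sni_host() is suitable for a server-name extension or Host: header; the credentials, if used at all, belong in an Authorization header sent inside the encrypted channel.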