
Security Vulnerability: SSL Verification Disabled Leading to Potential MITM Attacks #311

Open
itamarcps opened this issue Aug 7, 2024 · 0 comments

itamarcps commented Aug 7, 2024

Description:

We have discovered a critical security vulnerability in the HTTP client implementation of this library. The issue lies in the SSL verification process, where SSL certificate verification is disabled, allowing for potential Man-in-the-Middle (MITM) attacks.

Affected Code:

The most critical part of the code is located in BoostHttpOnlySslClient.cpp at line 43:

https://github.com/reo7sp/tgbot-cpp/blob/master/src/net/BoostHttpOnlySslClient.cpp#L43

    socket.set_verify_mode(ssl::verify_none);
    socket.set_verify_callback(ssl::rfc2818_verification(url.host));

Issue:

The code sets the SSL verification mode to ssl::verify_none, effectively bypassing any SSL certificate verification.

Steps to Reproduce:

  1. Set up an SSL reverse proxy:
  • Install Nginx:

      sudo apt update
      sudo apt install nginx

  • Create a self-signed SSL certificate:

      sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/nginx/ssl/nginx.key -out /etc/nginx/ssl/nginx.crt

      server {
          listen 443 ssl;
          server_name myproxy.local;

          ssl_certificate /etc/nginx/ssl/nginx.crt;
          ssl_certificate_key /etc/nginx/ssl/nginx.key;

          # Enable SSL protocols and ciphers
          ssl_protocols TLSv1.2 TLSv1.3;
          ssl_ciphers HIGH:!aNULL:!MD5;

          location / {
              proxy_pass https://api.telegram.org;

              # Preserve Host Header
              proxy_set_header Host api.telegram.org;

              # Proxy headers
              proxy_set_header X-Real-IP $remote_addr;
              proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
              proxy_set_header X-Forwarded-Proto $scheme;

              # SSL settings for the upstream
              proxy_ssl_protocols TLSv1.2 TLSv1.3;
              proxy_ssl_ciphers HIGH:!aNULL:!MD5;

              # Increase proxy buffer size
              proxy_buffer_size 128k;
              proxy_buffers 4 256k;
              proxy_busy_buffers_size 256k;

              # Timeout settings
              proxy_connect_timeout 60s;
              proxy_send_timeout 60s;
              proxy_read_timeout 60s;
          }
      }

      server {
          listen 80;
          server_name myproxy.local;

          return 301 https://$host$request_uri;
      }

  • Edit the hosts file to resolve myproxy.local to 127.0.0.1:

      127.0.0.1    myproxy.local

  • Restart Nginx:

      sudo systemctl restart nginx

  2. Replace the URL inside tgbot-cpp from https://api.telegram.org to https://myproxy.local.

Expected Behavior:

The HTTP client should verify the SSL certificate and fail the request if the certificate is invalid or not trusted. The client should not connect to the proxy when the SSL certificate verification fails.

Actual Behavior:

The HTTP client connects to the proxy server and accepts the invalid self-signed certificate, demonstrating that SSL certificate verification is not enforced, making it vulnerable to MITM attacks.

Suggested Fix:

To mitigate MITM vulnerabilities, enable SSL certificate verification in the HTTP client library. This can be easily achieved in a cross-platform manner by using the boost-certify library, which simplifies SSL certificate verification with Boost.Beast and Boost.Asio.

Reference:

https://github.com/djarek/certify
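The expected-versus-actual behaviour described in the report, as an added Python example (not code from the reporter or from tgbot-cpp): a local TLS server presents a self-signed certificate generated with openssl, a client configured like the reported code (ssl::verify_none, here ssl.CERT_NONE) completes the handshake, and a client that verifies the chain and host name refuses it. In Boost.Asio terms the verifying client corresponds to ssl::verify_peer with a trust store loaded through ssl::context::set_default_verify_paths(); the script assumes the openssl CLI is on PATH and that the system trust store does not contain the throwaway certificate.

```python
import socket, ssl, subprocess, tempfile, threading


def make_client_ctx(verify: bool) -> ssl.SSLContext:
    """verify=False mirrors the reported ssl::verify_none; True is the intended fix."""
    if verify:
        return ssl.create_default_context()  # chain + host name check, system trust store
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def serve_once(lsock: socket.socket, ctx: ssl.SSLContext) -> None:
    """Accept one connection; a verifying client aborts the handshake with an alert."""
    conn, _ = lsock.accept()
    try:
        with ctx.wrap_socket(conn, server_side=True) as tls:
            tls.recv(1)
    except (ssl.SSLError, OSError):
        pass  # handshake refused, or the peer closed right after the handshake


def client_accepts_cert(port: int, verify: bool) -> bool:
    """True if the client completes a TLS handshake with the self-signed server."""
    try:
        raw = socket.create_connection(("127.0.0.1", port), timeout=5)
        with make_client_ctx(verify).wrap_socket(raw, server_hostname="myproxy.local") as tls:
            return tls.version() is not None
    except ssl.SSLCertVerificationError:
        return False


def run_check(verify: bool) -> bool:
    """Serve a throwaway self-signed cert (constructed as in the report) and test one client."""
    with tempfile.TemporaryDirectory() as tmp:
        key, crt = f"{tmp}/srv.key", f"{tmp}/srv.crt"
        subprocess.run(["openssl", "req", "-x509", "-nodes", "-days", "1", "-newkey",
                        "rsa:2048", "-subj", "/CN=myproxy.local", "-keyout", key,
                        "-out", crt], check=True, capture_output=True)
        srv_ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
        srv_ctx.load_cert_chain(crt, key)
        with socket.socket() as lsock:
            lsock.bind(("127.0.0.1", 0))
            lsock.listen(1)
            t = threading.Thread(target=serve_once, args=(lsock, srv_ctx), daemon=True)
            t.start()
            accepted = client_accepts_cert(lsock.getsockname()[1], verify)
            t.join(timeout=5)
    return accepted
```

run_check(False) returning True is the reported "actual behaviour"; run_check(True) returning False is the "expected behaviour" the fix should restore.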
