bitwarden

2 Articles

This Week In Security: ACME.sh, Leaking LEDs, And Android Apps

June 16, 2023 by 3 Comments

Let’s Encrypt has made an enormous difference to the landscape of the web. The protocol used for authenticating and receiving certificates, ACME, has spawned quite a few clients of various flavors. Some are written in Rust, some in Python or Go, and a few in straight Bash shell script. One of those last ones, acme.sh, was doing something odd when talking to a particular “Certificate Authority”, HiCA. This pseudo-CA only supports acme.sh, and now we know why. The folks behind HiCA found an RCE exploit in acme.sh, and decided to use that exploit to do certificate issuance with more “flexability”. Oof.

The nuts and bolts here is that HiCA was working as a CA-in-the-Middle, wrapping other CA’s authentication services. Those services don’t support ACME authentication at all, and HiCA used the acme.sh vulnerability to put the authentication token in the place SSL.com expected to find it. So, just a good community member offering a service that ACME doesn’t quite support, right?

Well, maybe not so innocent. The way it appears this works, is that the end user sends a certificate request to HiCA. HiCA takes that information, and initiates a certificate request off to SSL.com. SSL.com sends back a challenge, and HiCA embeds that challenge in the RCE and sends it to the end user. The end user’s machine triggers the RCE, which pushes the challenge token to the well-known location, and bypasses the ACME protection against exactly this sort of CA-in-the-middle situation.

The last piece of the authentication process is that the signing server reaches out over HTTP to the domain being signed, and looks for the token to be there. Once found, it sends the signed certificates to HiCA, who then forward them on to the end user. And that’s the problem. HiCA has access to the key of every SSL cert they handled. This doesn’t allow encryption, but these keys could be used to impersonate or even launch MitM attacks against those domains. There’s no evidence that HiCA was actually capturing or using those keys, but this company was abusing an RCE to put itself in the position to have that ability.

The takeaway is twofold. First, as an end user, only use reputable CAs. And second, ACME clients need to be hardened against potentially malicious CAs. The fact that HiCA only supported the one ACME client was what led to this discovery, and should have been a warning flag to anyone using the service. Continue reading “This Week In Security: ACME.sh, Leaking LEDs, And Android Apps”

An Easy-To-Make Pi-Powered Pocket Password Pal

October 31, 2022 by 16 Comments

Sometimes, we see a project where it’s clear – its creator seriously wants to make a project idea accessible to newcomers; and today’s project is one of these cases. The BYOPM – Bring Your Own Password Manager, a project by [novamostra] – is a Pi Zero-powered device to carry your passwords around in. This project takes the now well-explored USB gadget feature of the Pi Zero, integrates it into a Bitwarden-backed password management toolkit to make a local-network-connected password storage, and makes a tutorial simple enough that anybody can follow it to build their own.

For the physical part, assembly instructions are short and sweet – you only need to solder a single button to fulfill the hardware requirements, and there’s a thin 3D-printable case if you’d like to make the Pi Zero way more pocket-friendly, too! For the software part, the instructions walk you step-by-step through setting up an SD card with a Raspbian image, then installing all the tools and configuring a system with networking exposed over the USB gadget interface. From there, you set up a Bitwarden instance, and optionally learn to connect it to the corresponding browser extensions. Since the device’s goal is password management and storage, it also reminds you to do backups, pointing out specifically the files you’ll want to keep track of.

Overall, such a device helps you carry your passwords with you wherever you need them, you can build this even if your Raspberry Pi skills are minimal so far, and it’s guaranteed to provide you with a feeling that only a self-built pocket gadget with a clear purpose can give you! Looking for something less reliant on networking and more down-to-commandline? Here’s a buttons-and-screen-enabled Pi Zero gadget that uses pass.