I think the title buries the most horrifying part of this. The HiCA certificate authority is relying on an RCE to do an end-run around the semantics of the ACME HTTP-01 validation method.
Fucked up and they should be booted from every root program for this.
Major props and thanks to the HiCA person for engaging on the thread even though they were getting hammered. Yes they made some really (damn clever but) bad implementation decisions to use an RCE in the client to basically hack around the entire system, and then compounded it with other bad decisions to redirect to the US White House website to stop a DDoS, but the fact that they engaged, admitted, and explained what was going on I thought was really big of them.
Everybody makes mistakes people. If this person was trying to be malicious they would have disappeared, not come straight clean about it on the thread.
Looks like they are issuing under a sub-CA of "ssl.com" according to https://github.com/acmesh-official/acme.sh/issues/4659#issue...
Interestingly, the mozilla dev-security-policy group seems to contain a recent discussion about including "ssl.com" in the root store here https://groups.google.com/a/mozilla.org/g/dev-security-polic...
Curious to know if this could, maybe it should, have ripple effects to the various SSL Root CA programs. Having someone run a subCA that actually exploits an RCE against ACME clients doesn't seem very trustworthy, and any CA enabling this behaviour should probably be kicked out of the trust stores?
These sorts of hacks remind me of when AOL's AIM server was exploiting bugs in their own client to run verification code[0]. Hardly an acceptable practice in 2023, though.
[0] https://www.geoffchappell.com/notes/security/aim/index.htm
This raise one more issue about Chinese providers.
The site using this exploit, HiCA is run by xiaohuilam on Github. He/She is also the founder of two famous SSL certificate provider in China, DigitalSign and QuantumCA. Additionally, he is also a contributor of acme.sh repository. The acme.sh repository locked issue #4659 quickly after it raise attentions in the developer community in China.
It's hard to imagine that, as one of the repository's contributor, once you have found a vulnerability, you are going to use it in your own product, instead of fix it. They are just another version of Pinduoduo (owner of Temu, and also the one who put spyware on user's android phone).
This means that acme.sh has an RCE. Once the patch is in I'm rotating all my certs, even though I use ZeroSSL.
I do wonder if what HiCA did gave possibilities to post the private key somewhere else?
<quote> ... HiCA is injecting arbitrary code/commands into the certificate obtaining process and acme.sh is running them on the client machine. </quote>
Even if this is just RCE in the script somehow (I doubt it, it can probably do anything the user running it can), it's horrifying. It means the certificate authority could just take your newly generated certificates and upload them anywhere they want. That's a catastrophic compromise in the TLS security model.
[dead]
Is this part of Plan 9?
Sounds about par for the course for folks that think shell is a productively sustainable way of writing secure or reliable software. Not even remotely sorry about that opinion. The gall to claim ACME compat, then force require a single client, all so you can remote execute arbitrary commands. Should be enough to ruin the CA, but we know how people handle things like this "oh, won't affect me" (until it does). Seemingly just so they can avoid some reverse proxy rules to host the challenge endpoints at the right place? Holy wow. Oh there we go baby, eval'ing with arbitrary input in the shell script, complete with lazy inproper string quoting. I should probably just stop before I say more unkind things.
Was it even run through shellcheck?!
Stop writing this stuff in shell people. 95% of the time I review any (posix, nushell lacks most of these issues) shell scripts, it's obvious they would fall apart the second any string unexpectedly had a space in it. Even scripts written by darling companies of HN.