CVE-2012-0741

MEDIUM 5.8 / 10.0
Published: December 28, 2012 at 11:48 AM
Modified: April 11, 2025 at 12:51 AM
Source: psirt@us.ibm.com

Vulnerability Description

IBM Security AppScan Enterprise before 8.6.0.2 and Rational Policy Tester before 8.5.0.3 do not validate X.509 certificates during use of the Manual Explore Proxy feature, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary certificate.

CVSS Metrics

Base Score: 5.8
Severity: MEDIUM
Vector String: AV:N/AC:M/Au:N/C:P/I:P/A:N

Weaknesses (CWE)

Source: nvd@nist.gov

AI Security Analysis

01 // Technical Summary

IBM Security AppScan Enterprise and Rational Policy Tester are vulnerable to a man-in-the-middle (MITM) attack due to improper X.509 certificate validation within the Manual Explore Proxy feature. This allows attackers to intercept and potentially modify sensitive communications, leading to data breaches and compromise of application security testing results.

02 // Vulnerability Mechanism

Step 1: Set up MITM: The attacker sets up a malicious proxy server, configured to intercept traffic intended for the target application being tested by AppScan Enterprise or Rational Policy Tester. This proxy acts as a man-in-the-middle.

Step 2: Certificate Forgery: The attacker generates a forged X.509 certificate, potentially mimicking the target server's certificate or using a self-signed certificate. This certificate is presented to the client (AppScan or Policy Tester) during the SSL/TLS handshake.

Step 3: Proxy Configuration: The victim (security tester) configures AppScan Enterprise or Rational Policy Tester to use the attacker's proxy server for manual exploration.

Step 4: Traffic Interception: The victim's application traffic is routed through the malicious proxy. Because of the missing certificate validation, the client accepts the attacker's forged certificate without warning.

Step 5: Data Interception and Manipulation: The attacker can now decrypt and inspect the victim's encrypted traffic, potentially stealing sensitive data or modifying requests/responses before they reach the target server. This could include injecting malicious payloads or altering application behavior during security testing.

03 // Deep Technical Analysis

The vulnerability stems from a failure to properly validate X.509 certificates presented by SSL/TLS servers when the Manual Explore Proxy feature is enabled. Specifically, the software does not verify the certificate's authenticity, issuer, or revocation status. This lack of validation allows an attacker to present a forged certificate and establish a fraudulent SSL/TLS connection. The root cause is likely a missing or disabled certificate verification function within the proxy's SSL/TLS handling code: the software trusts any certificate presented, regardless of its validity, so an attacker positioned between the proxy and the server can decrypt and potentially modify the traffic passing through it.
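The following is an added illustration, not code from IBM or from this database: a Python `ssl` client configuration with the weak setting described above (accept any certificate) beside the corrected one (chain and hostname verification required), plus a small audit helper that flags the insecure settings. The function names and the "proxy" wording are assumptions for the example.

```python
import ssl

# Constructed for contrast: a client-side TLS context that reproduces the
# class of defect described for CVE-2012-0741 (no chain or hostname check).
def insecure_proxy_context() -> ssl.SSLContext:
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE     # any certificate is accepted
    return ctx


# Corrected configuration: verify the chain against trusted CAs, bind the
# certificate to the requested hostname, and refuse legacy protocol versions.
def hardened_proxy_context() -> ssl.SSLContext:
    ctx = ssl.create_default_context()  # CERT_REQUIRED + check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


# Audit helper (hypothetical name): returns a list of findings for a context
# that an outbound client, such as a manual-explore proxy, would use.
def audit_client_context(ctx: ssl.SSLContext) -> list:
    findings = []
    if ctx.verify_mode == ssl.CERT_NONE:
        findings.append("verify_mode is CERT_NONE: any certificate is accepted")
    if not ctx.check_hostname:
        findings.append("check_hostname disabled: certificate not bound to target host")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("minimum_version below TLS 1.2")
    return findings


if __name__ == "__main__":
    for name, ctx in (("insecure", insecure_proxy_context()),
                      ("hardened", hardened_proxy_context())):
        print(name, audit_client_context(ctx) or ["no findings"])
```

With the hardened context, `ctx.wrap_socket(sock, server_hostname=host)` raises `ssl.SSLCertVerificationError` on a forged or self-signed certificate instead of silently proceeding.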

CVE-2012-0741 - MEDIUM Severity (5.8) | Free CVE Database | 4nuxd