Can attackers steal SSL certificate from server and use it for MITM attacks?

It is not the certificate which matters, but the private key. That one does not leave the server. To impersonate the server, the man in the middle would need to obtain that private key. The certificate itself is public data, and sent by the server to every client who asks for it by simply connecting.

(A Man in the Middle attack is a double impersonation: the attacker poses as the server when talking to the client, as the client when talking to the server. In simple SSL, with no certificate-based client authentication, the client is nominally anonymous, so mounting a successful MitM reduces to running a fake server which the clients accept as genuine. Fat luck with that, if you don't have the server's private key.)


Actually, depending on how your client implements SSL/TLS and PKI, it might be possible for an attacker to pull off something vaguely similar: For instance, read this page on how eavesdropping on secure connections might be technically possible, if sufficient attention isn't paid to the PKI part of SSL/TLS.

In short: The attacker would generate a root certificate, somehow get your client application to trust it (which is the critical part), and then act as a man-in-the-middle that generates server certificates on the fly, when your client connects to a (the) server.

Edit: Bundling the certificates the software is meant to trust with the application, rather than pulling them from a store the man-in-the-middle might compromise, is in principle sufficient to thwart this vulnerability.
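The rogue-root attack described in the answer above, and the bundling/pinning idea from its edit, as an added example that is not part of the original thread. It only needs the openssl command-line tool; the CA names ("Real Root CA", "Rogue Root CA"), the hostname victim.example and the file names are invented for the illustration.

```shell
#!/bin/sh
# Added example (not from the original thread): a rogue root CA minting a
# leaf certificate for a hostname it does not own, and the one thing that
# decides whether a client accepts it: which roots the client trusts.
# All names ("Real Root CA", "Rogue Root CA", victim.example) are made up.
set -eu

WORK="$(mktemp -d)"

# Create a self-signed root CA: $1 = file prefix, $2 = CN.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=$2" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.crt" >/dev/null 2>&1
}

# Issue a leaf certificate for hostname $2, signed by CA $1, written to $WORK/$3.crt.
# A MITM proxy does exactly this on the fly for every hostname a client asks for.
issue_leaf() {
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$WORK/$3.key" -out "$WORK/$3.csr" >/dev/null 2>&1
  printf 'subjectAltName=DNS:%s\n' "$2" > "$WORK/$3.ext"
  openssl x509 -req -in "$WORK/$3.csr" -CA "$WORK/$1.crt" -CAkey "$WORK/$1.key" \
    -CAcreateserial -days 7 -extfile "$WORK/$3.ext" -out "$WORK/$3.crt" >/dev/null 2>&1
}

# Chain validation as a client does it against a given root store ($1 = root, $2 = leaf).
# Prints "accepted" or "rejected".
verify_against() {
  if openssl verify -CAfile "$WORK/$1.crt" "$WORK/$2.crt" >/dev/null 2>&1
  then echo accepted; else echo rejected; fi
}

# SHA-256 of the certificate's SubjectPublicKeyInfo, base64 encoded (an HPKP-style pin).
spki_pin() {
  openssl x509 -in "$WORK/$1.crt" -pubkey -noout \
    | openssl pkey -pubin -outform DER \
    | openssl dgst -sha256 -binary | openssl base64 -A
}

# A pinned client ignores the root store entirely and compares the pin it shipped with
# ($1 = expected pin, $2 = presented leaf). Prints "pin-match" or "pin-mismatch".
check_pin() {
  if [ "$(spki_pin "$2")" = "$1" ]; then echo pin-match; else echo pin-mismatch; fi
}

# Demo: one honest root, one attacker root, both issuing a leaf for the same hostname.
make_ca real "Real Root CA"
make_ca rogue "Rogue Root CA"
issue_leaf real  victim.example genuine
issue_leaf rogue victim.example forged

echo "forged leaf vs real root:   $(verify_against real forged)"   # rejected
echo "forged leaf vs rogue root:  $(verify_against rogue forged)"  # accepted
PIN="$(spki_pin genuine)"
echo "forged leaf vs shipped pin: $(check_pin "$PIN" forged)"      # pin-mismatch
```

The two verify_against calls show that the very same forged leaf is rejected or accepted purely according to which root sits in the client's store, which is why getting the rogue root trusted is the critical step. check_pin models the bundling idea from the edit: a client that ships the expected public-key hash never consults the root store, so the forged leaf fails no matter what roots were installed on the machine (at the cost that the pin has to be rotated whenever the genuine key changes).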


Bundling certs, installing embedded certs, implementations DO NOT MATTER, period. If you think this is the case, you're missing the underlying handling of certificates.

When a connection is made via the PKI infrastructure, it usually works as follows:

Client (with cert) --> before connection is made, let me consult CA --> Internet
Client (with cert) --> Hey CA is this cert being used valid --> Internet CA
CA --> checks cert information
CA --> Valid cert? --> Yes --> This is a valid cert --> Client
CA --> Valid cert? --> No --> This is NOT A VALID cert --> Client

What occurs with attackers is a) they can replace YOUR valid cert with a STOLEN - SIGNED CERT and the above occurs:

Client (with signed STOLEN cert) --> Let me consult CA --> Internet
Client (with signed STOLEN cert) --> Hey CA is this cert valid?
CA --> checks cert information
(cert was not revoked)
CA --> Yes --> This is a valid cert --> Client

From what I am reading, I get the impression that when a connection is made ONLY the SPECIFIED certificate WILL BE USED and an attacker cannot outright replace that cert. It will take an enormous amount of programming to pull that off. In fact, a software vendor would have to program N amount of iterations for each client to pull that off. Otherwise, a cert is a cert is a cert...