Информационная безопасность
[RU] switch to English


Дополнительная информация

  Утечка парольной информации в Mozilla Firefox (information leak)

  Mozilla cleartext credentials leak bug report to excuse myself (Re[2]: NTLM HTTP Authentication is insecure by design - a new writeup by Amit Klein)

From:3APA3A <3APA3A_(at)_security.nnov.ru>
Date:14 сентября 2005 г.
Subject:Mozilla / Mozilla Firefox authentication weakness

Dear bugTraq,

 I  have  reported  this issue some time ago:
 http://www.security.nnov.ru/Fnews19.html
 but  it looks like it was ignored, and not fixed in latest mozilla and
 firefox releases, so I decided to send "formal" advisory


Issue:              Mozilla browsers authentication weakness
Author:             3APA3A <[email protected]>
Advisory URL:       http://www.security.nnov.ru/Fnews19.html
Vendor:             Mozilla (http://www.mozilla.org)
Products:           Mozilla 1.7.11 (Windows version tested)
                   FireFox 1.0.6 (Windows version tested)
Type:               Man-in-the-Middle, information leak
Exploit:            Not required

I. Intro

RFC  2617  defines  Authentication mechanism for HTTP protocol. Any web
browser implement this standard for web site access authentication.

II. Vulnerability

Firefox  and  Mozilla  browser  have  vulnerability  in  authentication
mechanism  implementation.  Potential  impact  of this vulnerability is
weak  authentication protocol (for example cleartext) may be chosen for
Web site authentication instead of stronger one.

III. Details

From RFC 2617:

  The user agent MUST
  choose to use one of the challenges with the strongest auth-scheme it
  understands and request credentials from the user based upon that
  challenge.

Instead,   Mozilla   uses   authentication  schemas  in  the  order  of
WWW-Authenticate  headers  sent by Web server. It may lead to situation
weak  authentication (for example cleartext "Basic" authentication) may
be  chosen  by  Mozilla  while both server and Mozilla support stronger
authentication mechanism.

IV. Demonstration

This  links  demonstrate  initial handshake for different authentication
protocols:

http://www.security.nnov.ru/files/atest/basic.asp - Basic authentication
http://www.security.nnov.ru/files/atest/digest.asp - Digest authentication
http://www.security.nnov.ru/files/atest/ntlm.asp - NTLM authentication
http://www.security.nnov.ru/files/atest/negotiate.asp - Negotiate authentication

With  this  link  you can check which protocol was chosen by browser, if
server support few authentication protocols:
http://www.security.nnov.ru/files/atest/all.asp
For Mozilla/Firefox "Basic" authentication with cleartext login/password
transmitted  over  the  wire  will  be  chosen  by  default. By pressing
"Cancel" you can choose different authentication.

--
http://www.security.nnov.ru
        /\_/\
       { , . }     |\
+--oQQo->{ ^ }<-----+ \
|  ZARAZA  U  3APA3A   } You know my name - look up my number (The Beatles)
+-------------o66o--+ /
                   |/

О сайте | Условия использования
© SecurityVulns, 3APA3A, Владимир Дубровин
Нижний Новгород