digest authentication
Advisory: Geo++(R) GNCASTER: Faulty implementation of HTTP Digest Authentication
During a penetration test, RedTeam Pentesting discovered that the
GNCaster software has multiple bugs in its implementation of HTTP Digest
Authentication.
Details
=======
CVE-2011-1184 Apache Tomcat - Multiple weaknesses in HTTP DIGEST authentication
Severity: Moderate
Vendor: The Apache Software Foundation
Advisory Contact Matt Jordan < mjordan AT digium DOT com >
CVE Name
Description: An attacker attempting to connect to an HTTP session of the
Asterisk Manager Interface can send an arbitrarily long string value for
HTTP Digest Authentication. This causes a stack buffer overflow, with the
possibility of remote code injection.
Resolution: Upgrade to one of the versions of Asterisk listed in the
"Corrected In" section, or apply a patch specified in the
...
You can inject SQL code through the 'username' argument of this function; it may
come from the $_SERVER['PHP_AUTH_USER'] or $_SERVER['REMOTE_USER'] PHP
variables.
These variables are used for both the HTTP Basic and Digest Authentication methods;
see the PHP manual:
http://www.php.net/manual/en/features.http-auth.php
Manual PoC: visit http://host/path_to_geeklog/webservices/atom/index.php
>>
>> Abstract
>> ========
>> In this paper, we compare the security weaknesses and usability
>> limitations of both cookie-based session management and HTTP digest
>> authentication; demonstrating how digest authentication is clearly the
>> more secure system in practice. We propose several small changes in
>> browser behavior and HTTP standards that will make HTTP authentication
>> schemes, such as digest authentication, a viable option in future
>> application development.
Technical Description:
----------------------
The web interface of the Snom VoIP/SIP phones is protected by
Basic Authentication or Digest Authentication.
The authentication can be completely bypassed by modifying the
HTTP request. A normal browser sets the request header "Host:"
to the IP address or the host name that is entered in the URL
field of the browser. If the request header is modified to
contain the value "Host: 127.0.0.1", all pages and functions
Several vulnerabilities have been found in Tomcat, a servlet and JSP
engine:
CVE-2011-1184 CVE-2011-5062 CVE-2011-5063 CVE-2011-5064
The HTTP Digest Access Authentication implementation performed
insufficient countermeasures against replay attacks.
CVE-2011-2204
In rare setups passwords were written into a logfile.
often lead to catastrophic gaps in security. Recent examples of this
fragile architecture abound, and even when protocols and
implementations themselves are sound, research indicates browser user
interfaces continue to leave room for serious attacks.
This paper explores how the seldom-used HTTP digest authentication
protocol can be used to mitigate certain recent forms of attack,
including SSL/TLS renegotiation and some types of HTTP request
smuggling.
...
Problem Description:
Multiple vulnerabilities have been discovered and corrected in Tomcat
5.5.x:
The implementation of HTTP DIGEST authentication in tomcat was
discovered to have several weaknesses (CVE-2011-1184).
Apache Tomcat, when the MemoryUserDatabase is used, creates log entries
containing passwords upon encountering errors in JMX user creation,
which allows local users to obtain sensitive information by reading
- Tomcat 5.5.0 to 5.5.29
Note: The unsupported Tomcat 3.x, 4.x and 5.0.x versions may also be
affected.
Description:
The "WWW-Authenticate" header for BASIC and DIGEST authentication
includes a realm name. If a <realm-name> element is specified for the
application in web.xml it will be used. However, if a <realm-name> is not
specified then Tomcat will generate one using the code snippet:
request.getServerName() + ":" + request.getServerPort()
In some circumstances this can expose the local hostname or IP address
A security vulnerability has been identified and fixed in neon:
neon 0.28.0 through 0.28.2 allows remote servers to cause a denial
of service (NULL pointer dereference and crash) via vectors related
to Digest authentication and Digest domain parameter support
(CVE-2008-3746).
The updated packages have been upgraded to version 0.28.3 to prevent
this.
IAX2 response from asterisk (AST-2009-001).
CVE-2008-3903
It is possible to determine a valid SIP username, when Digest
authentication and authalwaysreject are enabled (AST-2009-003).
CVE-2009-3727
It is possible to determine a valid SIP username via multiple crafted
REGISTER messages (AST-2009-008).
disclosure or spoofing.
CVE-2007-2292
Stefano Di Paola discovered that insufficient validation of user names
used in Digest authentication on a web site allows HTTP response splitting
attacks.
CVE-2007-3511
It was discovered that insecure focus handling of the file upload
filename, as demonstrated by the ...war filename (CVE-2009-2902).
Apache Tomcat 5.5.0 through 5.5.29 and 6.0.0 through 6.0.26 might
allow remote attackers to discover the server's hostname or IP
address by sending a request for a resource that requires (1) BASIC or
(2) DIGEST authentication, and then reading the realm field in the
WWW-Authenticate header in the reply (CVE-2010-1157).
Apache Tomcat 5.5.0 through 5.5.29, 6.0.0 through 6.0.27, and 7.0.0
beta does not properly handle an invalid Transfer-Encoding header,
which allows remote attackers to cause a denial of service (application
Multiple vulnerabilities have been reported in Mozilla Firefox and
SeaMonkey. Various errors in the browser engine and the JavaScript
engine can be exploited to cause a memory corruption (CVE-2007-5339 and
CVE-2007-5340). Before being used in a request, input passed to the
user ID when making an HTTP request with digest authentication is not
properly sanitised (CVE-2007-2292). The titlebar can be hidden by a XUL
markup language document (CVE-2007-5334). Additionally, an error exists
in the handling of "smb:" and "sftp:" URI schemes on systems with
gnome-vfs support (CVE-2007-5337). An unspecified error in the handling
of "XPCNativeWrappers" and not properly implementing JavaScript
> want strong dynamic auth are probably largely the same folks who want
> strong data structures enforced.
Far too often security initiatives fail to gain any momentum because
they bite off far more than they can chew. I'd love to redesign digest
authentication, for instance, or push for good browser support of some
truly safe HTTP authentication protocols, but that would be much more
likely to fail. I see this as a relatively easy fix to open up a new
option in web app development.
Another interesting attack was discovered as part
of the research on this vulnerability.
This attack is another example of leveraging XSRF
with the potential of leaking cookie, basic and digest
authentication tokens using Java Applet and the
"Compatibility with older browser" feature in
Apache Web Server.
For a PDF version of this research please follow the link below:
> auth-sharing mechanism like SAML, or combining with something like
> SXIP or OpenID. None of these latter give us the changeable
> persistence bits we want and need though, when passing auth around
> multi-domain/host properties.
Digest authentication may lack long-term persistence, I give you that,
but it makes up for it with better defined cross-domain properties.
What I suspect you haven't read up on is the intended use of the
opaque value (and perhaps server-side nonces) in digest
authentication. These can be used to pass information between servers
without any out-of-band mechanism. Looks a lot like cookies, eh?