Network Security: Detailed info on [Full-disclosure] Mozilla cleartext credentials leak bug report to excus

Subject:	[Full-disclosure] Mozilla cleartext credentials leak bug report to excuse myself (Re[2]: NTLM HTTP Authentication is insecure by design - a new writeup by Amit Klein)
Date:	Wed, 20 Jul 2005 00:10:08 +0400

Dear Amit Klein (AKsecurity),



--Tuesday, July 19, 2005, 10:22:59 PM, you wrote to 3APA3A@SECURITY.NNOV.RU:

AKA> For  example,  no-one expects NTLM auth to protect data in transit.

Actually, it may with NTLM Session Security.


AKA> Few  years  ago  Internet  Explorer  was  patched  to  use NTLM

 authentication  only  for  local  network zone. Local network are hosts
 with  NetBIOS name (for example WEBSRV, excluded by default from proxy)
 and list of proxy exclusions.


AKA> Uh, I don't think so. From my experiments with IE 6.0, it happily engages 
in NTLM
AKA> authentication on non local network sites. In fact, there are many sites 
on the Internet
AKA> which require NTLM authentication. For example, OWA 2000/2003...

Yes,  sorry, it was my fault. Probably this feature was only implemented
for transparent logon feature of NTLM and I did my tests through a proxy
with NTLM auth disabled.

To   excuse   myself   somehow  for the lists I will report security bug
discovered in Mozilla Firefox (Mozilla browser was not tested).

From RFC 2617:


   The user agent MUST
   choose to use one of the challenges with the strongest auth-scheme it
   understands and request credentials from the user based upon that
   challenge.

Instead,  Mozilla (tested with Firefox 1.0.4 and 1.0.5 for Windows) uses
authentication  schema  in  the  order  offered  by server. You can test
different authentications:

http://www.security.nnov.ru/files/atest/basic.asp - Basic authentication
http://www.security.nnov.ru/files/atest/digest.asp - Digest authentication
http://www.security.nnov.ru/files/atest/ntlm.asp - NTLM authentication
http://www.security.nnov.ru/files/atest/negotiate.asp - Negotiate authentication
http://www.security.nnov.ru/files/atest/all.asp  -  Let  browser  to decide
between above schemas.

Then you visit
http://www.security.nnov.ru/files/atest/all.asp
with  Firefox  it  becomes clear, that Firefox chooses Basic by default,
digest if basic fails, etc.

It may lead to the leak of the cleartext credentials.

Because  this  is information leak vulneability and can not be specially
exploited  I  feel  free  to  report this vulnerability to the lists and
vendor at the same time.

This issue is published as
http://www.security.nnov.ru/Fnews19.html

-- 
~/ZARAZA
http://www.security.nnov.ru

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

<Prev in Thread]	Current Thread	[Next in Thread>
NTLM HTTP Authentication is insecure by design - a new writeup by Amit Klein, Amit Klein (AKsecurity) Re: NTLM HTTP Authentication is insecure by design - a new writeup by Amit Klein, 3APA3A [Full-disclosure] Re: NTLM HTTP Authentication is insecure by design - a new writeup by Amit Klein, Amit Klein (AKsecurity) [Full-disclosure] Mozilla cleartext credentials leak bug report to excuse myself (Re[2]: NTLM HTTP Authentication is insecure by design - a new writeup by Amit Klein), 3APA3A <=

Previous by Date:	RE: Installation of software, and security. . ., Burton Strauss
Next by Date:	Re: On classifying attacks, Crispin Cowan
Previous by Thread:	[Full-disclosure] Re: NTLM HTTP Authentication is insecure by design - a new writeup by Amit Klein, Amit Klein (AKsecurity)
Next by Thread:	[KDE Security Advisory]: Kate backup file permission leak, Dirk Mueller
Indexes:	[Date] [Thread] [Top] [All Lists]