Closed Bug 281851 (httpauthorder) Opened 20 years ago Closed 4 years ago

CVE-2005-2395 Wrong scheme used when server offers both Basic and Digest auth [rfc2617 obsoletes rfc2068]

Categories

(Core :: Networking: HTTP, defect, P5)

Product:
Core
Component:
Networking: HTTP
Type:
defect

Tracking

()

Status:
RESOLVED FIXED
Tracking Flags:
Tracking Status
firefox93 --- fixed

People

(Reporter: dori.eldar, Unassigned)

References

Details

(Keywords: sec-low, sec-want, Whiteboard: [sg:low][sg:want][necko-would-take][adv-main93-])

Attachments

(1 file, 2 obsolete files)

v1 patch
23.92 KB, patch
Details | Diff | Splinter Review
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.5) Gecko/20041107 Firefox/1.0 Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.5) Gecko/20041107 Firefox/1.0 When connecting to a web server that offers both HTTP Basic authentication and HTTP Digest authentication, Firefox selects to perform Basic authentication rather then the more secure Digest authentication scheme. This behavior is in contrast to RFC 2617 requirement, which describes HTTP authentication: ------------------------------------------------------------ 4.6 Weakness Created by Multiple Authentication Schemes An HTTP/1.1 server may return multiple challenges with a 401 (Authenticate) response, and each challenge may use a different auth-scheme. A user agent MUST choose to use the strongest auth- scheme it understands and request credentials from the user based upon that challenge ------------------------------------------------------------ Reproducible: Always Steps to Reproduce: 1. Setup a Web Server to support both Basic and Digest authentication mode in parallel i.e. IIS server in a windows domain 2. Use firefox to connect to the web-server. 3. send user/pass credentials, when Firefox prompts the for credentials. 4. Use a network sniffer to to track traffic. 5. analyze sniffer dump, note that Firefox sends the user's credential to the wb-server, specifying HTTP Basic scheme. Actual Results: from network sniffer: // first un-authenitcated request send from client Frame 4 (452 bytes on wire, 452 bytes captured) Ethernet II, Src: 00:d0:59:cd:24:38, Dst: 00:0c:f1:33:e2:ff Internet Protocol, Src Addr: 192.168.2.2 (192.168.2.2), Dst Addr: 192.168.2.94 (192.168.2.94) Transmission Control Protocol, Src Port: 1646 (1646), Dst Port: http (80), Seq: 1, Ack: 1, Len: 398 Hypertext Transfer Protocol GET / HTTP/1.0\r\n Request Method: GET Host: 192.168.2.94\r\n User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.5) Gecko/20041107 Firefox/1.0\r\n Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5\r\n Accept-Language: en-us,en;q=0.5\r\n Accept-Encoding: gzip,deflate\r\n Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7\r\n Keep-Alive: 300\r\n Connection: keep-alive\r\n \r\n ... // server sends un-authorized response indicating support for both basic and digest Frame 5 (1514 bytes on wire, 1514 bytes captured) Ethernet II, Src: 00:0c:f1:33:e2:ff, Dst: 00:d0:59:cd:24:38 Internet Protocol, Src Addr: 192.168.2.94 (192.168.2.94), Dst Addr: 192.168.2.2 (192.168.2.2) Transmission Control Protocol, Src Port: http (80), Dst Port: 1646 (1646), Seq: 1, Ack: 399, Len: 1460 Hypertext Transfer Protocol HTTP/1.1 401 Access Denied\r\n Response Code: 401 Server: Microsoft-IIS/5.1\r\n Date: Thu, 10 Feb 2005 21:33:02 GMT\r\n WWW-Authenticate: Basic realm="corp.intel.com"\r\n Content-Length: 4431\r\n WWW-Authenticate: Digest qop="auth", realm="corp.intel.com", nonce="964f5a7cd20d6b8f10246120000062720c8897eaebb6bbccd1a7a2999dd0"\r\n Content-Type: text/html\r\n \r\n ... //client send an authenticated response specifying HTTP Basic scheme Frame 16 (487 bytes on wire, 487 bytes captured) Ethernet II, Src: 00:d0:59:cd:24:38, Dst: 00:0c:f1:33:e2:ff Internet Protocol, Src Addr: 192.168.2.2 (192.168.2.2), Dst Addr: 192.168.2.94 (192.168.2.94) Transmission Control Protocol, Src Port: 1647 (1647), Dst Port: http (80), Seq: 1, Ack: 1, Len: 433 Hypertext Transfer Protocol GET / HTTP/1.0\r\n Request Method: GET Host: 192.168.2.94\r\n User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.5) Gecko/20041107 Firefox/1.0\r\n Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5\r\n Accept-Language: en-us,en;q=0.5\r\n Accept-Encoding: gzip,deflate\r\n Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7\r\n Keep-Alive: 300\r\n Connection: keep-alive\r\n Authorization: Basic ZG9yaTpkb3Jp\r\n Credentials: dori:dori \r\n Expected Results: Firefox should select to use HTTP Digest authentication scheme, when presented with both Digest and Basic authentication scheme, as required in RFC 2617
->Core:Networking
Assignee: firefox → darin
Component: General → Networking: HTTP
Product: Firefox → Core
Version: unspecified → 1.7 Branch
So the problem seems to be that nsHttpChannel::GetCredentials will go with the first challenge it sees...
Status: UNCONFIRMED → NEW
Ever confirmed: true
(In reply to comment #2) > So the problem seems to be that nsHttpChannel::GetCredentials will go with the > first challenge it sees... Yes. Mozilla follows the older RFC 2068 (HTTP 1.1 RFC) "An HTTP/1.1 server may return multiple challenges with a 401 (Authenticate) response, and each challenge may use a different scheme. The order of the challenges returned to the user agent is in the order that the server would prefer they be chosen. The server should order its challenges with the "most secure" authentication scheme first. A user agent should choose as the challenge to be made to the user the first one that the user agent understands." Does IIS always return Digest AFTER Basic authentication in the WWW-Authenticate headers or did that take some hacking of the Metabase? What browers are smart enough to handle this correctly? Valid RFE, probably not security sensitive.
(In reply to comment #3) > Yes. Mozilla follows the older RFC 2068 (HTTP 1.1 RFC) IMHO it should follow the more secure option manadated in RFC 2617, which obsoletes RFC 2068 > Does IIS always return Digest AFTER Basic authentication in the WWW- Authenticate headers or did that take some hacking of the Metabase? This is the default behavior of IIS 5.0 I was told IIS 6.0 places digest first by I didn't verify. >What browers are smart enough to handle this correctly? Seen the same problem with IE 6.
Yeah, this doesn't seem to be security-sensitive.
Forgive me if I tightened the summary too much. Default buglists only show the visible portion of the textbox up there. I agree that we should the confidential flag.
Group: security
Summary: Incorrect authentication scheme is selected when connecting to a web-server that offers Digest and Basic authentication schemes → Wrong scheme used when server offers both Basic and Digest auth [rfc2617 obsoletes rfc2068]
Whiteboard: [sg:nse]
Attached patch version 0.1 (obsolete) — — Splinter Review
I made this patch in an attempt to learn a bit more about array and string usage in the Mozilla API, and I hope I can get some help to evolve the patch into something that resembles proper usage ... If you'd like to do that via. e-mail or IRC, I'd be happy to do so instead. Anyway, some things I'm not happy about: * The "static" priority array should probably live in some longer-lived object; maybe the HttpHandler? * The "static" priority array could be a string list pref, like 'networking.http.auth.schemePriorityList' with a comma-seperated, prioritized from 0->X, list. Or something ... The idea is that if someone (say, Netscape :-) makes 2-3 new HTTP authentication schemes and they want one of them to have a priority between basic and digest, they can easily just modify this pref. As it is now, all unknown schemes get a random priority higher than the known ones. * challengesList and schemeList is really just a map of scheme <-> fullChallengeString. I have no idea if there is a better way of doing this ... * The strings here are just insane. Why do I have to go through all that trouble (nsDependentCString(nsCString->get())) when I want to check nsCStringArray.IndexOf? According to common sense I should be able to just pass in a nsCString to IndexOf, since it is a CStringArray ... Of course, that 'common sense' is there to fill the void that is my knowledge of the Mozilla String API and C strings in general :-)
Attachment #195675 - Flags: review?(darin)
>Why do I have to go through all that >trouble (nsDependentCString(nsCString->get())) when I want to check >nsCStringArray.IndexOf? What was wrong with *your_cstring?
I don't see any comments from Darin here, but out of band I think he told me we still follow the old spec for server compatibility. Possibly enough servers we care about have evolved since that time that we can fix it. The following from 3APA3A was posted on Bugtraq today http://securityfocus.com/archive/1/410580/30/0/threaded
Flags: blocking1.9a1?
Flags: blocking1.8b5?
Whiteboard: [sg:nse] → [sg:investigate]
Alias: httpauthorder
Summary: Wrong scheme used when server offers both Basic and Digest auth [rfc2617 obsoletes rfc2068] → Wrong scheme used when server ic and Digest auth [rfc2617 obsoletes rfc2068]offers both Bas
Flags: blocking1.8b5? → blocking1.8b5-
Summary: Wrong scheme used when server ic and Digest auth [rfc2617 obsoletes rfc2068]offers both Bas → Wrong scheme used when server offers both Basic and Digest auth [rfc2617 obsoletes rfc2068]
Flags: blocking1.7.12?
Flags: blocking-aviary1.0.7?
Flags: blocking1.7.13?
Flags: blocking1.7.12?
Flags: blocking-aviary1.0.8?
Flags: blocking-aviary1.0.7?
A Normal severity still after that Bugtraq posting or is there anything new information?
Flags: blocking1.8b5- → blocking1.8b5?
OS: Windows XP → All
Hardware: PC → All
Version: 1.7 Branch → Trunk
Attached patch version 0.2 (obsolete) — — Splinter Review
* Moves the default priorities into a pref and reads it in nsHttpHandler.
Attachment #195675 - Attachment is obsolete: true
Attachment #197260 - Flags: review?(darin)
Attachment #195675 - Flags: review?(darin)
Darin - can you comment on risk level for this patch given upcomming b2 release?
I'm not sure what to think about this bug. It's possible that Digest authentication can be more secure than NTLM, or vice versa, depending on what mode of NTLM the server supports. In that case, what should we do? I really prefer giving servers the choice here since it gives "smart" server admins the flexibility to do what's best for users. However, I understand that it would be wise for Firefox to prefer Digest auth to Basic auth even if the server lists Basic auth first. At first glance, the patch looks pretty good. I'll probably have more comments once I look it over more closely. Given that IE also implements the older RFC, it makes it a bit more risky to consider changing our behavior at this point in time. What about Opera and Safari? What do they do?
(In reply to comment #13) > Given that IE also implements the older RFC, it makes it a bit more risky to > consider changing our behavior at this point in time. What about Opera and > Safari? What do they do? According to comment 4, IE has the same problem as Mozilla here. But, according to <http://securityfocus.com/archive/1/410580/30/0/threaded> (ref. comment 9), "Internet Explorer offers [the] strongest authentication."
Flags: blocking1.8b5? → blocking1.8b5-
> According to comment 4, IE has the same problem as Mozilla here. But, according > to <http://securityfocus.com/archive/1/410580/30/0/threaded> (ref. comment 9), > "Internet Explorer offers [the] strongest authentication." Can we get a definitive answer to this question then?
The I.E. I have access to here is version 6.0.2900.2180.xpsp_sp2_gdr.050301-1519 (IE6, WinXP SP2), and it chooses basic auth on <http://www.security.nnov.ru/files/atest/all.asp> (which is where, according to <http://securityfocus.com/archive/1/410580/30/0/threaded>, I.E. "offers strongest authentication".) So it would seem to me that <http://securityfocus.com/archive/1/410580/30/0/threaded> is wrong and comment 4 is right.
Vidar: Thanks for testing that. I'm not sure what to do now. Hmm...
(In reply to comment #13) > I'm not sure what to think about this bug. It's possible that Digest > authentication can be more secure than NTLM, or vice versa, depending on what > mode of NTLM the server supports. In that case, what should we do? I really > prefer giving servers the choice here since it gives "smart" server admins the > flexibility to do what's best for users. IIS and other servers will probably always offer NTLM before Digest because of the autosend abilities of IE and Mozilla in Windows. So whether we let mozilla decide or the server decide the result will probably be the same.
(In reply to comment #13) > Given that IE also implements the older RFC, it makes it a bit more risky to > consider changing our behavior at this point in time. What about Opera and > Safari? What do they do? Opera 8.5 build 7700 on Windows selects Basic, just like IE and Mozilla currently does without attachment 197260 [details] [diff] [review]. It might be worth noting that neither IE nor Opera present other authentication methods if you click Cancel in the Basic dialog. Mozilla presents one dialog for every auth scheme in sequence where applicable.
(In reply to comment #13) > Given that IE also implements the older RFC, it makes it a bit more risky to > consider changing our behavior at this point in time. What about Opera and > Safari? What do they do? I don't have access to Safari, but tried Konqueror, and it presented me with a user/password dialog that said "Site: NTLM at www.security.nnov.ru", so it would seem that it uses the (presumed) strongest method by default. gandalf tested it too, and it said "testdigest@security.nnov.ru at www.security.nnov.ru" there, so I presume NTLM is for some reason disabled in his build, but it picked digest over basic. Clicking Cancel did not provoke an auth dialog for a "lesser" scheme (like Mozilla does).
Flags: blocking1.7.13?
Flags: blocking1.7.13-
Flags: blocking-aviary1.0.8?
Flags: blocking-aviary1.0.8-
Since Firefox cannot know if NTLM is better than Digest or vice versa, I think Firefox should simply prefer anything over Basic authentication. When deciding between other authentication schemes, Firefox should just select them in the order specified by the server. (Negotiate does not necessarily mean Kerberos!)
(In reply to comment #21) > Since Firefox cannot know if NTLM is better than Digest or vice versa, I think > Firefox should simply prefer anything over Basic authentication. When deciding > between other authentication schemes, Firefox should just select them in the > order specified by the server. (Negotiate does not necessarily mean Kerberos!) I agree. This means, AFAICS, that attachment 197260 [details] [diff] [review] can be used as attached except changing the pref network.http.auth-scheme-priority-list to read only "basic" and only adding schemePriorityList.AppendCString(NS_LITERAL_CSTRING("basic")).
Attached patch v1 patch — — Splinter Review
This is an alternate patch that only implements re-ording "basic" auth challenges. It attempts to do the right thing if given multiple basic auth challenges. I haven't fully tested this patch, so any help testing it would be greatly appreciated. The patch includes some cleanup and simplification of some related code.
Attachment #197260 - Attachment is obsolete: true
Attachment #197260 - Flags: review?(darin)
Comment on attachment 204614 [details] [diff] [review] v1 patch My testing shows that the patch presents me with other schemes before "basic" in the order specified by the server. Would it be an idea to keep the pref as proposed in comment 22? It would make it easier to make policy changes at a later date, and also for embedders to make their own decision. I'm not saying I see an absolute need for it, but I don't see any drawbacks either.
Summary: Wrong scheme used when server offers both Basic and Digest auth [rfc2617 obsoletes rfc2068] → CVE-2005-2395 Wrong scheme used when server offers both Basic and Digest auth [rfc2617 obsoletes rfc2068]
(In reply to comment #21) > Since Firefox cannot know if NTLM is better than Digest or vice versa, I think > Firefox should simply prefer anything over Basic authentication. When deciding > between other authentication schemes, Firefox should just select them in the > order specified by the server. (Negotiate does not necessarily mean Kerberos!) > While "Negotiate" does not necessarily absolutely mean "Kerberos", in almost all practical cases in use today, it almost always means something stronger than "Basic". Microsoft uses Negotiate to choose between NTLM and Kerberos. I think it *is* safe to put Basic behind Negotiate when sorting by security. We ran into a problem just recently where an Apache server was sending "Negotiate" followed by "Basic" and the browser always prompts for Basic, ignoring the "Negotiate" extension which was the opposite of what was intended - which was to use Negotiate if possible, else fall back to Basic. For the rare case where someone might prefer Basic over other choices, use the preference option, but I think the default should be that Basic is always used as a last resort.
QA Contact: general → networking.http
Assignee: darin → nobody
Flags: blocking1.9a1? → blocking1.9-
Whiteboard: [sg:investigate] → [sg:investigate] [wanted-1.9]
Blocks: 61681
Flags: wanted1.9+
Whiteboard: [sg:investigate] [wanted-1.9] → [sg:investigate]
Does anyone know if either of the two proposed patches for this bug ever landed? I'm adding this to my list of likely network bugs to work on. No guarantee when I'll actually get to it.
Assignee: nobody → jduell
(In reply to comment #26) > Does anyone know if either of the two proposed patches for this bug ever > landed? > > I'm adding this to my list of likely network bugs to work on. No guarantee > when I'll actually get to it. No, no patches were added to the code. You can check at <http://mxr.mozilla.org/mozilla/source/netwerk/protocol/http/src/nsHttpChannel.cpp>
Flags: wanted1.9.0.x+
Flags: wanted1.8.1.x+
Whiteboard: [sg:investigate] → [sg:low][sg:want]
This bug is still present in FF 3.5.1. IE 7 and 8 follow the RFC.
Any news on this bug, it's a serious security related issue and opened for quite a long time!
For unrelated reasons I did some recent testing on how Firefox implements several aspects of RFC 2617, including the one reported by this bug (which I wasn't aware of when I did my testing). I found a number of issues, and while searching Bugzilla found this entry. In addition to this bug, I also found a few other problems. RFC 2616 section 14.47 specifies the WWW-Authenticate header as follows: WWW-Authenticate = "WWW-Authenticate" ":" 1#challenge According to section 2.1, this syntax specifies that WWW-Authenticate contains one or more comma-separated "challenge" elements, and "challenge" gets defined in RFC 2617. RFC 2617 section 1.2 defines the "challenge" element as follows: challenge = auth-scheme 1*SP 1#auth-param In other words, the "challenge" elements consists of "auth-scheme" (which gets defined as word) one or more spaces, then one or more parameters (defined, roughly, as name=value tuples, elsewhere). As I interpret this, RFC 2616 and RFC 2617 permit a single WWW-Authenticate header to specify multiple challenges, and the following header seems legal to me, according to RFC 2616 and RFC 2617: WWW-Authenticate: Basic realm="Test Realm", Digest realm="Test Realm", algorithm=MD5, domain="/", nonce="1350785623", qop="auth" The fact that this is a valid header is unambiguously confirmed by section 1.2 of RFC 2617: Note: User agents will need to take special care in parsing the WWW- Authenticate or Proxy-Authenticate header field value if it contains more than one challenge, or if more than one WWW-Authenticate header field is provided, since the contents of a challenge may itself contain a comma-separated list of authentication parameters. In my testing, I've set up a test server and pointed Firefox 16.0.1 to it. When Firefox received a response with the above header, it prompted for authentication, but responded with a Basic authentication scheme. If I reverse the order of the schemes, and have the custom server respond with the following header: WWW-Authenticate: Digest realm="Test Realm", algorithm=MD5, domain="/", nonce="1350785798", qop="auth", Basic realm="Test Realm" In this case, Firefox fails to prompt for authentication entirely. I also tested the Elinks 0.12 browser. In both of the above cases, elinks prompted for authentication and responded with the MD5 Digest authorization scheme. Additional testing: RFC 2617 specifies only MD5 as the hash mechanism for the Digest authorization scheme, however RFC2617 does not prohibit other schemes from being used. Section 3.2.1 of RFC 2617 states: algorithm A string indicating a pair of algorithms used to produce the digest and a checksum. If this is not present it is assumed to be "MD5". If the algorithm is not understood, the challenge should be ignored (and a different one used, if there is more than one). I am using gcrypt, and it was fairly trivial for me to implement Digest using SHA1, or any other hash method implemented in gcrypt, in place of MD5. So I tried the following headers: WWW-Authenticate: Basic realm="Test Realm", Digest realm="Test Realm", algorithm=MD5, domain="/", nonce="1350787263", qop="auth", Digest realm="Test Realm", algorithm=SHA1, domain="/", nonce="1350787263", qop="auth" ... and several other permutations. The results were fairly consistent: Firefox uses Basic authorization scheme if it's the first one that appears in the WWW-Authenticate header. If something else appears, even Digest/MD5, which Firefox otherwise implements, Firefox fails to authenticate. Elinks always used Digest/MD5, no matter what its position was, in the header, ignoring the SHA1 challenge. When I change the server to use a separate WWW-Authenticate header for each challenge, Firefox actually ignores the header with the SHA1 scheme, if it's the first one, and picks either Digest/MD5 or Basic, whichever one sees first, consistent with this bug report. WWW-Authenticate: Digest realm="Test Realm", algorithm=SHA1, domain="/", nonce="1350787799", qop="auth" WWW-Authenticate: Digest realm="Test Realm", algorithm=MD5, domain="/", nonce="1350787799", qop="auth" WWW-Authenticate: Basic realm="Test Realm" In this case, Firefox responds with a Digest authorization scheme, and ignores the SHA1 header. When the order is SHA1/Basic/MD5, Firefox uses Basic. In this respect, Firefox's behavior is the same as Elinks'.
Any idea if this is going to be fixed in Firefox?, or we just want to keep the original behaviour?
Sam's point about problems with multiple auths in the same header line is bug 669675.
Whiteboard: [sg:low][sg:want] → [sg:low][sg:want][necko-would-take]
I am still seeing Firefox choosing to use Basic auth, when it's offered first before the preferable NTLM and Negotiate options. Any prospect of this ever being fixed?
I have the same problem. In my case, Users must be authenticated to Squid, to have access to internet. IE and Chrome choose negotiate over basic, firefox not. (In Squid logs, i found that firefox tries Basic and negotiate at the same time). There is any solution to force firefox to choose negotiate over basic. This is my squid config : ### basic authentication auth_param basic program /usr/lib/squid/basic_ncsa_auth /etc/squid3/users auth_param basic children 5 auth_param basic realm Squid proxy-caching web server auth_param basic credentialsttl 2 hours ### negotiate kerberos and ntlm authentication auth_param negotiate program /usr/local/bin/negotiate_wrapper -d --ntlm /usr/bin/ntlm_auth --diagnostics --helper-protocol=squid-2.5-ntlmssp --domain=??????.COM --kerberos /usr/lib/squid$ auth_param negotiate children 10 auth_param negotiate keep_alive off ### pure ntlm authentication auth_param ntlm program /usr/bin/ntlm_auth --diagnostics --helper-protocol=squid-2.5-ntlmssp --domain=??????.COM auth_param ntlm children 10 auth_param ntlm keep_alive off ......
Bulk change to priority: https://bugzilla.mozilla.org/show_bug.cgi?id=1399258
Priority: -- → P5
Assignee: jduell.mcbugs → nobody

Patch submitted for review: https://phabricator.services.mozilla.com/D106241
Related bug: https://bugzilla.mozilla.org/show_bug.cgi?id=472823 SHA 256 Digest Authentication

It sounds like this should depend on bug 472823. Is this fixed now that that bug is?

Flags: needinfo?(jstutte)

Yes, this should be fixed now.

Status: NEW → RESOLVED
Closed: 4 years ago
Flags: needinfo?(jstutte)
Resolution: --- → DUPLICATE
status-firefox90: --- → fixed
status-firefox90: fixed → ---

The code in bug 669675 and bug 472823 landed in Firefox 93, so I think this is fixed now.

status-firefox93: --- → fixed
Whiteboard: [sg:low][sg:want][necko-would-take] → [sg:low][sg:want][necko-would-take][adv-main93-]
Depends on: 472823, 669675
Resolution: DUPLICATE → FIXED
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: