Mozilla cleartext credentials leak bug report to excuse myself (Re[2]: NTLM HTTP Authentication is insecure by design - a new writeup by Amit Klein)

2005-07-20T00:00:00
ID SECURITYVULNS:DOC:9233
Type securityvulns
Reporter Securityvulns
Modified 2005-07-20T00:00:00

Description

Dear Amit Klein (AKsecurity),

--Tuesday, July 19, 2005, 10:22:59 PM, you wrote to 3APA3A@SECURITY.NNOV.RU:

AKA> For example, no-one expects NTLM auth to protect data in transit.

Actually, it may with NTLM Session Security.

AKA> Few years ago Internet Explorer was patched to use NTLM >> authentication only for local network zone. Local network are hosts >> with NetBIOS name (for example WEBSRV, excluded by default from proxy) >> and list of proxy exclusions. >>

AKA> Uh, I don't think so. From my experiments with IE 6.0, it happily engages in NTLM AKA> authentication on non local network sites. In fact, there are many sites on the Internet AKA> which require NTLM authentication. For example, OWA 2000/2003...

Yes, sorry, it was my fault. Probably this feature was only implemented for transparent logon feature of NTLM and I did my tests through a proxy with NTLM auth disabled.

To excuse myself somehow for the lists I will report security bug in Mozilla discovered during re-testing.

From RFC 2617:

The user agent MUST choose to use one of the challenges with the strongest auth-scheme it understands and request credentials from the user based upon that challenge.

Instead, Mozilla (tested with Firefox 1.0.4 and 1.0.5) uses authentication schema in the order offered by server. You can test different authentications:

http://www.security.nnov.ru/files/atest/basic.asp - Basic authentication http://www.security.nnov.ru/files/atest/digest.asp - Digest authentication http://www.security.nnov.ru/files/atest/ntlm.asp - NTLM authentication http://www.security.nnov.ru/files/atest/negotiate.asp - Negotiate authentication http://www.security.nnov.ru/files/atest/all.asp - Let browser decide

Then you visit http://www.security.nnov.ru/files/atest/all.asp with Firefox it becomes clear, that Firefox chooses Basic by default, digest if basic fails, etc.

It may lead to the leak of the cleartext credentials.

Because this is information leak vulneability and can not be specially exploited I feel free to report this vulnerability directly to list.

-- ~/ZARAZA http://www.security.nnov.ru