Mozilla / Mozilla Firefox authentication weakness

2005-09-14T00:00:00
ID SECURITYVULNS:DOC:9717
Type securityvulns
Reporter Securityvulns
Modified 2005-09-14T00:00:00

Description

Dear bugTraq,

I have reported this issue some time ago: http://www.security.nnov.ru/Fnews19.html but it looks like it was ignored, and not fixed in latest mozilla and firefox releases, so I decided to send "formal" advisory

Issue: Mozilla browsers authentication weakness Author: 3APA3A <3APA3A@security.nnov.ru> Advisory URL: http://www.security.nnov.ru/Fnews19.html Vendor: Mozilla (http://www.mozilla.org) Products: Mozilla 1.7.11 (Windows version tested) FireFox 1.0.6 (Windows version tested) Type: Man-in-the-Middle, information leak Exploit: Not required

I. Intro

RFC 2617 defines Authentication mechanism for HTTP protocol. Any web browser implement this standard for web site access authentication.

II. Vulnerability

Firefox and Mozilla browser have vulnerability in authentication mechanism implementation. Potential impact of this vulnerability is weak authentication protocol (for example cleartext) may be chosen for Web site authentication instead of stronger one.

III. Details

From RFC 2617:

The user agent MUST choose to use one of the challenges with the strongest auth-scheme it understands and request credentials from the user based upon that challenge.

Instead, Mozilla uses authentication schemas in the order of WWW-Authenticate headers sent by Web server. It may lead to situation weak authentication (for example cleartext "Basic" authentication) may be chosen by Mozilla while both server and Mozilla support stronger authentication mechanism.

IV. Demonstration

This links demonstrate initial handshake for different authentication protocols:

http://www.security.nnov.ru/files/atest/basic.asp - Basic authentication http://www.security.nnov.ru/files/atest/digest.asp - Digest authentication http://www.security.nnov.ru/files/atest/ntlm.asp - NTLM authentication http://www.security.nnov.ru/files/atest/negotiate.asp - Negotiate authentication

With this link you can check which protocol was chosen by browser, if server support few authentication protocols: http://www.security.nnov.ru/files/atest/all.asp For Mozilla/Firefox "Basic" authentication with cleartext login/password transmitted over the wire will be chosen by default. By pressing "Cancel" you can choose different authentication.

-- http://www.security.nnov.ru /\_/\ { , . } |\ +--oQQo->{ ^ }<-----+ \ | ZARAZA U 3APA3A } You know my name - look up my number (The Beatles) +-------------o66o--+ / |/