On Jul 18, 2005, at 12:30 PM, William A. Rowe, Jr. wrote:
NTLM HTTP Authentication
(and possibly other connection-oriented
HTTP authentication and authorization protocols)
is insecure by design
Yep, no shit -- that's what the Microsoft fools were told when
they introduced it.
*) The web server (IIS/6.0) must receive a Via-less request. The
Microsoft implementation assumes that the Via header is always sent
by a proxy server, and this is indeed mandated by the HTTP/1.1 RFC
2616 (http://www.ietf.org/rfc/rfc2616.txt), section 14.45:
The Via general-header field MUST be used by gateways and proxies
to indicate the intermediate protocols and recipients between the
user agent and the server on requests [...]
Yep.
However, it seems that not all servers adhere to this standard. For
example, Apache 2.0.54 mod_proxy does not generate a Via header by
default (see the ProxyVia directive -
http://httpd.apache.org/docs-2.0/mod/mod_proxy.html#proxyvia), yet
the default httpd.conf file contains a commented-out "ProxyVia On"
directive, so it's possible that many Apache proxy deployments do
WTF? That's a bug.
*) Proxy vendors: do not share TCP connections to the server
among several clients. Yes, it improves performance, but it's also
insecure and enables/aids 3 different attacks (the one described
here, HTTP Request Smuggling and HTTP Response Splitting).
Also, comply with the RFC and send the HTTP Via request header by
default (Apache Group - please take note).
As reverse proxy is never enabled without intent, the impact of
Apache on this vector is very low (note that Amit deliberately
introduced this into his reproduction case) - but anyone who has
intentionally used Apache as a reverse proxy to protect sensitive
IIS servers behind their DMZ using NTLM auth is vulnerable (as are
users of various NTLM Apache auth modules sitting behind Apache
reverse proxies.)
We don't really need to get in between their gun and their foot.
My thinking is that rather than 'revealing' the reverse proxy
origin server, we should be dumping the auth headers if they are
NTLM.
I don't think that will work from the browser's perspective.
I would just mark the connection as being in use by a single
client and remove it when the client closes.
....Roy
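The exchange the thread is arguing about, as an added toy model (not code from the thread, and not Apache or IIS code): an origin that binds authentication to the TCP connection the way NTLM does, and a proxy that either pools upstream connections across clients or, as Roy suggests, pins each upstream connection to one client and drops it when that client closes. The client names, paths, the "NTLM alice" credential and the toy origin's rule that a Via-bearing request is authenticated per request only are all assumptions made for illustration; the page does not describe what IIS actually does when it sees Via.

```python
# Added example, not from the thread and not Apache or IIS code. A toy
# origin with connection-oriented auth plus a toy proxy, showing why a
# shared upstream connection leaks one client's identity to another,
# and how pinning upstream connections to a single client stops it.
import itertools
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

Response = Tuple[int, str]


@dataclass
class UpstreamConn:
    cid: int
    authenticated_as: Optional[str] = None  # identity bound to the connection, NTLM-style
    closed: bool = False


class Origin:
    """Toy server: trusts a connection once a credential was seen on it."""

    def __init__(self) -> None:
        self._ids = itertools.count(1)

    def connect(self) -> UpstreamConn:
        return UpstreamConn(next(self._ids))

    def handle(self, conn: UpstreamConn, path: str, headers: Dict[str, str]) -> Response:
        if conn.closed:
            raise ConnectionError("request on a closed upstream connection")
        identity = headers.get("Authorization")
        if identity is not None and "Via" not in headers:
            # Assumption for the toy: with no Via header the server believes it
            # talks to one user agent and remembers the identity for every later
            # request on this connection. With Via, it authenticates per request.
            conn.authenticated_as = identity
        who = identity or conn.authenticated_as
        if who is None:
            return 401, "auth required"
        return 200, f"{path} for {who}"


class Proxy:
    """Toy proxy. pool_across_clients=True hands any idle upstream connection
    to any client (the behaviour the advisory objects to); False keeps one
    upstream connection per client and discards it when that client leaves."""

    def __init__(self, origin: Origin, pool_across_clients: bool, send_via: bool = False) -> None:
        self.origin = origin
        self.pool_across_clients = pool_across_clients
        self.send_via = send_via
        self.idle: List[UpstreamConn] = []          # shared pool of free upstream connections
        self.pinned: Dict[str, UpstreamConn] = {}   # client -> its own upstream connection

    def _upstream(self, client: str) -> UpstreamConn:
        if self.pool_across_clients:
            return self.idle.pop() if self.idle else self.origin.connect()
        if client not in self.pinned:
            self.pinned[client] = self.origin.connect()
        return self.pinned[client]

    def request(self, client: str, path: str, headers: Optional[Dict[str, str]] = None) -> Response:
        hdrs = dict(headers or {})
        if self.send_via:
            hdrs["Via"] = "1.1 toy-proxy"  # what RFC 2616 s14.45 requires of a proxy
        conn = self._upstream(client)
        response = self.origin.handle(conn, path, hdrs)
        if self.pool_across_clients:
            self.idle.append(conn)  # back into the pool, authenticated state and all
        return response

    def client_closed(self, client: str) -> None:
        conn = self.pinned.pop(client, None)
        if conn is not None:
            conn.closed = True  # dropped together with the client, never reused


def scenario(pool_across_clients: bool, send_via: bool = False) -> Dict[str, Response]:
    """Constructed exchange: a victim authenticates through the proxy, then an
    attacker behind the same proxy asks for the same resource with no
    credentials, both before and after the victim disconnects."""
    proxy = Proxy(Origin(), pool_across_clients, send_via)
    out: Dict[str, Response] = {}
    out["victim"] = proxy.request("victim", "/payroll", {"Authorization": "NTLM alice"})
    out["attacker"] = proxy.request("attacker", "/payroll")
    proxy.client_closed("victim")
    out["attacker_after_close"] = proxy.request("attacker", "/payroll")
    return out


if __name__ == "__main__":
    for pooled, via in ((True, False), (True, True), (False, False)):
        print(f"pool_across_clients={pooled} send_via={via}: {scenario(pooled, via)}")
```

With a shared pool and no Via, the attacker's credential-less request is answered as "NTLM alice", and still is after the victim has gone away, because the authenticated upstream connection lingers in the pool. Sending Via makes the toy origin stop binding identity to the connection, and pinning upstream connections to one client keeps the attacker on a fresh, unauthenticated connection of its own.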