Mozilla / Mozilla Firefox authentication weakness

2005.09.17

Credit: 3APA3A (3APA3A SECURITY NNOV RU)

Risk: Low

Local: No

Remote: Yes

CVE: CVE-2005-2395

CWE: N/A

CVSS Base Score: 5/10

Impact Subscore: 2.9/10

Exploitability Subscore: 10/10

Exploit range: Remote

Attack complexity: Low

Authentication: No required

Confidentiality impact: Partial

Integrity impact: None

Availability impact: None

Dear bugTraq,
I have reported this issue some time ago:
http://www.security.nnov.ru/Fnews19.html
but it looks like it was ignored, and not fixed in latest mozilla and
firefox releases, so I decided to send "formal" advisory
Issue: Mozilla browsers authentication weakness
Author: 3APA3A <3APA3A (at) security.nnov (dot) ru [email concealed]>
Advisory URL: http://www.security.nnov.ru/Fnews19.html
Vendor: Mozilla (http://www.mozilla.org)
Products: Mozilla 1.7.11 (Windows version tested)
FireFox 1.0.6 (Windows version tested)
Type: Man-in-the-Middle, information leak
Exploit: Not required
I. Intro
RFC 2617 defines Authentication mechanism for HTTP protocol. Any web
browser implement this standard for web site access authentication.
II. Vulnerability
Firefox and Mozilla browser have vulnerability in authentication
mechanism implementation. Potential impact of this vulnerability is
weak authentication protocol (for example cleartext) may be chosen for
Web site authentication instead of stronger one.
III. Details
From RFC 2617:
The user agent MUST
choose to use one of the challenges with the strongest auth-scheme it
understands and request credentials from the user based upon that
challenge.
Instead, Mozilla uses authentication schemas in the order of
WWW-Authenticate headers sent by Web server. It may lead to situation
weak authentication (for example cleartext "Basic" authentication) may
be chosen by Mozilla while both server and Mozilla support stronger
authentication mechanism.
IV. Demonstration
This links demonstrate initial handshake for different authentication
protocols:
http://www.security.nnov.ru/files/atest/basic.asp - Basic authentication
http://www.security.nnov.ru/files/atest/digest.asp - Digest authentication
http://www.security.nnov.ru/files/atest/ntlm.asp - NTLM authentication
http://www.security.nnov.ru/files/atest/negotiate.asp - Negotiate authentication
With this link you can check which protocol was chosen by browser, if
server support few authentication protocols:
http://www.security.nnov.ru/files/atest/all.asp
For Mozilla/Firefox "Basic" authentication with cleartext login/password
transmitted over the wire will be chosen by default. By pressing
"Cancel" you can choose different authentication. Internet Explorer
offers strongest authentication.
--
http://www.security.nnov.ru
/_/ { , . } |+--oQQo->{ ^ }<-----+ | ZARAZA U 3APA3A } You know my name - look up my number (The Beatles)
+-------------o66o--+ /
|/

See this note in RAW Version

Vote for this issue:

50%

Thanks for you vote!

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

Nick (*)

Email (*)

Video

Text (*)

(*) - required fields.

{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1

{{ x.comment }}

Mozilla / Mozilla Firefox authentication weakness

Thanks for you vote!

Thanks for you comment!Your message is in quarantine 48 hours.

Thanks for you comment!
Your message is in quarantine 48 hours.