Bug 117181

Summary: VUL-0: mozilla/firefox: authentication bypass/negotiation of wrong protocol
Product: [openSUSE] SUSE Linux 10.1 Reporter: Thomas Biege <thomas>
Component: FirefoxAssignee: E-mail List <bnc-team-mozilla>
Status: RESOLVED WONTFIX QA Contact: E-mail List <qa-bugs>
Severity: Normal    
Priority: P5 - None CC: kernel01, patch-request, security-team
Version: unspecified   
Target Milestone: ---   
Hardware: Other   
OS: All   
Whiteboard: CVE-2005-2395: CVSS v2 Base Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
Found By: Other Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---

Description Thomas Biege 2005-09-15 09:07:33 UTC 
Hello Wolfgang,
here is another one...

Delivery-Date: Wed, 14 Sep 2005 17:12:14 +0200
Date: Wed, 14 Sep 2005 15:41:45 +0400
From: 3APA3A <3APA3A@SECURITY.NNOV.RU>
Reply-To: 3APA3A <3APA3A@SECURITY.NNOV.RU>
To: bugTraq <bugtraq@securityfocus.com>, full-disclosure@lists.grok.org.uk,
        security@mozilla.org
Subject: Mozilla / Mozilla Firefox authentication weakness
Envelope-To: tom@electric-sheep.org

Dear bugTraq,

  I  have  reported  this issue some time ago:
  http://www.security.nnov.ru/Fnews19.html
  but  it looks like it was ignored, and not fixed in latest mozilla and
  firefox releases, so I decided to send "formal" advisory


Issue:              Mozilla browsers authentication weakness
Author:             3APA3A <3APA3A@security.nnov.ru>
Advisory URL:       http://www.security.nnov.ru/Fnews19.html
Vendor:             Mozilla (http://www.mozilla.org)
Products:           Mozilla 1.7.11 (Windows version tested)
                    FireFox 1.0.6 (Windows version tested)
Type:               Man-in-the-Middle, information leak
Exploit:            Not required

I. Intro

 RFC  2617  defines  Authentication mechanism for HTTP protocol. Any web
 browser implement this standard for web site access authentication.

II. Vulnerability

 Firefox  and  Mozilla  browser  have  vulnerability  in  authentication
 mechanism  implementation.  Potential  impact  of this vulnerability is
 weak  authentication protocol (for example cleartext) may be chosen for
 Web site authentication instead of stronger one.

III. Details

From RFC 2617:

   The user agent MUST
   choose to use one of the challenges with the strongest auth-scheme it
   understands and request credentials from the user based upon that
   challenge.

 Instead,   Mozilla   uses   authentication  schemas  in  the  order  of
 WWW-Authenticate  headers  sent by Web server. It may lead to situation
 weak  authentication (for example cleartext "Basic" authentication) may
 be  chosen  by  Mozilla  while both server and Mozilla support stronger
 authentication mechanism.

IV. Demonstration

This  links  demonstrate  initial handshake for different authentication
protocols:

http://www.security.nnov.ru/files/atest/basic.asp - Basic authentication
http://www.security.nnov.ru/files/atest/digest.asp - Digest authentication
http://www.security.nnov.ru/files/atest/ntlm.asp - NTLM authentication
http://www.security.nnov.ru/files/atest/negotiate.asp - Negotiate authentication

With  this  link  you can check which protocol was chosen by browser, if
server support few authentication protocols:
http://www.security.nnov.ru/files/atest/all.asp
For Mozilla/Firefox "Basic" authentication with cleartext login/password
transmitted  over  the  wire  will  be  chosen  by  default. By pressing
"Cancel"  you  can  choose  different  authentication. Internet Explorer
offers strongest authentication.

--
http://www.security.nnov.ru
         /\_/\
        { , . }     |\
+--oQQo->{ ^ }<-----+ \
|  ZARAZA  U  3APA3A   } You know my name - look up my number (The Beatles)
+-------------o66o--+ /
                    |/
Comment 1 Thomas Biege 2005-09-15 09:08:29 UTC 
CAN-2005-2395
Comment 2 Wolfgang Rosenauer 2005-09-15 09:16:44 UTC 
https://bugzilla.mozilla.org/show_bug.cgi?id=281851

What is security-team's severity for this? According the the above bug it's not
very critical.
Comment 3 Thomas Biege 2005-09-15 09:26:01 UTC 
For now it's ok to just fix it along with other updates.
Comment 4 Marcus Meissner 2006-03-29 13:23:44 UTC 
ping? any update?
Comment 5 Wolfgang Rosenauer 2006-03-29 14:02:05 UTC 
A patch is being worked on but for Mozilla this is no priority. Currently a first patch is available for discussion.
Comment 6 Bodo Bauer 2006-04-24 13:19:21 UTC 
ping? any update?
Comment 7 Wolfgang Rosenauer 2006-04-24 15:03:06 UTC 
no, sorry. No upstream solution yet.
Comment 8 Marcus Meissner 2006-11-08 15:11:40 UTC 
still not fixed. but public.
Comment 9 Bodo Bauer 2007-01-25 15:39:37 UTC 
I'm leaving Novell. If TPM assistance is needed, please ask Joachim Plack (AMD related issues) or Oliver Ries (general x86_64/i386) for assitance.
Comment 10 Marcus Meissner 2007-02-16 11:41:47 UTC 
i am suspending this bug for now. the fix must come from upstream and it probably will at some point in time.
Comment 11 Stephan Kulow 2008-06-25 09:33:23 UTC 
mass reopening all SuSE Linux bugs that are set to REMIND+LATER to change the resolution to WONTFIX (adapting to new policy)
Comment 12 Stephan Kulow 2008-06-25 09:35:02 UTC 
mass reopening all SuSE Linux bugs that are set to REMIND+LATER to change the resolution to WONTFIX (adapting to new policy)
Comment 13 Stephan Kulow 2008-06-25 09:41:10 UTC 
mass reopening all SuSE Linux bugs that are set to REMIND+LATER to change the resolution to WONTFIX (adapting to new policy)
Comment 14 Stephan Kulow 2008-06-25 09:52:47 UTC 
Closing old LATER+REMIND bugs as WONTFIX - if you still plan to work on it, feel free to reopen and set to ASSIGNED.

In case the report saw repeated reopen comments, it's due to bugzilla timing out on the huge request ;(
Comment 15 Marcus Meissner 2008-06-26 07:06:20 UTC 
again, bugfix needs to come from upstream, we cannot really do anything
Comment 16 Thomas Biege 2009-10-13 21:27:35 UTC 
CVE-2005-2395: CVSS v2 Base Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)