thamagates / mongoose

Automatically exported from code.google.com/p/mongoose
MIT License

HTTP Digest Authentication: spaces in Realm quoted-string causes crash #209

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
What steps will reproduce the problem?
1. Set Realm, e.g. "ARealmWith Space"
2. Set password to XYZ.
3. Connect to web server.
4. Authentication challenge shown.
5. Enter user, password.
6. Click OK. 
7. Server crashed.

OS:
Linux sking 2.6.18-194.26.1.el5PAE #1 SMP Tue Nov 9 13:34:42 EST 2010 i686 i686 i386 GNU/Linux

Mongoose Version: 2.8

parse_auth_header() seems to be the issue (non-compliant parsing). See input/output below.

Input:
Digest username="admin", realm="Zetron-Voice Logger Gateway", nonce="nkUAUdbBYmPfAAAA", uri="/WebInterface.html", response="<OMITTED>", qop=auth, nc=00000005, cnonce="dba9a4cc6644c70c"

Output:
name=username, value="admin"
name=realm, value="Zetron-Voice
name=Logger Gateway", nonce, value="nkUAUdbBYmPfAAAA"
name=uri, value="/WebInterface.html"
name=response, value="<OMITTED>"
name=qop, value=auth
name=nc, value=00000005
name=cnonce, value="dba9a4cc6644c70c"
name=, value=

Therefore, mongoose finds no nonce header field. And later, in mg_authorize_get_header, the following is performed:
    strcpy(user->user, ah.user);
    strcpy(user->nonce, ah.nonce);  << Dereference NULL here!

This seems to also occur with 2.11 parse_auth_header() code. 

Original issue reported on code.google.com by steven.k...@gmail.com on 2 Dec 2010 at 1:52
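A parser written to avoid the bug described in this report, as an added example that is not mongoose's own code: a quoted-string value runs to its closing unescaped quote, so spaces and commas inside the realm do not start a new parameter, and the caller learns whether the fields it is about to copy (nonce included) are actually present. The struct, field sizes and function names are constructed for this example.

```c
#include <stddef.h>
#include <string.h>
#include <strings.h>

/* Parsed Digest parameters (RFC 2617 names). Constructed example struct,
 * not mongoose's; fields that were absent from the header stay "". */
struct digest_auth {
    char user[64], realm[128], nonce[64], uri[256], response[64];
    char qop[16], nc[16], cnonce[64];
};

/* Map a parameter name (len bytes, case-insensitive) to its buffer and capacity. */
static char *field_for(struct digest_auth *ah, const char *n, size_t len, size_t *cap) {
#define F(lit, mem) if (len == strlen(lit) && !strncasecmp(n, lit, len)) { *cap = sizeof(ah->mem); return ah->mem; }
    F("username", user) F("realm", realm) F("nonce", nonce) F("uri", uri)
    F("response", response) F("qop", qop) F("nc", nc) F("cnonce", cnonce)
#undef F
    return NULL;
}

/* Parse 'Digest k=token, k="quoted, with spaces"' into *ah. Unknown names are
 * skipped, quoted-pairs (\" and \\) are unescaped, values are truncated to fit.
 * Returns 1 only when username, realm, nonce, uri and response are all present,
 * so a caller never copies from a missing (NULL/empty) field as in the crash above. */
int parse_digest_auth(const char *hdr, struct digest_auth *ah) {
    memset(ah, 0, sizeof(*ah));
    if (strncasecmp(hdr, "Digest ", 7) != 0) return 0;
    for (const char *p = hdr + 7; *p; ) {
        while (*p == ' ' || *p == ',') p++;              /* skip separators */
        const char *name = p;
        while (*p && *p != '=' && *p != ',') p++;
        size_t cap = 0, vlen = 0;
        char *dst = field_for(ah, name, (size_t)(p - name), &cap);
        if (*p != '=') { if (!*p) break; continue; }     /* name without value: skip */
        p++;
        if (*p == '"') {                                 /* quoted-string */
            for (p++; *p && *p != '"'; p++) {
                if (*p == '\\' && p[1]) p++;             /* quoted-pair: keep escaped char */
                if (dst && vlen < cap - 1) dst[vlen++] = *p;
            }
            if (*p == '"') p++;                          /* consume closing quote */
        } else {                                         /* bare token, ends at ',' */
            for (; *p && *p != ','; p++)
                if (dst && vlen < cap - 1) dst[vlen++] = *p;
        }
    }
    return ah->user[0] && ah->realm[0] && ah->nonce[0] && ah->uri[0] && ah->response[0];
}
```

Run against the Authorization header quoted in the report, the realm comes back whole and the nonce is found; a header with no nonce makes the function return 0 instead of leaving the caller to dereference a missing value.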

GoogleCodeExporter commented 9 years ago
I pushed http://code.google.com/p/mongoose/source/detail?r=1235f90153 which at least avoids the crash.

I don't have enough Perl skills to add a test for this. Once there's a test, I'm willing to work on a fix.

Original comment by arnout.v...@gmail.com on 2 Dec 2010 at 4:57

GoogleCodeExporter commented 9 years ago
Thanks Arnout.
Test could be done this way:
# Create an entry in a passwords file 
mongoose -A test/passfile "mydomain.com" "user with space, and comma" "pass"

# Generate valid authorization header for that entry. Yes, this is a replay attack scenario
mongoose -g test/passfile
# Run browser on port 8080, enter "user with space, and comma", "pass" credentials
# Then either see request in Firebug or other debugger, or stop mongoose, run netcat and see request on a terminal
nc -l 8080

Copy/paste valid auth header in test/test.pl for PUT request.

Original comment by valenok on 3 Dec 2010 at 8:17

GoogleCodeExporter commented 9 years ago
That just happens to work because currently the nonce isn't checked by mongoose...

Anyway, I've added this test and fixed it in http://code.google.com/p/mongoose/source/detail?r=6287415518

There's a serious rewrite of the skip() function; you may want to do some review.

Original comment by arnout.v...@gmail.com on 3 Dec 2010 at 11:50