lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Mon Mar 13 20:37:10 2006
From: simon at snosoft.com (Simon Smith)
Subject: HTTP AUTH BASIC monowall.

List,
    SSL is not a fix for the problem, SSL is just a way of evading the
issue or hiding the hole. I can bypass SSL with a man in the middle
attack (which I've already done several times). Once I bypass SSL I am
able to capture the http headers and extract the auth string. The auth
string is vulnerable because it is only a base64 hash. I just reverse
the hash, then presto, I have firewall access... or better still....

    Lets take this a step further. There is a tool that I have been
researching for some time. This tool doesn't even use SSL (which really
scares me) and is used for centralized web based computer system
management. This tool enables the administrators to perform tasks such
as mass software installation, mass software removal, record emails, and
even record keystrokes. This tool is a standard tool used by IT
companies around the world to manage their clients networks.

    The console for this tool exists on the Internet and is PHP driven.
Login to the console is also plain text and basic auth. If an attacker
can successfully compromise the console (not difficult at all), then the
attacker is in a prime position to extort companies being managed by
this tool. This is possible because the exposure and damage caused to
the company by going after the attacker would be far greater than just
paying the attacker off. (Don't bother asking me what tool this is, I am
not going to tell anyone because that would cross my ethical boundaries.)

    So, I guess I've really answered my own question, perhaps I should
release some sort of an advisory on all of these products that are using
basic auth. Basic auth is not really providing anyone with any security.
Maybe they feel good because they need to type in a username and a
password? Would they feel so good if they knew what was really happening?

    What is the solution to this problem? Is there a solution that does
not require a different auth type?

   

   

   

Jeremy Bishop wrote:
> On Monday 13 March 2006 11:56, Matthijs van Otterdijk wrote:
>   
>> except for that SSH uses RSA, which uses a public and private key. If
>> the password is encrypted during the transfer to the site, and can
>> only get decrypted there, then it can't possibly be sniffed with some
>> computer inbetween, can it?
>>     
>
> As Tim mentioned, the question isn't about the information getting to a 
> site securely, it's about whether that site is the correct one and not 
> an impostor.
>
> (I think the original poster was referring to SSL, not SSH, but that is 
> really immaterial to the question.)
>
> Jeremy
>
>   


-- 


Regards, 
	Adriel T. Desautels
	Harvard Security Group
	http://www.harvardsecuritygroup.com


Powered by blists - more mailing lists