Message-ID: <4C71F59E.50607@secniche.org>
Date: Mon, 23 Aug 2010 00:14:22 -0400
From: Aditya K Sood <0kn0ck@...niche.org>
To: bugtraq@...urityfocus.com, websecurity@...appsec.org
Subject: Google Chrome: HTTP AUTH Dialog Spoofing through Realm Manipulation (Restated)
Hi,

Google Chrome (5.0.375.127 and previous versions) suffers from an HTTP
Auth dialog spoofing vulnerability due to possible realm manipulation
in the HTTP header. Previously, Google Chrome had a similar bug, which
can be seen at the following link:
http://code.google.com/p/chromium/issues/detail?id=36772
That bug was patched. The issue described there was dialog spoofing
due to long sub-domain names, and the patch worked only for the
specific case outlined in that bug. A number of tests have been
conducted on Google Chrome which show that it fails to scrutinize the
realm value set in the header: the value can be tampered with using
double quotes and single quotes arranged in a definite manner.
As mentioned in RFC 2617:

"The realm directive (case-insensitive) is required for all
authentication schemes that issue a challenge. The realm value
(case-sensitive), in combination with the canonical root URL (the
absolute URI for the server whose abs_path is empty; see
<http://greenbytes.de/tech/webdav/rfc2617.html#RFC2616>) of the server
being accessed, defines the protection space. These realms allow the
protected resources on a server to be partitioned into a set of
protection spaces, each with its own authentication scheme and/or
authorization database. The realm value is a string, generally assigned
by the origin server, which may have additional semantics specific to
the authentication scheme. Note that there may be multiple challenges
with the same auth-scheme but different realms."
So, the realm value plays a critical role in determining the framework
of HTTP access authentication for a particular resource. It has been
analyzed that it is possible to spoof the HTTP Auth dialog by playing
around with realm values. This attack scenario can be used to launch
phishing attacks and steal sensitive information from legitimate
websites.
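As an added example (not code from this advisory or from Chromium), the following Python sketch shows how a client can parse the realm strictly as an RFC 2617 quoted-string, flag values that could be abused to confuse a dialog, and build dialog text whose origin comes from the request URL rather than from anything in the header. The header values in SAMPLES are constructed; the origin string and the 64-character display limit are assumptions.

```python
import re

# Added example: parse a WWW-Authenticate realm per RFC 2617 and render it inertly.
_SCHEME_RE = re.compile(r'^\s*(Basic|Digest)\b', re.IGNORECASE)
# realm-value MUST be a quoted-string: DQUOTE *(qdtext | quoted-pair) DQUOTE
_REALM_RE = re.compile(r'\brealm\s*=\s*"((?:[^"\\]|\\.)*)"', re.IGNORECASE)
_HOSTLIKE_RE = re.compile(r'https?://|www\.|\b[\w-]+\.(?:com|net|org)\b', re.IGNORECASE)
_CTRL_RE = re.compile(r'[\x00-\x1f\x7f]')

def parse_realm(header):
    """Return (scheme, realm, warnings); realm is None if not a valid quoted-string."""
    warnings = []
    m = _SCHEME_RE.match(header)
    scheme = m.group(1).title() if m else None
    if scheme is None:
        warnings.append("unknown-scheme")
    m = _REALM_RE.search(header)
    if not m:  # single-quoted or bare-token realms are not quoted-strings
        warnings.append("realm-not-quoted-string")
        return scheme, None, warnings
    realm = re.sub(r'\\(.)', r'\1', m.group(1))  # undo quoted-pair escapes
    if _CTRL_RE.search(realm):
        warnings.append("control-chars")
    if '"' in realm or "'" in realm:
        warnings.append("embedded-quotes")
    if _HOSTLIKE_RE.search(realm):
        warnings.append("hostname-like-text")
    return scheme, realm, warnings

def dialog_text(origin, header, limit=64):
    """Dialog wording a client could use. The origin is taken from the request
    URL, never from the header; the realm is shown as bounded, inert text."""
    scheme, realm, warnings = parse_realm(header)
    shown = " ".join(_CTRL_RE.sub(" ", realm or "").split())  # no CR/LF, no runs
    shown = shown.replace("\\", "\\\\").replace('"', '\\"')     # quotes stay inside
    if len(shown) > limit:
        shown = shown[:limit - 3] + "..."
    text = "%s requires a username and password (%s)." % (origin, scheme or "unknown scheme")
    if shown:
        text += ' Server message: "%s"' % shown
    return text, warnings

# Constructed sample header values, not captured from any real server.
SAMPLES = {
    "ok": 'Basic realm="Secure Area"',
    "escaped": 'Basic realm="Area \\"A\\""',
    "single": "Basic realm='Secure Area'",
    "hostlike": 'Basic realm="Log in to www.example.com"',
    "ctrl": 'Basic realm="line1\r\nline2"',
}
```

Calling `dialog_text("http://127.0.0.1:8080", SAMPLES["ctrl"])` yields a single-line message with the origin first and the CR/LF collapsed, alongside the `control-chars` warning.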
As released before, Google Chrome fails to sanitize obfuscated URLs and
redirects them to a different domain. This potential flaw can be
combined with the HTTP Auth dialog spoofing to launch attacks against
legitimate websites.
An appropriate POC video has been released at the links below:
http://www.youtube.com/watch?v=r1KuE2th_EY
http://secniche.org/videos/goog_http_auth_realm_mani.html
(Note: a comparative test against Firefox is included in the video
itself.)
Kind Regards
Aditya K Sood
http://www.secniche.org