| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon, 23 Aug 2010 00:14:22 -0400 From: Aditya K Sood <0kn0ck@...niche.org> To: bugtraq@...urityfocus.com, websecurity@...appsec.org Subject: Google Chrome: HTTP AUTH Dialog Spoofing through Realm Manipulation (Restated) Hi Google Chrome ( 5.0.375.127 and previous versions) suffers from HTTP Auth Dialog spoofing vulnerability due to possible realm manipulation in the HTTP header. Previously, Google chrome has got a similar bug which can be seen on the following link http://code.google.com/p/chromium/issues/detail?id=36772 This bug was actually patched. The issue mentioned in this bug was dialog spoofing due to long sub domain names. The patch worked only for that specific case which was outlined in that bug. There are number of tests have been conducted on Google Chrome which verifies the inefficiency of Google Chrome to scrutinize the type of realm value set in the header. It can be tampered with double quotes and single quotes used in a definite manner. As mentioned in RFC 2617 /"The realm directive (case-insensitive) is required for all authentication schemes that issue a challenge. The realm value (case-sensitive), in combination with the canonical root URL (the absolute URI for the server whose abs_path is empty; <http://greenbytes.de/tech/webdav/rfc2617.html#RFC2616>of the server being accessed, defines the protection space. These realms allow the protected resources on a server to be partitioned into a set of protection spaces, each with its own authentication scheme and/or authorization database.//The realm value is a string, generally assigned by the origin server, which may have additional semantics specific to the authentication scheme. Note that there may be multiple challenges with the same auth-scheme but different realm/s./" /So, realm value plays critical role in determining the framework of HTTP Access authentication for a particular resource. It has been analyzed that it is possible to spoof the HTTP Auth dialog by playing around realm values. This attack scenario can be used to launch phishing attacks and stealing sensitive information from the legitimate websites. As it has been released before, Google Chrome fails to sanitize the obfuscated URL and redirect it to the different domain. This potential flaw can be combined with the HTTP Auth dialog spoofing to launch attacks against legitimate websites. An appropriate POC video has been released on the below mentioned links http://www.youtube.com/watch?v=r1KuE2th_EY http://secniche.org/videos/goog_http_auth_realm_mani.html (Note: A comparative test against Firefox has been placed in the video itself) Kind Regards Aditya K Sood http://www.secniche.org
Powered by blists - more mailing lists