lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <4C71F59E.50607@secniche.org>
Date: Mon, 23 Aug 2010 00:14:22 -0400
From: Aditya K Sood <0kn0ck@...niche.org>
To: bugtraq@...urityfocus.com, websecurity@...appsec.org
Subject: Google Chrome: HTTP AUTH Dialog Spoofing through Realm Manipulation
 (Restated)

Hi

Google Chrome ( 5.0.375.127 and previous versions) suffers from HTTP
Auth Dialog spoofing vulnerability due to possible
realm manipulation in the HTTP header. Previously, Google chrome has got
a similar bug which can be seen on the following link

http://code.google.com/p/chromium/issues/detail?id=36772

This bug was actually patched. The issue mentioned in this bug was
dialog spoofing due to long sub domain names. The patch worked
only for that specific case which was outlined in that bug. There are
number of tests have been conducted on Google Chrome
which verifies the inefficiency of Google Chrome to scrutinize the type
of realm value set in the header. It can be tampered with
double quotes and single quotes used in a definite manner.

As mentioned in RFC 2617

/"The realm directive (case-insensitive) is required for all
authentication schemes that issue a challenge.
The realm value (case-sensitive), in combination with the canonical root
URL (the absolute URI for the
server whose abs_path is empty;
<http://greenbytes.de/tech/webdav/rfc2617.html#RFC2616>of the server
being accessed, defines the protection space. These realms allow
the protected resources on a server to be partitioned into a set of
protection spaces, each with its own authentication
scheme and/or authorization database.//The realm value is a string,
generally assigned by the origin server, which
may have additional semantics specific to the authentication scheme.
Note that there may be multiple challenges
with the same auth-scheme but different realm/s./"

/So, realm value plays critical role in determining the framework of
HTTP Access authentication for a particular resource. It
has been analyzed that it is possible to spoof the HTTP Auth dialog by
playing around realm values. This attack scenario
can be used to launch phishing attacks and stealing sensitive
information from the legitimate websites.

As it has been released before, Google Chrome fails to sanitize the
obfuscated URL and redirect it to the different domain.
This potential flaw can be combined with the HTTP Auth dialog spoofing
to launch attacks against legitimate websites.

An appropriate POC video has been released on the below mentioned links

http://www.youtube.com/watch?v=r1KuE2th_EY
http://secniche.org/videos/goog_http_auth_realm_mani.html

(Note: A comparative test against Firefox has been placed in the video
itself)


Kind Regards
Aditya K Sood
http://www.secniche.org




Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ