Full Disclosure mailing list archives
Re: HTTP AUTH BASIC monowall.
From: Simon Smith <simon () snosoft com>
Date: Wed, 15 Mar 2006 10:14:23 -0500
Guys, I think that we've lost focus of my original question. My question refined is, does anyone else agree with me that using HTTP BASIC AUTH for important applications is a security risk/vulnerability (regardless of SSL)? Or, is everyone here telling me that they "feel safe" if the connections are SSL'ed and are not worried that the HTTP BASIC AUTH is only creating a base64 hash of their usernames and passwords that can easily be reversed? My personal opinion, I feel like we're painting over the rust on an old car... I don't feel like we're fixing the risks. Keith wrote:
Does this console have to face the Internet? Why not put the management console in a protected environment with a VPN doing the authentication to the subnet that would allow you to manage it? You should be able to protect the web interface and still allow the managed devices to report to it. Of course if it is as weak as you say that may not help - you could probably attack the interface that receives reports from the client machines. Good luck with that, Keith Simon Smith wrote:List, SSL is not a fix for the problem, SSL is just a way of evading the issue or hiding the hole. I can bypass SSL with a man in the middle attack (which I've already done several times). Once I bypass SSL I am able to capture the http headers and extract the auth string. The auth string is vulnerable because it is only a base64 hash. I just reverse the hash, then presto, I have firewall access... or better still.... Lets take this a step further. There is a tool that I have been researching for some time. This tool doesn't even use SSL (which really scares me) and is used for centralized web based computer system management. This tool enables the administrators to perform tasks such as mass software installation, mass software removal, record emails, and even record keystrokes. This tool is a standard tool used by IT companies around the world to manage their clients networks. The console for this tool exists on the Internet and is PHP driven. Login to the console is also plain text and basic auth. If an attacker can successfully compromise the console (not difficult at all), then the attacker is in a prime position to extort companies being managed by this tool. This is possible because the exposure and damage caused to the company by going after the attacker would be far greater than just paying the attacker off. (Don't bother asking me what tool this is, I am not going to tell anyone because that would cross my ethical boundaries.) So, I guess I've really answered my own question, perhaps I should release some sort of an advisory on all of these products that are using basic auth. Basic auth is not really providing anyone with any security. Maybe they feel good because they need to type in a username and a password? Would they feel so good if they knew what was really happening? What is the solution to this problem? Is there a solution that does not require a different auth type? Jeremy Bishop wrote:On Monday 13 March 2006 11:56, Matthijs van Otterdijk wrote:except for that SSH uses RSA, which uses a public and private key. If the password is encrypted during the transfer to the site, and can only get decrypted there, then it can't possibly be sniffed with some computer inbetween, can it?As Tim mentioned, the question isn't about the information getting to a site securely, it's about whether that site is the correct one and not an impostor. (I think the original poster was referring to SSL, not SSH, but that is really immaterial to the question.) Jeremy_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
-- Regards, Adriel T. Desautels Harvard Security Group http://www.harvardsecuritygroup.com _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- Re: HTTP AUTH BASIC monowall., (continued)
- Re: HTTP AUTH BASIC monowall. Jeremy Bishop (Mar 13)
- Re: HTTP AUTH BASIC monowall. Simon Smith (Mar 13)
- RE: HTTP AUTH BASIC monowall. Lyal Collins (Mar 13)
- Re: HTTP AUTH BASIC monowall. Tim (Mar 13)
- RE: HTTP AUTH BASIC monowall. Lyal Collins (Mar 13)
- Re: HTTP AUTH BASIC monowall. Jeremy Bishop (Mar 13)
- RE: HTTP AUTH BASIC monowall. Lyal Collins (Mar 13)
- Re: HTTP AUTH BASIC monowall. Tim (Mar 13)
- Re: HTTP AUTH BASIC monowall. Pavel Kankovsky (Mar 13)
- Re: HTTP AUTH BASIC monowall. Keith (Mar 13)
- Re: HTTP AUTH BASIC monowall. Simon Smith (Mar 15)
- Re: HTTP AUTH BASIC monowall. Michael Holstein (Mar 15)
- Re: HTTP AUTH BASIC monowall. Valdis . Kletnieks (Mar 15)
- Re: HTTP AUTH BASIC monowall. Simon Smith (Mar 15)
- Re: HTTP AUTH BASIC monowall. Michael Holstein (Mar 15)
- Re: HTTP AUTH BASIC monowall. Simon Smith (Mar 15)
- Re: HTTP AUTH BASIC monowall. gboyce (Mar 15)
- Re: HTTP AUTH BASIC monowall. Simon Smith (Mar 15)
- Re: HTTP AUTH BASIC monowall. Valdis . Kletnieks (Mar 15)
- Re: HTTP AUTH BASIC monowall. Michael Holstein (Mar 15)
- Re: HTTP AUTH BASIC monowall. Andrew Simmons (Mar 17)