
List:       postgresql-general
Subject:    [HACKERS] Fwd: SSPI authentication ASC_REQ_REPLAY_DETECT flag
From:       Jacobo Vazquez <jvazquez () denodo ! com>
Date:       2015-03-31 16:40:40
Message-ID: CADdJUUKzrkab_rMRNhKctx3VR2_PRtsS8bak7nKg=VRzw=eEjw () mail ! gmail ! com

Hi all,

    I installed PostgreSQL 9.3 on a Windows Server 2012 and I have
configured it to use SSPI authentication. The client is on a Windows 7
machine and makes the connections via ODBC using a DSN with psqlodbc driver
version 9.03.04.00. Authentication works in this scenario for the user
authenticated in the client machine. I am always using the same user for
connections.

    I used Wireshark in the configuration phase to analyze the traffic
between the server and the client. It looks to me that in the
authentication phase, the client always sends the same service ticket to
postgresql server when a new connection is created, even when I create a
new DSN pointing to the same server, it keeps sending the same service
ticket.

    Analyzing the source code, in the file src/backend/libpq/auth.c it looks
like the server is not checking if the service ticket is reused:

    r = AcceptSecurityContext(&sspicred,
        sspictx,
        &inbuf,
        ASC_REQ_ALLOCATE_MEMORY,
        SECURITY_NETWORK_DREP,
        &newctx,
        &outbuf,
        &contextattr,
        NULL);

    The fourth parameter is not using the ASC_REQ_REPLAY_DETECT flag.

   Am I misunderstanding something or is this the expected behavior? Does
this not mean a replay attack risk? I think that if SSL is not used by the
connection, a malicious user could capture the authentication packet with
the client service ticket and then reuse it.

Thanks in advance
-- 
*Jacobo Vázquez Lorenzo*
Product Development
Denodo Technologies
(+34) 981 10 02 00 Phone
jvazquez@denodo.com
www.denodo.com     Legal Notice
The message is intended for the addresses only and its contents and any
attached files are strictly confidential.
If you have received it in error, please remove this mail and contact
postmaster@denodo.com.
Thank you.
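As an added illustration (not code from PostgreSQL, psqlodbc or the Windows SSPI), the Python below models the Kerberos AP-REQ replay check that RFC 4120 section 3.2.3 expects a service to perform. Two points are worth separating in the scenario described in the message: a Kerberos client reuses its cached service ticket for the ticket's lifetime, so the same ticket appearing on every new connection is normal; what must be fresh is the authenticator sent alongside it in each AP-REQ, which carries the client's timestamp (ctime, cusec), and it is a replayed authenticator that the server's clock-skew check and replay cache are meant to reject. Microsoft's SSPI documentation describes ASC_REQ_REPLAY_DETECT as a request for replay detection on messages protected with MakeSignature or EncryptMessage after the context is established; the authenticator freshness check modelled here is part of the Kerberos protocol itself. The ticket identifier, principal name, timestamps and error names used as return values are constructed for the example.

```python
"""Model of the Kerberos AP-REQ replay check (RFC 4120 section 3.2.3).

Constructed illustration; not code from PostgreSQL, psqlodbc or the Windows SSPI.
The server rejects an authenticator whose timestamp is outside the allowed clock
skew, and one whose (client, ctime, cusec) tuple it has already seen inside that
window. The ticket itself may legitimately be reused by the client.
"""
from dataclasses import dataclass

# RFC 4120 suggests a clock skew of about five minutes.
CLOCK_SKEW_SECONDS = 300


@dataclass(frozen=True)
class ApReq:
    """The parts of an AP-REQ this check looks at (constructed fields)."""
    ticket_id: str   # stands in for the encrypted service ticket, reused across connections
    cname: str       # client principal named in the authenticator
    ctime: int       # authenticator timestamp, seconds since the epoch
    cusec: int       # microsecond part of the authenticator timestamp


class ReplayCache:
    """Server-side replay cache keyed on (cname, ctime, cusec)."""

    def __init__(self, skew: int = CLOCK_SKEW_SECONDS) -> None:
        self.skew = skew
        self._seen: dict[tuple[str, int, int], int] = {}

    def _expire(self, now: int) -> None:
        # Entries older than the skew window can never match a valid authenticator again.
        stale = [k for k, ctime in self._seen.items() if now - ctime > self.skew]
        for k in stale:
            del self._seen[k]

    def accept(self, req: ApReq, now: int) -> tuple[bool, str]:
        """Return (accepted, reason) for one AP-REQ presented at server time `now`."""
        self._expire(now)
        # Authenticator timestamp must be within the allowed clock skew.
        if abs(now - req.ctime) > self.skew:
            return False, "KRB_AP_ERR_SKEW"
        key = (req.cname, req.ctime, req.cusec)
        # An authenticator seen before inside the window is a replay.
        if key in self._seen:
            return False, "KRB_AP_ERR_REPEAT"
        self._seen[key] = req.ctime
        return True, "ok"


def run_scenario() -> list[tuple[bool, str]]:
    """Constructed exchange: two genuine connections reusing one ticket, then replays."""
    cache = ReplayCache()
    base = 1_427_820_000  # constructed server clock value
    # Same cached service ticket on both connections, fresh authenticator each time.
    first = ApReq("svc-ticket-A", "alice@EXAMPLE.COM", base, 1000)
    second = ApReq("svc-ticket-A", "alice@EXAMPLE.COM", base + 30, 2000)
    results = [
        cache.accept(first, base + 1),       # genuine connection
        cache.accept(second, base + 31),     # genuine reconnect, ticket reused, new authenticator
        cache.accept(first, base + 60),      # captured first AP-REQ replayed inside the window
        cache.accept(first, base + 1000),    # captured first AP-REQ replayed after the window
    ]
    return results


if __name__ == "__main__":
    for accepted, reason in run_scenario():
        print(accepted, reason)
```

The third and fourth results show the two ways a captured AP-REQ is rejected: inside the skew window the replay cache catches the repeated authenticator, and outside it the timestamp check does. Note that the first two results are both accepted even though the ticket is identical, which is why observing the same service ticket across connections is not by itself evidence of a replay problem.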
