
List:       wget
Subject:    Wget auth-md5 bug
From:       "Eugene Y. Vasserman" <eyv () cs ! umn ! edu>
Date:       2006-11-20 17:23:20
Message-ID: 20061120172320.GC23526 () cs ! umn ! edu

Hi,
I'm TAing a class on security, and some of the students in the class recently discovered a wget bug that will (when using --http-user and --http-passwd) transmit the username/password pair in cleartext (base64 encoded) even when the website asks for md5 authentication. It seems wget will transmit the --http-user and --http-passwd strings pre-emptively, or rather before the site says what kind of authorization method is to be used. Therefore, even when the authorization method is "secure", wget discloses passwords to adversaries that have a sniffer running. The version of wget used is 1.10.2, or the latest available on the FTP site. The students reporting this vulnerability were Mark Peloquin, Jon McLachln and Aaron Schumacher. Thanks,
Eugene

Relevant portions of the TCPdump attached below:

11:13:13.596870 IP 172.16.5.102.2207 > 172.16.5.103.www: S 1121427938:1121427938(0) win 5840 <mss 1460,sackOK,timestamp 241897729 0,nop,wscale 2> E..<..@.@.&....f...g...PB............2.........
.k..........
11:13:13.596878 IP 172.16.5.103.www > 172.16.5.102.2207: S 2035711342:2035711342(0) ack 1121427939 win 5792 <mss 1460,sackOK,timestamp 300248124 241897729,nop,wscale 2> E..<..@.@......g...f.P..yV}nB.......Lk.........
..l<.k......
11:13:13.609660 IP 172.16.5.102.2207 > 172.16.5.103.www: . ack 1 win 1460 <nop,nop,timestamp 241897730 300248124> E..4..@.@.&....f...g...PB...yV}o...........
.k....l<
11:13:13.609946 IP 172.16.5.102.2207 > 172.16.5.103.www: P 1:166(165) ack 1 win 1460 <nop,nop,timestamp 241897730 300248124>
E.....@.@.&L...f...g...PB...yV}o...........
.k....l<GET /more-sekret/cheese HTTP/1.0
User-Agent: Wget/1.10.2
Accept: */*
Authorization: Basic c3R1ZGVudDI6aW1tdW5pemVz
Host: 172.16.5.103
Connection: Keep-Alive
11:13:13.610366 IP 172.16.5.103.www > 172.16.5.102.2207: . ack 166 win 1716 <nop,nop,timestamp 300248129 241897730> E..4..@.@......g...f.P..yV}oB........s.....
..lA.k..
11:13:13.611726 IP 172.16.5.103.www > 172.16.5.102.2207: P 1:954(953) ack 166 win 1716 <nop,nop,timestamp 300248129 241897730> E..../@.@......g...f.P..yV}oB.......%......
..lA.k..HTTP/1.1 401 Authorization Required
Date: Mon, 20 Nov 2006 17:13:13 GMT
Server: Apache/2.0.55 (Ubuntu) mod_ssl/2.0.55 OpenSSL/0.9.8a
WWW-Authenticate: Digest realm="Security by Misunderstanding", nonce="0zs31bAiBAA=b11dc070a7628b66da822eece146b0e61bbc11d7", algorithm=MD5, domain="/var/www/more-sekret", qop="auth"
Content-Length: 509
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=iso-8859-1


-- 
Eugene Y. Vasserman
http://www.cs.umn.edu/~eyv/
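As an added example (not part of the mail above, and not wget's own code), a small Python check that parses the HTTP headers of the exchange in the tcpdump and flags what went wrong: a Basic credential on the wire, sent before any challenge, to a server that asked for Digest. The request and response strings are constructed from the capture; the finding codes and the `challenged_before` flag are my own assumptions about how a capture analyser would track state.

```python
# Constructed from the capture in the mail: the pre-emptive request and the 401 reply.
CLIENT_REQUEST = (
    "GET /more-sekret/cheese HTTP/1.0\r\n"
    "User-Agent: Wget/1.10.2\r\n"
    "Accept: */*\r\n"
    "Authorization: Basic c3R1ZGVudDI6aW1tdW5pemVz\r\n"
    "Host: 172.16.5.103\r\n"
    "Connection: Keep-Alive\r\n\r\n"
)
SERVER_RESPONSE = (
    "HTTP/1.1 401 Authorization Required\r\n"
    'WWW-Authenticate: Digest realm="Security by Misunderstanding", '
    'nonce="0zs31bAiBAA=b11dc070a7628b66da822eece146b0e61bbc11d7", '
    'algorithm=MD5, domain="/var/www/more-sekret", qop="auth"\r\n'
    "Content-Length: 509\r\n\r\n"
)

def parse_headers(message: str) -> dict:
    """Map lower-cased header names to values for one HTTP message; start line skipped."""
    head = message.split("\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split("\r\n")[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers

def auth_scheme(value: str) -> str:
    """Scheme token of an Authorization / WWW-Authenticate value ('basic', 'digest', '')."""
    return value.split(None, 1)[0].lower() if value else ""

def check_exchange(request: str, response: str, challenged_before: bool = False) -> list:
    """Return finding codes for one request/response pair.

    challenged_before: the client had already received a 401 for this URL, so an
    Authorization header is a reply to a challenge rather than pre-emptive.
    """
    sent = auth_scheme(parse_headers(request).get("authorization", ""))
    wanted = auth_scheme(parse_headers(response).get("www-authenticate", ""))
    findings = []
    if sent == "basic":
        findings.append("basic-cleartext")  # base64 is encoding, not encryption
        if not challenged_before:
            findings.append("preemptive")  # sent before the server named any scheme
        if wanted and wanted != "basic":
            findings.append(f"scheme-mismatch:{wanted}")  # server asked for Digest
    return findings

if __name__ == "__main__":
    print(check_exchange(CLIENT_REQUEST, SERVER_RESPONSE))
```

Run against the capture the check reports all three findings; a client that waits for the 401 and answers with Digest would produce none.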

