II: Security problem in 1.1.15 PROXY_AUTH

From: David Luyer <luyer@dont-contact.us>
Date: Mon, 25 Aug 1997 15:21:28 +0800 (WST)


This is a resend with a change since I realised my security fix was
useless; one can just set the top bit in the passed password. I haven't
changed most of the email, I've just changed the last bit from XOR-ing 3
times to |=0x80, &=~(0x80), |=0x80.

David.

--
(with and without ACL PROXY_AUTH; in acl.c with ACL PROXY_AUTH, or in
client_side.c with plain PROXY_AUTH)

    if (strcmp(hashr->item, passwd) == 0) {
        debug(33, 5, "proxyAuthenticate: user %s previously validated\n",
            sent_user);
        xfree(clear_userandpw);
        return sent_user;
    }
    if (strcmp(hashr->item, (char *) crypt(passwd, hashr->item))) {
        /* Passwords differ, deny access */
        debug(33, 4, "proxyAuthenticate: authentication failed: user %s passwords differ\n",
            sent_user);
        xfree(clear_userandpw);
        return (dash_str);
    }
    debug(33, 5, "proxyAuthenticate: user %s validated\n", sent_user);
    hash_delete(validated, sent_user);
    hash_insert(validated, xstrdup(sent_user), (void *) xstrdup(passwd));

Unless you completely and utterly trust shadowed passwords, SecureWare,
NIS, or whatever you use (all of which I've found holes with in
installations I've seen or commercial unix variants I've used), this is a
_very_ bad thing.

A user who obtains the _crypt_ of another user can, without having to
brute-force crack it, just pass (username, crypt) as a request for proxy
authentication.  (I have tested this and it works.  Not good.)

My fix is to add 128 to the first byte in the plaintext password which
squid stores to speed checks (on 2nd and subsequent logins), i.e.:

    passwd[0] |= 0x80;
    /* check mutated password */
    if (strcmp(....) == 0) {
    }
    passwd[0] &= ~(0x80);
    /* check vs crypt */
    if (strcmp(..., crypt(...))) {
    }
    passwd[0] |= 0x80;
    /* store mutated password away */

David.
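A self-contained C model of the check sequence above and of both patches, added here as an illustration; it is not code from the original mail or from squid. It stands in a toy_crypt() for crypt(3) (so it builds without -lcrypt) and a small array for squid's `validated` hash table, whose entry for a user starts out as the crypt string from the password file and is overwritten with the plaintext after the first successful crypt() check; the user "alice", her password and the salt "ab" are constructed sample data. It shows why sending the bare crypt string is accepted by the original code, why the XOR version is beaten by setting the top bit of the first byte, and why the |=, &= ~, |= sequence is not.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Stand-in for crypt(3) (assumption: squid calls the real one). It keeps
 * crypt's shape, a 13-char printable string beginning with the 2-char salt,
 * but is NOT a password hash and must never be used as one. */
static char *toy_crypt(const char *key, const char *salt)
{
    static const char alpha[] =
        "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz";
    static char out[14];
    char s0 = salt[0] ? salt[0] : '.';
    char s1 = (salt[0] && salt[1]) ? salt[1] : '.';
    unsigned long h = 5381;
    for (const char *p = key; *p; p++) h = h * 33 + (unsigned char)*p;
    h = h * 33 + (unsigned char)s0;
    h = h * 33 + (unsigned char)s1;
    out[0] = s0; out[1] = s1;
    for (int i = 2; i < 13; i++) {
        h = h * 1103515245UL + 12345UL;
        out[i] = alpha[(h >> 16) & 63];
    }
    out[13] = '\0';
    return out;
}

/* Stand-in for squid's `validated` hash table: user -> item. */
#define MAX_USERS 8
struct table { char user[MAX_USERS][32]; char item[MAX_USERS][64]; int n; };

static char *lookup(struct table *t, const char *user)
{
    for (int i = 0; i < t->n; i++)
        if (strcmp(t->user[i], user) == 0) return t->item[i];
    return NULL;
}

/* hash_delete + hash_insert in the original: overwrite the user's item. */
static void store(struct table *t, const char *user, const char *item)
{
    char *old = lookup(t, user);
    if (old) { snprintf(old, 64, "%s", item); return; }
    if (t->n >= MAX_USERS) return;
    snprintf(t->user[t->n], 32, "%s", user);
    snprintf(t->item[t->n], 64, "%s", item);
    t->n++;
}

enum fix { FIX_NONE, FIX_XOR, FIX_OR }; /* original, first (useless) patch, final patch */

/* Apply (on=1) or undo (on=0) the first-byte mutation of the chosen patch. */
static void mutate(char *passwd, enum fix f, int on)
{
    unsigned char c = (unsigned char)passwd[0];
    if (f == FIX_XOR) c ^= 0x80;
    else if (f == FIX_OR) c = on ? (c | 0x80) : (c & 0x7f);
    passwd[0] = (char)c;
}

/* 1 = accept, 0 = deny. Same three steps as the excerpt: fast path against the
 * stored item, crypt() against it, then cache the (mutated) plaintext. */
static int proxy_auth(struct table *t, const char *user, char *passwd, enum fix f)
{
    char *item = lookup(t, user);
    if (item == NULL || passwd[0] == '\0') return 0; /* assumption: deny empty password */
    mutate(passwd, f, 1);
    if (strcmp(item, passwd) == 0) return 1;        /* "previously validated" */
    mutate(passwd, f, 0);
    if (strcmp(item, toy_crypt(passwd, item)) != 0) return 0; /* passwords differ */
    mutate(passwd, f, 1);
    store(t, user, passwd);
    return 1;
}

static const char *VICTIM_PW = "s3cret"; /* constructed sample data */

static void fresh_table(struct table *t)
{
    t->n = 0;
    store(t, "alice", toy_crypt(VICTIM_PW, "ab")); /* password-file entry */
}

/* Attacker sends alice's crypt string as her password; top_bit=1 also sets
 * bit 7 of its first byte (the trick from the mail). 1 = attack succeeds. */
static int attack_with_crypt(enum fix f, int top_bit)
{
    struct table t; char passwd[64];
    fresh_table(&t);
    snprintf(passwd, sizeof passwd, "%s", lookup(&t, "alice"));
    if (top_bit) passwd[0] = (char)((unsigned char)passwd[0] | 0x80);
    return proxy_auth(&t, "alice", passwd, f);
}

/* alice logs in twice (second hit is the cached fast path), then the attacker
 * tries the crypt string. 1 only if both logins pass and the attack is denied. */
static int legit_then_attack(enum fix f)
{
    struct table t; char passwd[64];
    fresh_table(&t);
    snprintf(passwd, sizeof passwd, "%s", VICTIM_PW);
    if (!proxy_auth(&t, "alice", passwd, f)) return 0;
    snprintf(passwd, sizeof passwd, "%s", VICTIM_PW);
    if (!proxy_auth(&t, "alice", passwd, f)) return 0;
    snprintf(passwd, sizeof passwd, "%s", toy_crypt(VICTIM_PW, "ab"));
    return proxy_auth(&t, "alice", passwd, f) == 0;
}

int main(void)
{
    printf("crypt string as password, original code: %s\n",
           attack_with_crypt(FIX_NONE, 0) ? "ACCEPTED" : "denied");
    printf("crypt string with top bit set, XOR patch: %s\n",
           attack_with_crypt(FIX_XOR, 1) ? "ACCEPTED" : "denied");
    printf("crypt string, either form, |= patch: %s\n",
           (attack_with_crypt(FIX_OR, 0) || attack_with_crypt(FIX_OR, 1)) ? "ACCEPTED" : "denied");
    printf("legit logins still work under |= patch: %s\n",
           legit_then_attack(FIX_OR) ? "yes" : "no");
    return 0;
}
```

The model also makes the window of the original bug visible: the crypt string is only accepted while the table still holds the crypt entry, i.e. before the victim's first successful login replaces it with the plaintext, which is why the fast path, not crypt() itself, is what the patch has to change.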
Received on Tue Jul 29 2003 - 13:15:42 MDT
