Your message dated Mon, 24 Jul 2006 03:23:52 -0700
with message-id <[EMAIL PROTECTED]>
and subject line Bug#349965: fixed in ntlmaps 0.9.9.0.1-1
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--- Begin Message ---
Package: ntlmaps
Version: 0.9.9-4
Severity: important

When ntlmaps is used to serve BASIC to NTLM authentication translation,
it tries to connect to the parent proxy with Basic credentials supplied
by the client, therefore nullifying any security benefits gained from
using NTLM authentication.

Below is an example of a typical ntlmaps <-> parent proxy HTTP
conversation (as captured by tcpdump and displayed by ethereal;
response bodies and unimportant header parameters are omitted):

ntlmaps> GET http://www.avtomatikarus.com/logo-en.gif HTTP/1.0
ntlmaps> User-Agent: Wget/1.9.1
ntlmaps> Host: www.avtomatikarus.com
ntlmaps> Accept: */*
ntlmaps> Proxy-Authorization: Basic dXNlcjpwYXNzd29yZA==

proxy> HTTP/1.0 407 Proxy Authentication Required
proxy> Mime-Version: 1.0
proxy> Date: Thu, 26 Jan 2006 10:07:04 GMT
proxy> Content-Type: text/html
proxy> Content-Length: 1354
proxy> Proxy-Authenticate: NTLM
proxy> Proxy-Connection: close

ntlmaps> GET http://www.avtomatikarus.com/logo-en.gif HTTP/1.0
ntlmaps> User-Agent: Wget/1.9.1
ntlmaps> Host: www.avtomatikarus.com
ntlmaps> Accept: */*
ntlmaps> Proxy-Authorization: NTLM TlRMTVNT...
(value cropped)
ntlmaps> Proxy-Connection: Keep-Alive

proxy> HTTP/1.0 407 Proxy Authentication Required
proxy> Mime-Version: 1.0
proxy> Date: Thu, 26 Jan 2006 10:07:04 GMT
proxy> Content-Type: text/html
proxy> Content-Length: 1354
proxy> Proxy-Authenticate: NTLM TlRMTVNT...
(value cropped)
proxy> Proxy-Connection: keep-alive

ntlmaps> GET http://www.avtomatikarus.com/logo-en.gif HTTP/1.0
ntlmaps> User-Agent: Wget/1.9.1
ntlmaps> Host: www.avtomatikarus.com
ntlmaps> Accept: */*
ntlmaps> Proxy-Authorization: NTLM TlRMTVNT...
(value cropped)

proxy> HTTP/1.0 407 Proxy Authentication Required
proxy> Mime-Version: 1.0
proxy> Date: Thu, 26 Jan 2006 10:07:05 GMT
proxy> Content-Type: text/html
proxy> Content-Length: 1354
proxy> Proxy-Authenticate: NTLM
proxy> Proxy-Connection: close
(Access was denied due to obviously incorrect credentials)

The ntlmaps configuration that was used follows:

[GENERAL]
LISTEN_PORT:5865
PARENT_PROXY:proxy
PARENT_PROXY_PORT:8080
PARENT_PROXY_TIMEOUT:15
ALLOW_EXTERNAL_CLIENTS:0
FRIENDLY_IPS:
URL_LOG:0
MAX_CONNECTION_BACKLOG:5
[CLIENT_HEADER]
[NTLM_AUTH]
NT_HOSTNAME:knu
NT_DOMAIN:AVT
LM_PART:0
NT_PART:1
NTLM_FLAGS: 05820000
NTLM_TO_BASIC:1
[DEBUG]
DEBUG:1
BIN_DEBUG:1
SCR_DEBUG:1
AUTH_DEBUG:1

The following patch implements masking out of the Proxy-Authorization
parameter during client request retransmission, when using
BASIC to NTLM authentication translation:

--- proxy_client.py.distrib     2006-01-26 12:11:02.856709592 +0300
+++ proxy_client.py     2006-01-26 12:01:41.227937741 +0300
@@ -307,8 +307,25 @@
     #-----------------------------------------------------------------------
     def send_client_header(self):
         ""
-        self.logger.log('*** Sending client request header to remote 
server...')
-        ok = self.client_head_obj.send(self.rserver_socket)
+
+       ok = 0
+
+        if self.config['NTLM_AUTH']['NTLM_TO_BASIC'] and 
self.client_head_obj.has_param('Proxy-Authorization'):
+           # Assuming Proxy-Authorization parameter contains Basic credentials.
+           # Masking it out, because of unsafety and unnecessarity.
+
+            proxy_authorization_values = 
self.client_head_obj.get_param_values('Proxy-Authorization')
+            self.client_head_obj.del_param('Proxy-Authorization')
+
+            self.logger.log('*** Sending client request header without 
Proxy-Authorization parameter to remote server...')
+            ok = self.client_head_obj.send(self.rserver_socket)
+
+            for value in proxy_authorization_values:
+                self.client_head_obj.add_param_value('Proxy-Authorization', 
value)
+       else:
+            self.logger.log('*** Sending client request header to remote 
server...')
+            ok = self.client_head_obj.send(self.rserver_socket)
+
         if ok:
             self.client_header_sent = 1
             self.logger.log('Done.\n')
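Review bot: in send_client_header the added lines `ok = 0`, `else:` and the two comment lines sit at a different indentation (seven columns after the `+`) than the eight-space lines around them, which suggests tabs mixed with spaces; in Python that either fails to parse or depends on the tab width, so re-indent them with spaces to match the `if`. Separately, the Proxy-Authorization values are put back only after `send()` returns: if `send()` raises, the header stays deleted on `client_head_obj`, so put the send in a try block and the `add_param_value` loop in its finally clause. The comment says the header is assumed to hold Basic credentials, but the code removes it whatever the scheme; either say so in the comment or check the scheme before deleting. The two branches also repeat the same send call and could share one.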

-- System Information:
Debian Release: 3.1
  APT prefers stable
  APT policy: (990, 'stable'), (700, 'testing'), (600, 'unstable')
Architecture: i386 (i686)
Kernel: Linux 2.6.8-2-k7
Locale: LANG=ru_RU.UTF-8, LC_CTYPE=ru_RU.UTF-8 (charmap=UTF-8)

Versions of packages ntlmaps depends on:
ii  debconf [debconf-2.0]         1.4.30.13  Debian configuration management sy
ii  python                        2.3.5-2    An interactive high-level object-o

-- debconf information excluded


--- End Message ---
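
A check for the leak described in the report above, as an added example that is not part of the original message or of ntlmaps: it scans a capture written in the report's `ntlmaps>` / `proxy>` transcript format and flags every upstream request that still carries Basic credentials. The capture and host name below are constructed; the function names are hypothetical.

```python
import base64

# Constructed capture in the report's transcript format (not real traffic).
CAPTURE = """\
ntlmaps> GET http://example.test/logo.gif HTTP/1.0
ntlmaps> Host: example.test
ntlmaps> Proxy-Authorization: Basic dXNlcjpwYXNzd29yZA==

proxy> HTTP/1.0 407 Proxy Authentication Required
proxy> Proxy-Authenticate: NTLM

ntlmaps> GET http://example.test/logo.gif HTTP/1.0
ntlmaps> Host: example.test
ntlmaps> Proxy-Authorization: NTLM TlRMTVNT...
(value cropped)
"""

def upstream_requests(capture, sender="ntlmaps>", peer="proxy>"):
    """Split the transcript into the header blocks sent by `sender`."""
    blocks, current = [], []
    for line in capture.splitlines():
        if line.startswith(sender):
            current.append(line[len(sender):].strip())
        elif current and (not line.strip() or line.startswith(peer)):
            # A blank line or a peer line ends the request; annotations
            # such as "(value cropped)" are skipped.
            blocks.append(current)
            current = []
    if current:
        blocks.append(current)
    return blocks

def find_basic_leaks(capture):
    """Return (request_line, user) for each upstream request with Basic credentials."""
    leaks = []
    for block in upstream_requests(capture):
        for header in block[1:]:
            name, _, value = header.partition(":")
            if name.strip().lower() != "proxy-authorization":
                continue
            scheme, _, token = value.strip().partition(" ")
            if scheme.lower() == "basic":
                # Basic is base64("user:password"): an encoding, not encryption.
                decoded = base64.b64decode(token.strip()).decode("latin-1")
                leaks.append((block[0], decoded.partition(":")[0]))
    return leaks

if __name__ == "__main__":
    for request_line, user in find_basic_leaks(CAPTURE):
        print("Basic credentials for %r sent upstream in: %s" % (user, request_line))
```

With the patch from the report applied, the first request would go out without the header and the check would return an empty list.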
--- Begin Message ---
Source: ntlmaps
Source-Version: 0.9.9.0.1-1

We believe that the bug you reported is fixed in the latest version of
ntlmaps, which is due to be installed in the Debian FTP archive:

ntlmaps_0.9.9.0.1-1.diff.gz
  to pool/main/n/ntlmaps/ntlmaps_0.9.9.0.1-1.diff.gz
ntlmaps_0.9.9.0.1-1.dsc
  to pool/main/n/ntlmaps/ntlmaps_0.9.9.0.1-1.dsc
ntlmaps_0.9.9.0.1-1_all.deb
  to pool/main/n/ntlmaps/ntlmaps_0.9.9.0.1-1_all.deb
ntlmaps_0.9.9.0.1.orig.tar.gz
  to pool/main/n/ntlmaps/ntlmaps_0.9.9.0.1.orig.tar.gz



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Drew Parsons <[EMAIL PROTECTED]> (supplier of updated ntlmaps package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Sun, 23 Jul 2006 23:00:27 +1000
Source: ntlmaps
Binary: ntlmaps
Architecture: source all
Version: 0.9.9.0.1-1
Distribution: unstable
Urgency: low
Maintainer: Drew Parsons <[EMAIL PROTECTED]>
Changed-By: Drew Parsons <[EMAIL PROTECTED]>
Description: 
 ntlmaps    - NTLM Authorization Proxy Server
Closes: 343475 344904 349199 349965
Changes: 
 ntlmaps (0.9.9.0.1-1) unstable; urgency=low
 .
   [ David Watson ]
   * New upstream release
   * Mask out Proxy-Authorization parameter when using BASIC to NTLM,
     thanks to Nickolay Kondrashov. Closes: #349965
   * Added unicode translation when using BASIC->NTLM, thanks to
     Nickolay Kondrashov. Closes: #344904
   * Log to syslog when startup fails due to missing password in
     configuration file. Closes: #343475
   * Escape special characters in password in postinst. Closes: #349199
   * Update to standards version 3.7.2, no changes needed.
   * Update for new python policy.
 .
   [ Drew Parsons ]
   * Upload on David's behalf.
Files: 
 d072cdfbc26e989c59718fd706513263 617 web optional ntlmaps_0.9.9.0.1-1.dsc
 7ee0a00d5446f39ebbe5f0f90465986e 55908 web optional ntlmaps_0.9.9.0.1.orig.tar.gz
 79cab5ff7950eceb8d61e258a555dc9f 16252 web optional ntlmaps_0.9.9.0.1-1.diff.gz
 aaa232397d396c7074d06dae4df0f32d 63484 web optional ntlmaps_0.9.9.0.1-1_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.3 (GNU/Linux)

iD8DBQFExAq5ts5wQWQSTkoRAtI3AKCKreYQwIn4g9KxHpURS86OtFnLuQCfde37
LHAMMuog4vJ351VBzUOBlvo=
=+JuL
-----END PGP SIGNATURE-----


--- End Message ---
