Re: [SECURITY] CVE-2009-0580 Apache Tomcat User enumeration vulnerability with FORM authentication
Christopher Schultz wrote:
> Mark,
>
> On 6/3/2009 11:42 AM, Mark Thomas wrote:
>> CVE-2009-0580: Tomcat information disclosure vulnerability
>
> I know I'm likely to get a vague response, but could you provide some more info about this issue?

I'm sorry you have that impression. As I hope you see from this thread, the Tomcat security team is more than happy to discuss any vulnerability in detail once the vulnerability has been made public.

>> j_username=tomcat&j_password=%
>
> I'm not sure how the patch (I read the patch for TC5.5 DataSourceRealm.java) changes anything at all: it appears to be merely a performance optimization.

Not quite.

> No changes are made to the behavior of Tomcat, since the same null is returned to the caller if the credentials do not match.

If the credentials are null (e.g. a password via FORM auth with invalid encoding) then there is an NPE. It is a result of lines 332/334 (5.5.x, post patch). If credentials is null then digest(credentials) is also null, which results in an NPE when we try digest(credentials).equals(...). The NPE isn't handled and results in a blank response back to the client.

> I don't see any information disclosure vulnerability in the first place, and I don't see how your patch would have fixed it.

The patch stops this NPE from happening and ensures that users get a login failed message rather than a blank screen.

You are correct that for the current DataSource and JDBC Realms this is just a bug fix. However, for the MemoryRealm there is a test at line 150 that means the responses for a valid and invalid user when credentials are null are different. Valid users cause an NPE and a blank response. Invalid users get a login failed message.

For the JDBC and DataSource Realms, earlier versions (5.5.0 to 5.5.5 and 4.1.0 to 4.1.31, with the DataSource Realm introduced in 4.1.17) are vulnerable. I'll issue an update to the vulnerability notice to clarify this.

If you have any further questions, please do ask.
Mark

- To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
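The two realm shapes Mark contrasts above (a lookup-then-compare path that dereferences null credentials for a known user, beside one that rejects null credentials up front), as an added Python model of the behaviour rather than Tomcat's own code. The user store, the strict percent-decoder standing in for the container's form decoding, and the "blank"/"login failed" response labels are all constructed for the example; the last function is the regression check a defender would keep to catch this class of oracle.

```python
# Added model, not Tomcat's code; USERS is a constructed stand-in for tomcat-users.xml.
USERS = {"tomcat": "tomcat", "admin": "hunter2"}  # plaintext passwords (digest=None)

class NullPointerException(Exception): pass  # Java's NPE, made explicit

def strict_url_decode(raw):
    """Percent-decode a form field; a malformed escape such as a bare '%' yields None,
    modelling the container handing the realm null credentials."""
    out, i = [], 0
    while i < len(raw):
        if raw[i] != "%":
            out.append(" " if raw[i] == "+" else raw[i])
            i += 1
            continue
        pair = raw[i + 1:i + 3]
        if len(pair) != 2 or not all(c in "0123456789abcdefABCDEF" for c in pair):
            return None
        out.append(chr(int(pair, 16)))
        i += 3
    return "".join(out)

def java_equals(a, b):
    """a.equals(b) dereferences a, so a null receiver throws (digest(null) is null)."""
    if a is None:
        raise NullPointerException()
    return a == b

def authenticate_unpatched(username, credentials):
    """Pre-fix shape: unknown users return null before the compare, but a known
    user reaches digest(credentials).equals(stored) with a null receiver."""
    stored = USERS.get(username)
    return None if stored is None else (username if java_equals(credentials, stored) else None)

def authenticate_patched(username, credentials):
    """Post-fix shape: reject null credentials up front, so every failure returns null."""
    if username is None or credentials is None:
        return None
    return authenticate_unpatched(username, credentials)

def login_response(realm, username, raw_password):
    """FORM authenticator as the client sees it: unhandled exception -> blank page."""
    try:
        principal = realm(username, strict_url_decode(raw_password))
    except NullPointerException:
        return "blank"
    return "ok" if principal else "login failed"

def leaks_username_validity(realm, known_user, unknown_user, raw_password="%"):
    """Regression check: the response must not depend on whether the user exists."""
    return login_response(realm, known_user, raw_password) != login_response(realm, unknown_user, raw_password)
```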
Re: [SECURITY] CVE-2009-0580 Apache Tomcat User enumeration vulnerability with FORM authentication
Mark,

On 6/5/2009 7:03 AM, Mark Thomas wrote:
> Christopher Schultz wrote:
>> Mark,
>>
>> On 6/3/2009 11:42 AM, Mark Thomas wrote:
>>> CVE-2009-0580: Tomcat information disclosure vulnerability
>>
>> I know I'm likely to get a vague response, but could you provide some more info about this issue?
>
> I'm sorry you have that impression. As I hope you see from this thread, the Tomcat security team is more than happy to discuss any vulnerability in detail once the vulnerability has been made public.

I'm sorry my comment came off as annoyed or something like that. The reason I made this "vague response" statement is because the last time I asked about specifics of a particular security bugfix, you (I think) said that the vulnerability was theoretical, the bugfix was basically to prevent the possibility for exploitation, and that the vulnerability wasn't directly demonstrable in the first place (which makes me question the veracity of the claim in the first place). I wasn't trying to be a troll.

Thanks for the response(s).

> You are correct that for the current DataSource and JDBC Realms this is just a bug fix. However, for the MemoryRealm there is a test at line 150 that means the responses for a valid and invalid user when credentials are null are different. Valid users cause an NPE and a blank response. Invalid users get a login failed message.

Aah, I hadn't looked at MemoryRealm, specifically. I made the (foolish) assumption that the changes in all the realms would be comparable.

> For the JDBC and DataSource Realms, earlier versions (5.5.0 to 5.5.5 and 4.1.0 to 4.1.31, with the DataSource Realm introduced in 4.1.17) are vulnerable.

I'm afraid I still don't understand the vulnerability in 5.5's DataSourceRealm (the one I actually look at in detail): the NPE occurs (in the unpatched code) regardless of the presence of a valid user(name).
-chris
Re: [SECURITY] CVE-2009-0580 Apache Tomcat User enumeration vulnerability with FORM authentication
Christopher Schultz wrote:
>> For the JDBC and DataSource Realms, earlier versions (5.5.0 to 5.5.5 and 4.1.0 to 4.1.31, with the DataSource Realm introduced in 4.1.17) are vulnerable.
>
> I'm afraid I still don't understand the vulnerability in 5.5's DataSourceRealm (the one I actually look at in detail): the NPE occurs (in the unpatched code) regardless of the presence of a valid user(name).

You need to go back to what the code looked like between 5.5.0 and 5.5.5. It was very different back then.

Mark
Re: [SECURITY] CVE-2009-0580 Apache Tomcat User enumeration vulnerability with FORM authentication
Mark,

On 6/5/2009 12:14 PM, Mark Thomas wrote:
> Christopher Schultz wrote:
>>> For the JDBC and DataSource Realms, earlier versions (5.5.0 to 5.5.5 and 4.1.0 to 4.1.31, with the DataSource Realm introduced in 4.1.17) are vulnerable.
>>
>> I'm afraid I still don't understand the vulnerability in 5.5's DataSourceRealm (the one I actually look at in detail): the NPE occurs (in the unpatched code) regardless of the presence of a valid user(name).
>
> You need to go back to what the code looked like between 5.5.0 and 5.5.5. It was very different back then.

Apologies: it's noon and I'm still bleary-eyed. I was reading 5.5.0 - 5.5.5 as 5.0 - 5.5.

The actual fix then truly occurred between 5.5.0 and 5.5.5 in the 5.5.x branch, and the most recent commit amounts to both a performance optimization and a triple-check that this type of bug won't bite again anytime soon.

Thanks for clarifying (again).

-chris
Re: [SECURITY] CVE-2009-0580 Apache Tomcat User enumeration vulnerability with FORM authentication
Mark,

On 6/3/2009 11:42 AM, Mark Thomas wrote:
> CVE-2009-0580: Tomcat information disclosure vulnerability

I know I'm likely to get a vague response, but could you provide some more info about this issue?

> Due to insufficient error checking in some authentication classes, Tomcat allows for the enumeration (brute force testing) of usernames by supplying illegally URL encoded passwords.

[snip]

> j_username=tomcat&j_password=%

I'm not sure how the patch (I read the patch for TC5.5 DataSourceRealm.java) changes anything at all: it appears to be merely a performance optimization. No changes are made to the behavior of Tomcat, since the same null is returned to the caller if the credentials do not match.

I don't see any information disclosure vulnerability in the first place, and I don't see how your patch would have fixed it.

??!

-chris
Re: [SECURITY] CVE-2009-0580 Apache Tomcat User enumeration vulnerability with FORM authentication
On Thu, Jun 4, 2009 at 6:48 PM, Christopher Schultz ch...@christopherschultz.net wrote:
> I don't see any information disclosure vulnerability in the first place, and I don't see how your patch would have fixed it.
>
> ??!

The behavior was different if the user is not found or if the password is wrong. (ok, the security issue is not exactly very serious)

Rémy
Re: [SECURITY] CVE-2009-0580 Apache Tomcat User enumeration vulnerability with FORM authentication
It looks to me like the change fixes an NPE when a null or nonsense password is given. The NPE would allow an attacker to determine if a username is valid (without having to know the password). Not the most serious security breach, but login protocols aren't supposed to let you guess usernames.

--
Len

On Thu, Jun 4, 2009 at 12:48, Christopher Schultz ch...@christopherschultz.net wrote:
> Mark,
>
> On 6/3/2009 11:42 AM, Mark Thomas wrote:
>> CVE-2009-0580: Tomcat information disclosure vulnerability
>
> I know I'm likely to get a vague response, but could you provide some more info about this issue?
>
>> Due to insufficient error checking in some authentication classes, Tomcat allows for the enumeration (brute force testing) of usernames by supplying illegally URL encoded passwords.
>
> [snip]
>
>> j_username=tomcat&j_password=%
>
> I'm not sure how the patch (I read the patch for TC5.5 DataSourceRealm.java) changes anything at all: it appears to be merely a performance optimization. No changes are made to the behavior of Tomcat, since the same null is returned to the caller if the credentials do not match.
>
> I don't see any information disclosure vulnerability in the first place, and I don't see how your patch would have fixed it.
>
> ??!
>
> -chris
Re: [SECURITY] CVE-2009-0580 Apache Tomcat User enumeration vulnerability with FORM authentication
Rémy,

On 6/4/2009 1:04 PM, Rémy Maucherat wrote:
> On Thu, Jun 4, 2009 at 6:48 PM, Christopher Schultz ch...@christopherschultz.net wrote:
>> I don't see any information disclosure vulnerability in the first place, and I don't see how your patch would have fixed it.
>>
>> ??!
>
> The behavior was different if the user is not found or if the password is wrong. (ok, the security issue is not exactly very serious)

To be sure, this is not very serious, but this method should return null in all cases except for successful authentication. Under what conditions would something non-null be returned if the authentication wasn't successful? I don't think an exception would be thrown, either, would it?

On 6/4/2009 2:06 PM, Len Popp wrote:
> It looks to me like the change fixes an NPE when a null or nonsense password is given.

That would certainly amount to an information disclosure, but I'm reading the 5.5 trunk source (http://svn.apache.org/viewvc/tomcat/container/tc5.5.x/catalina/src/share/org/apache/catalina/realm/DataSourceRealm.java?revision=466608&pathrev=781379 : version just previous to the fix) and it looks like you'd get an NPE whether the user was found in the database or not.

I suppose the argument could be made that sloppy credential handling (that is, sloppy enough to allow an NPE) could possibly lead to such information disclosure. Time to go check out securityfilter's source to see if we do this. Oh, wait, we use Tomcat's realms :)

-chris