Posted to announce@tomcat.apache.org by Mark Thomas <ma...@apache.org> on 2009/06/03 17:42:01 UTC

[SECURITY] CVE-2009-0580 Apache Tomcat User enumeration vulnerability with FORM authentication

CVE-2009-0580: Tomcat information disclosure vulnerability

Severity: Low

Vendor:
The Apache Software Foundation

Versions Affected:
Tomcat 4.1.0 to 4.1.39
Tomcat 5.5.0 to 5.5.27
Tomcat 6.0.0 to 6.0.18

The unsupported Tomcat 3.x, 4.0.x and 5.0.x versions may be also affected.

Description:
Due to insufficient error checking in some authentication classes,
Tomcat allows for the enumeration (brute force testing) of usernames by
supplying illegally URL encoded passwords. The attack is possible if
form based authentication (j_security_check) with one of the following
authentication realms is used:
 * MemoryRealm
 * DataSourceRealm
 * JDBCRealm

Mitigation:
6.0.x users should do one of the following:
 - upgrade to 6.0.20
 - apply this patch http://svn.apache.org/viewvc?rev=747840&view=rev
5.5.x users should do one of the following:
 - upgrade to 5.5.28 when released
 - apply this patch http://svn.apache.org/viewvc?rev=781379&view=rev
4.1.x users should do one of the following:
 - upgrade to 4.1.40 when released
 - apply this patch http://svn.apache.org/viewvc?rev=781382&view=rev

Example:
The following POST request should trigger an error (500 server error or
empty response, depending on the configuration) if the ROOT web
application is configured to use FORM authentication:

POST /j_security_check HTTP/1.1
Host: localhost

j_username=tomcat&j_password=%

Credit:
This issue was discovered by D. Matscheko and T. Hackner of SEC Consult.

References:
http://tomcat.apache.org/security.html

Mark Thomas


Re: [SECURITY] CVE-2009-0580 Apache Tomcat User enumeration vulnerability with FORM authentication

Posted by Christopher Schultz <ch...@christopherschultz.net>.
Rémy,

On 6/4/2009 1:04 PM, Rémy Maucherat wrote:
> On Thu, Jun 4, 2009 at 6:48 PM, Christopher Schultz
> <ch...@christopherschultz.net> wrote:
>> I don't see any information disclosure vulnerability in the first place,
>> and I don't see how your patch would have fixed it.
>>
>> ??!
> 
> The behavior was different if the user is not found or if the password is wrong.
> (ok, the security issue is not exactly very serious)

To be sure, this is not very serious, but this method should return null
in all cases except for successful authentication. Under what conditions
would something non-null be returned if the authentication wasn't
successful?

I don't think an exception would be thrown, either, would it?

On 6/4/2009 2:06 PM, Len Popp wrote:
> It looks to me like the change fixes an NPE when a null or nonsense
> password is given.

That would certainly amount to an information disclosure, but I'm
reading the 5.5 trunk source
(http://svn.apache.org/viewvc/tomcat/container/tc5.5.x/catalina/src/share/org/apache/catalina/realm/DataSourceRealm.java?revision=466608&pathrev=781379
: version just previous to the fix) and it looks like you'd get an NPE
whether the user was found in the database or not.

I suppose the argument could be made that sloppy credential handling
(that is, sloppy enough to allow an NPE) could possibly lead to such
information disclosure.

Time to go check out securityfilter's source to see if we do this. Oh,
wait, we use Tomcat's realms :)

-chris

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Re: [SECURITY] CVE-2009-0580 Apache Tomcat User enumeration vulnerability with FORM authentication

Posted by Rémy Maucherat <re...@gmail.com>.
On Thu, Jun 4, 2009 at 6:48 PM, Christopher Schultz
<ch...@christopherschultz.net> wrote:
> I don't see any information disclosure vulnerability in the first place,
> and I don't see how your patch would have fixed it.
>
> ??!

The behavior was different if the user is not found or if the password is wrong.
(ok, the security issue is not exactly very serious)

Rémy



Re: [SECURITY] CVE-2009-0580 Apache Tomcat User enumeration vulnerability with FORM authentication

Posted by Christopher Schultz <ch...@christopherschultz.net>.
Mark,

On 6/5/2009 12:14 PM, Mark Thomas wrote:
> Christopher Schultz wrote:
>>> For the JDBC and DataSource Realms, earlier versions (5.5.0 to 5.5.5 and
>>> 4.1.0 to 4.1.31 with the DataSource Realm introduced in 4.1.17) are
>>> vulnerable.
>> I'm afraid I still don't understand the vulnerability in 5.5's
>> DataSourceRealm (the one I actually look at in detail): the NPE occurs
>> (in the unpatched code) regardless of the presence of a valid user(name).
> 
> You need to go back to what the code looked like between 5.5.0 and
> 5.5.5. It was very different back then.

Apologies: it's noon and I'm still bleary-eyed. I was reading "5.5.0 -
5.5.5" as "5.0 - 5.5". The actual "fix" then truly occurred between
5.5.0 and 5.5.5 in the 5.5.x branch, and the most recent commit amounts
to both a performance optimization and triple-check that this type of
bug won't bite again anytime soon.

Thanks for clarifying (again).

-chris



Re: [SECURITY] CVE-2009-0580 Apache Tomcat User enumeration vulnerability with FORM authentication

Posted by Mark Thomas <ma...@apache.org>.
Christopher Schultz wrote:
>> For the JDBC and DataSource Realms, earlier versions (5.5.0 to 5.5.5 and
>> 4.1.0 to 4.1.31 with the DataSource Realm introduced in 4.1.17) are
>> vulnerable.
> 
> I'm afraid I still don't understand the vulnerability in 5.5's
> DataSourceRealm (the one I actually look at in detail): the NPE occurs
> (in the unpatched code) regardless of the presence of a valid user(name).

You need to go back to what the code looked like between 5.5.0 and
5.5.5. It was very different back then.

Mark





Re: [SECURITY] CVE-2009-0580 Apache Tomcat User enumeration vulnerability with FORM authentication

Posted by Christopher Schultz <ch...@christopherschultz.net>.
Mark,

On 6/5/2009 7:03 AM, Mark Thomas wrote:
> Christopher Schultz wrote:
>> Mark,
>>
>> On 6/3/2009 11:42 AM, Mark Thomas wrote:
>>> CVE-2009-0580: Tomcat information disclosure vulnerability
>> I know I'm likely to get a vague response, but could you provide some
>> more info about this issue?
> 
> I'm sorry you have that impression. As I hope you see from this thread,
> the Tomcat security team is more than happy to discuss any vulnerability
> in detail once the vulnerability has been made public.

I'm sorry my comment came off as annoyed or something like that. The
reason I made this "vague response" statement is because the last time I
asked about specifics of a particular security bugfix, you (I think)
said that the vulnerability was theoretical, the bugfix was basically to
prevent the possibility for exploitation, and that the vulnerability
wasn't directly demonstrable in the first place (which makes me question
the veracity of the claim in the first place).

I wasn't trying to be a troll.

Thanks for the response(s).

> You are correct that for the current DataSource and JDBC Realms that
> this is just a bug fix. However, for the MemoryRealm there is a test at
> line 150 that means the responses for a valid and invalid user when
> credentials are null are different. Valid users cause an NPE and a blank
> response. Invalid users get a login failed message.

Aah, I hadn't looked at MemoryRealm, specifically. I made the (foolish)
assumption that the changes in all the realms would be comparable.

> For the JDBC and DataSource Realms, earlier versions (5.5.0 to 5.5.5 and
> 4.1.0 to 4.1.31 with the DataSource Realm introduced in 4.1.17) are
> vulnerable.

I'm afraid I still don't understand the vulnerability in 5.5's
DataSourceRealm (the one I actually look at in detail): the NPE occurs
(in the unpatched code) regardless of the presence of a valid user(name).

-chris



Re: [SECURITY] CVE-2009-0580 Apache Tomcat User enumeration vulnerability with FORM authentication

Posted by Mark Thomas <ma...@apache.org>.
Christopher Schultz wrote:
> Mark,
> 
> On 6/3/2009 11:42 AM, Mark Thomas wrote:
>> CVE-2009-0580: Tomcat information disclosure vulnerability
> 
> I know I'm likely to get a vague response, but could you provide some
> more info about this issue?

I'm sorry you have that impression. As I hope you see from this thread,
the Tomcat security team is more than happy to discuss any vulnerability
in detail once the vulnerability has been made public.

>> j_username=tomcat&j_password=%
> 
> I'm not sure how the patch (I read the patch for TC5.5
> DataSourceRealm.java) changes anything at all: it appears to be merely a
> performance optimization.

Not quite.

> No changes are made to the behavior of Tomcat, since the same null is
> returned to the caller if the credentials do not match.

If the credentials are null (e.g. a password via FORM auth with invalid
encoding) then there is an NPE. It is as a result of lines 332/334
(5.5.x, post patch). If credentials is null then digest(credentials) is
also null which results in an NPE when we try
digest(credentials).equals(...)

The NPE isn't handled and results in a blank response back to
the client.

> I don't see any information disclosure vulnerability in the first place,
> and I don't see how your patch would have fixed it.

The patch stops this NPE from happening and ensures that users get a
"login failed" message rather than a blank screen.

You are correct that for the current DataSource and JDBC Realms that
this is just a bug fix. However, for the MemoryRealm there is a test at
line 150 that means the responses for a valid and invalid user when
credentials are null are different. Valid users cause an NPE and a blank
response. Invalid users get a login failed message.

For the JDBC and DataSource Realms, earlier versions (5.5.0 to 5.5.5 and
4.1.0 to 4.1.31 with the DataSource Realm introduced in 4.1.17) are
vulnerable.

I'll issue an update to the vulnerability notice to clarify this.

If you have any further questions, please do ask.

Mark



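The null-credential path Mark walks through above (the advisory's illegally URL-encoded password that decodes to a null parameter, reaching digest(credentials).equals(...) only for a username that exists), as an added Java illustration that is not Tomcat's code: a MemoryRealm-style authenticate() that looks the user up before comparing, beside a hardened form that rejects null input first. The user store, the identity digest() and the method names are constructed for the example.

```java
import java.security.Principal;
import java.util.Map;

// Added illustration, not Tomcat's code: constructed user store, identity digest().
public class RealmNullCredentialDemo {
    private static final Map<String, String> USERS = Map.of("tomcat", "s3cret");

    // Property Mark's reply relies on: digest(null) is null.
    static String digest(String credentials) {
        return credentials;
    }

    // Affected MemoryRealm-style flow: an unknown user returns null ("login failed");
    // a known user reaches digest(credentials).equals(...) and throws NullPointerException
    // when the password failed to decode, so only valid usernames get the blank response.
    static Principal authenticateVulnerable(String username, String credentials) {
        String stored = USERS.get(username);
        if (stored == null) return null;
        if (digest(credentials).equals(stored)) return () -> username; // NPE if credentials == null
        return null;
    }

    // Hardened flow: reject null input before any lookup, so valid and invalid
    // usernames take the same path and receive the same "login failed" response.
    static Principal authenticateFixed(String username, String credentials) {
        if (username == null || credentials == null) return null;
        String stored = USERS.get(username);
        if (stored != null && digest(credentials).equals(stored)) return () -> username;
        return null;
    }

    public static void main(String[] args) {
        for (String user : new String[] {"tomcat", "nobody"}) {
            String before;
            try {
                before = authenticateVulnerable(user, null) == null ? "login failed" : "ok";
            } catch (NullPointerException e) {
                before = "NullPointerException (blank response)";
            }
            String after = authenticateFixed(user, null) == null ? "login failed" : "ok";
            System.out.println(user + ": before=" + before + ", after=" + after);
        }
    }
}
```

Run it with `java RealmNullCredentialDemo.java` (Java 11+): only the "tomcat" row hits the exception before the fix, while both rows report "login failed" after it.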


Re: [SECURITY] CVE-2009-0580 Apache Tomcat User enumeration vulnerability with FORM authentication

Posted by Len Popp <le...@gmail.com>.
It looks to me like the change fixes an NPE when a null or nonsense
password is given. The NPE would allow an attacker to determine if a
username is valid (without having to know the password). Not the most
serious security breach, but login protocols aren't supposed to let
you guess usernames.
-- 
Len



On Thu, Jun 4, 2009 at 12:48, Christopher
Schultz<ch...@christopherschultz.net> wrote:
> Mark,
>
> On 6/3/2009 11:42 AM, Mark Thomas wrote:
>> CVE-2009-0580: Tomcat information disclosure vulnerability
>
> I know I'm likely to get a vague response, but could you provide some
> more info about this issue?
>
>> Due to insufficient error checking in some authentication classes,
>> Tomcat allows for the enumeration (brute force testing) of usernames by
>> supplying illegally URL encoded passwords.
>
> [snip]
>
>> j_username=tomcat&j_password=%
>
> I'm not sure how the patch (I read the patch for TC5.5
> DataSourceRealm.java) changes anything at all: it appears to be merely a
> performance optimization.
>
> No changes are made to the behavior of Tomcat, since the same null is
> returned to the caller if the credentials do not match.
>
> I don't see any information disclosure vulnerability in the first place,
> and I don't see how your patch would have fixed it.
>
> ??!
>
> -chris



Re: [SECURITY] CVE-2009-0580 Apache Tomcat User enumeration vulnerability with FORM authentication

Posted by Christopher Schultz <ch...@christopherschultz.net>.
Mark,

On 6/3/2009 11:42 AM, Mark Thomas wrote:
> CVE-2009-0580: Tomcat information disclosure vulnerability

I know I'm likely to get a vague response, but could you provide some
more info about this issue?

> Due to insufficient error checking in some authentication classes,
> Tomcat allows for the enumeration (brute force testing) of usernames by
> supplying illegally URL encoded passwords.

[snip]

> j_username=tomcat&j_password=%

I'm not sure how the patch (I read the patch for TC5.5
DataSourceRealm.java) changes anything at all: it appears to be merely a
performance optimization.

No changes are made to the behavior of Tomcat, since the same null is
returned to the caller if the credentials do not match.

I don't see any information disclosure vulnerability in the first place,
and I don't see how your patch would have fixed it.

??!

-chris
