
[REVS] NTLM HTTP Authentication is Insecure By Design: msg#00044


Subject: [REVS] NTLM HTTP Authentication is Insecure By Design

The following security advisory is sent to the securiteam mailing list, and can
be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html

- - - - - - - - -



NTLM HTTP Authentication is Insecure By Design
------------------------------------------------------------------------


SUMMARY

In "Meanwhile on the other side of the webserver" Amit surveyed some
possible attacks against a scenario wherein a proxy server is positioned
in front of a web server, and that proxy server shares a single TCP
connection to the server among several clients. In that write-up, Amit
mentioned several problems related to HTTP Request Smuggling
(http://www.watchfire.com/resources/HTTP-Request-Smuggling.pdf) and HTTP
Response Splitting
(http://www.sanctuminc.com/pdf/WhitePaper_HTTPResponse.pdf).

These are attacks that make use of non-RFC HTTP requests (HTTP Request
Smuggling) or inject unexpected data (CRLF) through the application into
the HTTP response stream (HTTP Response Splitting). In contrast, this
write-up discusses a completely different problem, one which is inherent
to the situation of a connection-oriented authentication/authorization
protocol (e.g. NTLM authentication) used with a proxy server that shares
TCP connections among several clients. Exploiting this vulnerability can
be performed with 100% RFC compliant HTTP requests, and without attacking
the application (i.e. without sending malicious data to the application).

DETAILS

Theory
In connection-oriented security, the authentication is associated with the
TCP connection rather than with the individual HTTP requests it transports.
As a result, a proxy server that shares a TCP connection to the server
among two clients may jeopardize the security of the web application: it
may send a first request (or a set of requests) carrying authentication /
authorization credentials from the first client, followed by a request
with no credentials from the second client, and the web server will
associate the privileges of the first request with the second request.

NTLM authentication is an example of such a connection-oriented security
scheme.
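The sequence described above, as an added example constructed for this write-up (not code from the advisory or from any NTLM implementation): a toy backend that binds the authenticated identity to the connection, a proxy that funnels every client over one backend connection, and a per-client-connection proxy as the mitigating configuration. The class and connection names (ConnectionAuthServer, SharingProxy, PerClientProxy, "backend-conn-*") are assumptions.

```python
# Simulation of connection-oriented (NTLM-style) HTTP authentication behind
# a connection-sharing proxy. Constructed example; no real NTLM handshake.

class ConnectionAuthServer:
    """Backend that binds the authenticated user to the TCP connection,
    as NTLM over HTTP does, rather than to each individual request."""

    def __init__(self):
        self.conn_identity = {}  # connection id -> authenticated user

    def handle(self, conn_id, headers):
        auth = headers.get("Authorization")
        if auth and auth.startswith("NTLM "):
            # Simplified: treat the token as an already-verified user name
            self.conn_identity[conn_id] = auth.split(" ", 1)[1]
        user = self.conn_identity.get(conn_id)
        # Once a connection is authenticated, later requests on it inherit
        # that identity even when they carry no credentials at all.
        return (200, user) if user else (401, None)


class SharingProxy:
    """Weak deployment: all clients are multiplexed onto ONE backend
    connection, so the server cannot tell the clients apart."""

    def __init__(self, server):
        self.server = server
        self.backend_conn = "backend-conn-shared"

    def forward(self, client, headers):
        return self.server.handle(self.backend_conn, headers)


class PerClientProxy:
    """Mitigation: one backend connection per client, so an authenticated
    connection is never reused for another client's traffic."""

    def __init__(self, server):
        self.server = server

    def forward(self, client, headers):
        return self.server.handle(f"backend-conn-{client}", headers)


def run_scenario(proxy_cls):
    """Client A authenticates; client B then sends a request with no
    credentials. Returns the server's answer to client B."""
    proxy = proxy_cls(ConnectionAuthServer())
    proxy.forward("A", {"Authorization": "NTLM alice"})
    return proxy.forward("B", {})
```

With the sharing proxy, client B's credential-less request is answered as "alice"; with per-client connections it is refused with 401.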