Date:      Sat, 7 Aug 2021 15:06:45 +0000
From:      Katherine Mcmillan <kmcmi046@uottawa.ca>
To:        "freebsd-security@freebsd.org" <freebsd-security@freebsd.org>
Subject:   Re: bug in Lynx' SSL certificate validation -> leaks password in clear text via SNI (under some circumstances)
Message-ID:  <YTXPR0101MB12291D09D7F6F1D597CB4956E8F49@YTXPR0101MB1229.CANPRD01.PROD.OUTLOOK.COM>
In-Reply-To: <ab519dc0-7354-8e5-8855-ffea2534ea34@dereferenced.org>
References:  <Pine.BSM.4.64L.2108061711590.28219@herc.mirbsd.org> <20210807015102.ea4f5immh2l5ku4n@sym.noone.org> <Pine.BSM.4.64L.2108070210210.904@herc.mirbsd.org>, <ab519dc0-7354-8e5-8855-ffea2534ea34@dereferenced.org>


FYI

________________________________
From: Lynx-dev <lynx-dev-bounces+kmcmi046=uottawa.ca@nongnu.org> on behalf of Ariadne Conill <ariadne@dereferenced.org>
Sent: 07 August 2021 10:17
To: oss-security@lists.openwall.com <oss-security@lists.openwall.com>
Cc: Axel Beckert <abe@debian.org>; lynx-dev@nongnu.org <lynx-dev@nongnu.org>; security@debian.org <security@debian.org>; 991971@bugs.debian.org <991971@bugs.debian.org>
Subject: Re: [Lynx-dev] [oss-security] Re: bug in Lynx' SSL certificate validation -> leaks password in clear text via SNI (under some circumstances)

Hi,

On Sat, 7 Aug 2021, Thorsten Glaser wrote:

> Axel Beckert dixit:
>
>> This is more severe than it initially looked like: Due to TLS Server
>> Name Indication (SNI) the hostname as parsed by Lynx (i.e with
>> "user:pass@" included) is sent in _clear_ text over the wire even
>
> I *ALWAYS* SAID SNI IS A SHIT THING ONLY USED AS BAD EXCUSE FOR NAT
> BY PEOPLE WHO ARE TOO STUPID TO CONFIGURE THEIR SERVERS RIGHT AND AS
> BAD EXCUSE FOR LACKING IPv6 SUPPORT, AND THEN THE FUCKING IDIOTS WENT
> AND MADE SNI *MANDATORY* FOR TLSv1.3, AND I FEEL *SO* VINDICATED RIGHT
> NOW! IDIOTS IN CHARGE OF SECURITY, FUCKING IDIOTS…

It turns out SNI is only marginally related to this issue.  The issue
itself is far more severe: HTParse() does not understand the authn part of
the URI at all.  And so, when you call:

   HTParse("https://foo:bar@example.com", "", PARSE_HOST)

It returns:

   foo:bar@example.com

Which is then handed directly to SSL_set_tlsext_host_name() or
gnutls_server_name_set().  But it will also leak in the Host: header on
unencrypted connections, and also probably SSL ones too.

As a workaround, I taught HTParse() how to parse the authn part of URIs,
but Lynx itself needs to actually properly support the authn part really.

I have attached the patch Alpine is using to work around this infoleak.

Ariadne

[Attachment: fix-auth-data-leaks.patch (text/plain, 1480 bytes)]
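A host extraction that does what Ariadne describes HTParse() failing to do, as an added example that is neither Lynx's HTParse() nor the attached Alpine patch: it splits the authority so that the "user:pass@" userinfo (and any ":port") never reaches SSL_set_tlsext_host_name(), gnutls_server_name_set() or the Host: header. The function name uri_host is this example's own; it also covers bracketed IPv6 literals and an '@' that sits in the path rather than the authority.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not Lynx code: return only the host part of a URI's
 * authority, dropping any "user:pass@" userinfo and ":port" so that
 * credentials can never be handed to SNI or the Host: header.
 * Returns the host length, or -1 if the URI has no authority or the
 * output buffer is too small. */
int uri_host(const char *uri, char *host, size_t hostsz)
{
    const char *p = strstr(uri, "://");
    if (!p)
        return -1;
    const char *auth = p + 3;
    /* The authority ends at the first '/', '?' or '#'. An '@' after that
     * belongs to the path and must not be mistaken for userinfo. */
    const char *end = auth + strcspn(auth, "/?#");
    /* Userinfo, if present, ends at the LAST '@' inside the authority. */
    const char *at = NULL;
    for (const char *q = auth; q < end; q++)
        if (*q == '@')
            at = q;
    const char *h = at ? at + 1 : auth;
    const char *hend;
    if (*h == '[') {                    /* IPv6 literal: keep the brackets */
        hend = memchr(h, ']', (size_t)(end - h));
        if (!hend)
            return -1;
        hend++;
    } else {
        hend = memchr(h, ':', (size_t)(end - h)); /* strip ":port" if present */
        if (!hend)
            hend = end;
    }
    size_t hlen = (size_t)(hend - h);
    if (hlen == 0 || hlen >= hostsz)
        return -1;
    memcpy(host, h, hlen);
    host[hlen] = '\0';
    return (int)hlen;
}

int main(void)
{
    char host[256];
    /* The URI from the thread: the buggy behaviour yields "foo:bar@example.com";
     * here only "example.com" comes back for SNI and the Host: header. */
    if (uri_host("https://foo:bar@example.com", host, sizeof host) > 0)
        printf("SNI/Host: name = %s\n", host);
    return 0;
}
```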
