NetX HTTP Basic Authentication faulty behaviour

Hello everyone,

I've implemented an HTTPS web server on S7G2 using SSP 2.2.0.

The web server is running fine and answering all requests that I have sent from the Google Chrome web browser.

Because authentication is required I have also enabled the NX_WEB_HTTP_BASIC_AUTHENTICATE for my webserver.

At first glance authentication seems to work fine:

Entering a wrong name or password makes authentication fail, and the web server requests a new authentication.

After entering the correct name and password the authentication succeeds and permission to requested resources is granted.

So far so good.

Now I have realized that authentication can be "bypassed" by not entering any password.

After taking a look into the code of NetX function nx_web_http_server_basic_authenticate() it seems the while loop comparing names and passwords is faulty.

It seems the code is only checking if the actually received characters of name and password from client match the set characters of name and password from HTTP authentication callback but not checking if received name and password have different length from configured ones.

 

Here's a small example. This is my authentication callback:

UINT webserverAuthenticationCallback(NX_WEB_HTTP_SERVER *serverPtr, UINT requestType, CHAR *resourcePtr, CHAR **name, CHAR **password, CHAR **realm){
    *name = const_cast<char*>("user");
    *password = const_cast<char*>("password");
    *realm = const_cast<char*>("my realm");

    return(NX_WEB_HTTP_BASIC_AUTHENTICATE);
}

The following shows the results after trying to login to webserver:

Login with name "user" and password "password" succeeds.

Login with name "user" and password "wrong" fails.

Login with name "user" and password "pass" succeeds.

Login with name "user" and password "" (blank) succeeds too.

Am I missing something here, or has anyone had experience with this behaviour?

Any help will be gladly appreciated.

Regards,

thors

  • Hi .

    It looks like a bug that we'll report. But did you implement your own logic to match the lengths? Let us know.

    Thanks,
    Jayesh

  • Hi ,

    thanks for your response.

    For now I have just added a quick verification to check that the submitted password is at least as big as the required password. The following code shows a snippet from the NetX function nx_web_http_server_basic_authenticate() where I added the code in green colour:

    ...
    /* Now compare the passwords. */
    j = 0;
    match = NX_TRUE;
    while (password_ptr[j] && (i < authorization_decoded_size))
    {

        /* Is there a mismatch? */
        if (password_ptr[j] != authorization_decoded[i])
        {

            /* Password mismatch. Continue to avoid timing attack. */
            match = NX_FALSE;
        }

        /* Move to next character. */
        i++;
        j++;
    }

    /* Bugfix: Verify that the size of received password is at least the size of required password. */
    if (strlen(password_ptr) != j) {
        match= NX_FALSE;
    }


    /* Determine if we have a match. */
    if (match && (i == authorization_decoded_size) && (authorization_decoded[i] == (CHAR) NX_NULL))
    {

        /* Yes, we have successful authorization!! */
        status = NX_SUCCESS;
    }
    ...

    Passwords exceeding the length of the required password will be detected by the condition (authorization_decoded[i] == (CHAR) NX_NULL) in the if-statement.

    Best regards,
    thors
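
A stand-alone C model of the password comparison discussed in this thread, added here as an illustration (it is not NetX source and not code from either poster). The function names, the `length_check` flag and the sample inputs are assumptions of this example; it runs the logins from the first post through the quoted loop with and without the added length test, next to an alternative that folds the length into the comparison.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Model of the password loop quoted above. length_check = 0 gives the loop
   without the poster's added strlen() test, 1 includes it. As in the quoted
   code, received[received_len] must be a readable NUL terminator. */
int compare_as_quoted(const char *expected, const char *received,
                      size_t received_len, int length_check)
{
    size_t i = 0, j = 0;
    int match = 1;
    while (expected[j] && (i < received_len)) {
        if (expected[j] != received[i])
            match = 0;              /* keep looping, no early exit */
        i++;
        j++;
    }
    if (length_check && strlen(expected) != j)
        match = 0;                  /* received value ended before expected did */
    return match && (i == received_len) && (received[i] == '\0');
}

/* Alternative: treat a length difference as a mismatch from the start and
   fold every received byte into one accumulator, so no prefix can pass. */
int compare_hardened(const char *expected, const char *received,
                     size_t received_len)
{
    size_t expected_len = strlen(expected);
    unsigned char diff = (unsigned char)(expected_len != received_len);
    for (size_t i = 0; i < received_len; i++) {
        /* modulo keeps the index in bounds when the lengths differ */
        unsigned char e = expected_len ? (unsigned char)expected[i % expected_len] : 0;
        diff |= (unsigned char)(e ^ (unsigned char)received[i]);
    }
    return diff == 0;
}

int main(void)
{
    /* Constructed inputs: the four logins from the first post plus an overlong one. */
    const char *tries[] = { "password", "wrong", "pass", "", "passwordX" };
    for (size_t k = 0; k < sizeof tries / sizeof tries[0]; k++)
        printf("%-10s quoted=%d with_check=%d hardened=%d\n", tries[k],
               compare_as_quoted("password", tries[k], strlen(tries[k]), 0),
               compare_as_quoted("password", tries[k], strlen(tries[k]), 1),
               compare_hardened("password", tries[k], strlen(tries[k])));
    return 0;
}
```

The same comparison applies to the user name, which the thread does not show; any regression test for the fix should cover an empty and a truncated value for both fields.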
