#1 2015-10-28 00:04:28

hnb
Member
Registered: 2015-06-15
Posts: 290

Critical issue for authentication scheme

Hi,

When TSQLRestServerAuthenticationSSPI is registered (by the way, it is always registered for authentication), session_signature can be simply hacked (you only need to know the session ID) and the secure authentication scheme (TSQLRestServerAuthenticationDefault) is deactivated. There is no difference between calling:

http://localhost:8888/root/person?session_signature=01b37766d9dd3a618c74e85b

or

http://localhost:8888/root/person?session_signature=01b37766

or

http://localhost:8888/root/person?session_signature=01b37766_HACKED_xD

because inside the function TSQLRestServerURIContext.Authenticate, RetrieveSession from TSQLRestServerAuthenticationURI (the weak authentication scheme) is called, so RetrieveSession from TSQLRestServerAuthenticationSignedURI has no meaning...

Second problem: RestServer.AuthenticationRegister doesn't work correctly. When it is called outside the constructor, an exception is raised.

best regards,
Maciej Izak

Last edited by hnb (2015-10-28 00:05:05)




#2 2015-11-02 07:29:03

hnb
Member
Registered: 2015-06-15
Posts: 290

Re: Critical issue for authentication scheme

http://blog.synopse.info/post/2013/06/0 … horization

Could you correct the article (or add a warning)? "mORMot secure RESTful authentication" (TSQLRestServerAuthenticationDefault) does not exist when the aHandleUserAuthentication parameter is set to true, because TSQLRestServerAuthenticationSSPI is buggy as mentioned above.




#3 2015-11-02 07:41:10

Chaa
Member
Registered: 2011-03-26
Posts: 249

Re: Critical issue for authentication scheme

hnb wrote:

because inside the function TSQLRestServerURIContext.Authenticate, RetrieveSession from TSQLRestServerAuthenticationURI (the weak authentication scheme) is called, so RetrieveSession from TSQLRestServerAuthenticationSignedURI has no meaning...

RetrieveSession is virtual, and Authenticate calls TSQLRestServerAuthenticationSignedURI.RetrieveSession.
You can set a breakpoint at RetrieveSession and see it yourself.

[attached screenshot: RetrieveSession.png]


#4 2015-11-02 07:49:22

hnb
Member
Registered: 2015-06-15
Posts: 290

Re: Critical issue for authentication scheme

Yes, it is called, but RetrieveSession from TSQLRestServerAuthenticationSSPI is also called, and this is the main problem (look at the loop inside TSQLRestServerURIContext.Authenticate).




#5 2015-11-02 07:55:33

hnb
Member
Registered: 2015-06-15
Posts: 290

Re: Critical issue for authentication scheme

Even if RetrieveSession from TSQLRestServerAuthenticationSignedURI blocks an invalid signature, RetrieveSession from TSQLRestServerAuthenticationSSPI will allow it.

Last edited by hnb (2015-11-02 08:21:49)




#6 2015-11-02 08:27:37

Chaa
Member
Registered: 2011-03-26
Posts: 249

Re: Critical issue for authentication scheme

hnb wrote:

Yes, it is called, but RetrieveSession from TSQLRestServerAuthenticationSSPI is also called

There is no RetrieveSession in TSQLRestServerAuthenticationSSPI; it's inherited from TSQLRestServerAuthenticationSignedURI.
On the server side, SSPI auth works identically to TSQLRestServerAuthenticationSignedURI, except for the Auth call.

hnb wrote:

look at loop inside TSQLRestServerURIContext.Authenticate

TSQLRestServerAuthenticationSSPI and TSQLRestServerAuthenticationSignedURI work 100% identically at that point.


#7 2015-11-02 08:52:31

hnb
Member
Registered: 2015-06-15
Posts: 290

Re: Critical issue for authentication scheme

There is a RetrieveSession: TSQLRestServerAuthenticationSSPI inherits from TSQLRestServerAuthenticationURI, which contains RetrieveSession.

This loop inside TSQLRestServerURIContext.Authenticate will always pass an invalid signature (invalid means session_signature='Hexa8(SessionID)'; it should pass only session_signature='Hexa8(SessionID)+Hexa8(TimeStamp)+Hexa8(...)'):

        for i := 0 to length(Server.fSessionAuthentication)-1 do begin
          // every registered scheme is asked in turn
          aSession := Server.fSessionAuthentication[i].RetrieveSession(self);
          // the first scheme that returns a session wins; the others are not consulted
          if aSession<>nil then begin

Server.fSessionAuthentication contains two items/objects: one TSQLRestServerAuthenticationDefault and one TSQLRestServerAuthenticationSSPI.

For the TSQLRestServerAuthenticationDefault object, "Server.fSessionAuthentication[0].RetrieveSession(self);" will return nil, but for the second, TSQLRestServerAuthenticationSSPI object, "Server.fSessionAuthentication[1].RetrieveSession(self);" will return an object, and now aSession <> nil.

So when you set the aHandleUserAuthentication parameter to true for the TSQLRestServer, the weak authentication scheme is always used (session_signature='Hexa8(SessionID)' instead of session_signature='Hexa8(SessionID)+Hexa8(TimeStamp)+Hexa8(...)').

Last edited by hnb (2015-11-02 08:52:51)




#8 2015-11-02 09:23:52

Chaa
Member
Registered: 2011-03-26
Posts: 249

Re: Critical issue for authentication scheme

hnb wrote:

There is RetrieveSession, TSQLRestServerAuthenticationSSPI inherits from TSQLRestServerAuthenticationURI that contains RetrieveSession.

You are right.

TSQLRestServerAuthenticationSSPI inherits from TSQLRestServerAuthenticationURI, but it should inherit from TSQLRestServerAuthenticationSignedURI.

You can just change the code; it works in my code version:

TSQLRestServerAuthenticationSSPI = class(TSQLRestServerAuthenticationSignedURI)

Check-in http://synopse.info/fossil/info/f1e7198954 modified the base class for TSQLRestServerAuthenticationSSPI and broke session security.

We need to create a ticket about that.


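A constructed Python model, added here and not mORMot's own code, of the Authenticate loop quoted in post #7 and the base-class fix from post #8: while the SSPI scheme inherits from the weak URI scheme, a session_signature that is only Hexa8(SessionID) is accepted by the loop, and once its base class is the SignedURI scheme the same value is rejected. The session table and the HMAC-based Hexa8(...) part are assumptions standing in for mORMot's real session storage and signature algorithm.

```python
import hashlib
import hmac
import re

# Constructed model of the Authenticate loop and scheme hierarchy discussed
# in this thread; not mORMot's code. The HMAC stands in for the real signature.
SESSION_ID = 0x01B37766
SESSIONS = {SESSION_ID: b"constructed-per-session-secret"}   # id -> secret

class AuthenticationURI:
    """Weak scheme: trusts the leading Hexa8(SessionID) and nothing else."""
    def retrieve_session(self, signature):
        if not re.fullmatch(r"[0-9a-f]{8}", signature[:8]):
            return None
        sid = int(signature[:8], 16)
        return {"id": sid} if sid in SESSIONS else None

class AuthenticationSignedURI(AuthenticationURI):
    """Strict scheme: needs Hexa8(SessionID)+Hexa8(TimeStamp)+Hexa8(MAC)."""
    def retrieve_session(self, signature):
        session = super().retrieve_session(signature)
        if session is None or len(signature) != 24:
            return None
        mac = hmac.new(SESSIONS[session["id"]], signature[:16].encode(),
                       hashlib.sha256).hexdigest()[:8]
        ok = hmac.compare_digest(mac.encode(), signature[16:].encode())
        return session if ok else None

class AuthenticationSSPIBuggy(AuthenticationURI):
    """SSPI scheme with the base class the thread reports as broken."""
class AuthenticationSSPIFixed(AuthenticationSignedURI):
    """SSPI scheme after Chaa's one-line base-class change."""

def authenticate(schemes, signature):
    """Mirror of the loop in post #7: the first non-nil session wins."""
    for scheme in schemes:
        session = scheme.retrieve_session(signature)
        if session is not None:
            return session
    return None

def sign(sid, timestamp):
    """Client side: build a full 24-char signature for a known session."""
    head = f"{sid:08x}{timestamp:08x}"
    return head + hmac.new(SESSIONS[sid], head.encode(), hashlib.sha256).hexdigest()[:8]

BUGGY = [AuthenticationSignedURI(), AuthenticationSSPIBuggy()]   # weak scheme wins
FIXED = [AuthenticationSignedURI(), AuthenticationSSPIFixed()]   # strict everywhere
```

With BUGGY, authenticate() accepts the bare "01b37766" and "01b37766_HACKED_xD" values from post #1; with FIXED only a signature produced by sign() for a live session is accepted.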
#9 2015-11-02 10:38:29

ab
Administrator
From: France
Registered: 2010-06-21
Posts: 14,664

Re: Critical issue for authentication scheme

Should be fixed by http://synopse.info/fossil/info/a336f3a127

Thanks for the feedback.


#10 2015-11-04 18:54:56

hnb
Member
Registered: 2015-06-15
Posts: 290

Re: Critical issue for authentication scheme

Thanks Chaa and ab! Now everything works as expected :)



