Hi,
when TSQLRestServerAuthenticationSSPI is registered (btw. it is always registered for authentication), then session_signature can be simply hacked (you only need to know the session ID) and the secure authentication scheme (TSQLRestServerAuthenticationDefault) is deactivated. There is no difference between calling:
http://localhost:8888/root/person?session_signature=01b37766d9dd3a618c74e85b
or
http://localhost:8888/root/person?session_signature=01b37766
or
http://localhost:8888/root/person?session_signature=01b37766_HACKED_xD
because inside the function TSQLRestServerURIContext.Authenticate, RetrieveSession from TSQLRestServerAuthenticationURI (weak authentication scheme) is called, so RetrieveSession from TSQLRestServerAuthenticationSignedURI has no meaning...
Second problem: RestServer.AuthenticationRegister doesn't work correctly. When it is called outside the constructor, an exception is raised.
best regards,
Maciej Izak
Last edited by hnb (2015-10-28 00:05:05)
http://blog.synopse.info/post/2013/06/0 … horization
Could you correct the article (or add a warning)? "mORMot secure RESTful authentication" (TSQLRestServerAuthenticationDefault) does not exist when the aHandleUserAuthentication parameter is set to true, because TSQLRestServerAuthenticationSSPI is buggy as mentioned above.
best regards,
Maciej Izak
because inside the function TSQLRestServerURIContext.Authenticate, RetrieveSession from TSQLRestServerAuthenticationURI (weak authentication scheme) is called, so RetrieveSession from TSQLRestServerAuthenticationSignedURI has no meaning...
RetrieveSession is virtual, and from Authenticate, TSQLRestServerAuthenticationSignedURI.RetrieveSession is called.
You can set a breakpoint at RetrieveSession and see it yourself.
Yes, it is called, but RetrieveSession from TSQLRestServerAuthenticationSSPI is also called <- and this is the main problem (look at the loop inside TSQLRestServerURIContext.Authenticate).
best regards,
Maciej Izak
Even if RetrieveSession from TSQLRestServerAuthenticationSignedURI blocks an invalid signature, RetrieveSession from TSQLRestServerAuthenticationSSPI will allow the invalid signature.
Last edited by hnb (2015-11-02 08:21:49)
best regards,
Maciej Izak
Yes, it is called, but RetrieveSession from TSQLRestServerAuthenticationSSPI is also called
There is no RetrieveSession in TSQLRestServerAuthenticationSSPI; it's inherited from TSQLRestServerAuthenticationSignedURI.
On the server side, SSPI auth works identically to TSQLRestServerAuthenticationSignedURI, except for the Auth call.
look at the loop inside TSQLRestServerURIContext.Authenticate
TSQLRestServerAuthenticationSSPI and TSQLRestServerAuthenticationSignedURI work 100% identically at that point.
There is a RetrieveSession: TSQLRestServerAuthenticationSSPI inherits from TSQLRestServerAuthenticationURI, which contains RetrieveSession.
This loop inside TSQLRestServerURIContext.Authenticate will always pass an invalid signature (invalid means session_signature='Hexa8(SessionID)'; it should pass only session_signature='Hexa8(SessionID)+Hexa8(TimeStamp)+Hexa8(...)'):
for i := 0 to length(Server.fSessionAuthentication)-1 do begin
  aSession := Server.fSessionAuthentication[i].RetrieveSession(self);
  if aSession<>nil then begin
    // ...
Server.fSessionAuthentication contains two items/objects: one TSQLRestServerAuthenticationDefault and one TSQLRestServerAuthenticationSSPI.
For the TSQLRestServerAuthenticationDefault object, "Server.fSessionAuthentication[0].RetrieveSession(self);" will return nil, but for the second object, TSQLRestServerAuthenticationSSPI, "Server.fSessionAuthentication[1].RetrieveSession(self);" will return an object, and now aSession <> nil.
So when you set the aHandleUserAuthentication parameter to true for the TSQLRestServer, the weak authentication scheme is always used (session_signature='Hexa8(SessionID)' instead of session_signature='Hexa8(SessionID)+Hexa8(TimeStamp)+Hexa8(...)').
Last edited by hnb (2015-11-02 08:52:51)
best regards,
Maciej Izak
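The loop described in the post above, modelled as a small Python simulation (added here; this is not mORMot's own code). It assumes two stand-in scheme classes, a constructed session id and key, and a placeholder HMAC in place of mORMot's real signature hash; it shows why a registered scheme that only checks Hexa8(SessionID) lets a truncated or mangled session_signature through, and why re-basing the SSPI scheme on the signed one closes that gap.

```python
import hashlib
import hmac

SESSION_ID = 0x01B37766                    # constructed sample session id
SESSION_KEY = b"constructed-session-key"   # stands in for the session's private key


def hexa8(v: int) -> str:
    return f"{v & 0xFFFFFFFF:08x}"


class URIAuth:
    """Weak scheme: only Hexa8(SessionID) is checked; anything after it is ignored."""
    def retrieve_session(self, signature: str):
        try:
            sid = int(signature[:8], 16)
        except ValueError:
            return None
        return sid if sid == SESSION_ID else None


class SignedURIAuth(URIAuth):
    """Signed scheme: Hexa8(SessionID)+Hexa8(TimeStamp)+Hexa8(MAC) must verify."""
    def retrieve_session(self, signature: str):
        if len(signature) != 24 or any(c not in "0123456789abcdef" for c in signature):
            return None
        if int(signature[:8], 16) != SESSION_ID:
            return None
        expected = mac(signature[:16])
        return SESSION_ID if hmac.compare_digest(expected, signature[16:]) else None


def mac(prefix: str) -> str:
    # placeholder MAC; mORMot's real scheme uses its own hash over the private key
    return hmac.new(SESSION_KEY, prefix.encode(), hashlib.sha256).hexdigest()[:8]


def sign(timestamp: int) -> str:
    prefix = hexa8(SESSION_ID) + hexa8(timestamp)
    return prefix + mac(prefix)


def authenticate(schemes, signature):
    # models the loop in TSQLRestServerURIContext.Authenticate:
    # the first registered scheme that returns a session wins
    for scheme in schemes:
        session = scheme.retrieve_session(signature)
        if session is not None:
            return type(scheme).__name__
    return None


# before the fix the SSPI scheme inherited the weak URIAuth; after it inherits SignedURIAuth
BEFORE_FIX = [SignedURIAuth(), URIAuth()]
AFTER_FIX = [SignedURIAuth(), SignedURIAuth()]
```

With BEFORE_FIX the bare session id and the mangled signature from the first post both authenticate through the weak scheme; with AFTER_FIX only a properly signed value does.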
There is a RetrieveSession: TSQLRestServerAuthenticationSSPI inherits from TSQLRestServerAuthenticationURI, which contains RetrieveSession.
You are right.
TSQLRestServerAuthenticationSSPI inherits from TSQLRestServerAuthenticationURI, but it should inherit from TSQLRestServerAuthenticationSignedURI.
You can just change the code; it works in my code version:
TSQLRestServerAuthenticationSSPI = class(TSQLRestServerAuthenticationSignedURI)
Check-in http://synopse.info/fossil/info/f1e7198954 modified the base class for TSQLRestServerAuthenticationSSPI and broke session security.
We need to create a ticket about that.
Should be fixed by http://synopse.info/fossil/info/a336f3a127
Thanks for the feedback.
Thanks Chaa and ab! Now everything works as expected.
best regards,
Maciej Izak