This queue is for tickets about the Authen-Perl-NTLM CPAN distribution.

Report information
The Basics
Id: 63736
Status: open
Priority: 0/
Queue: Authen-Perl-NTLM

People
Owner: Nobody in particular
Requestors: pootek [...] tlen.pl
Cc:
AdminCc:

Bug Information
Severity: Important
Broken in:
  • 0.01
  • 0.02
  • 0.03
  • 0.04
  • 0.10
  • 0.11
  • 0.12
Fixed in: (no value)



Subject: Bug in NTLM challenge generation
Wrong domain-length is being put in challenge message. Currently it's computed as length($domain) but it should be length of unicoded domain (2x longer usually).

I attached the patch to fix this problem. Tested it and it's working for me.

Tested it on:
1. CentOS i386 2.6.18, perl 5.8.8, package version 0.12
2. WinXP x86, ActivePerl 5.8.9, package version 0.12

In order to observe the problem one can use some packet sniffer (I used Wireshark) and watch how it parsed "domain" field in NTLMSSP part of generated WWW-Authenticate header.

Cheers
Subject: NTLM.patch
--- /root/NTLM.pm 2010-12-08 12:00:06.000000000 +0100 +++ NTLM.pm 2010-12-08 12:02:33.000000000 +0100 @@ -241,16 +241,17 @@ my ($self) = @_; my $flags = pack("V", $_[1]); my $domain = $self->{'domain'}; + my $udomain = unicodify($domain); my $msg = NTLMSSP_SIGNATURE . chr(0); $self->{'cChallenge'} += 0x100; $msg .= pack("V", NTLMSSP_CHALLENGE); - $msg .= pack("v", length($domain)) . pack("v", length($domain)) . pack("V", 48); + $msg .= pack("v", length($udomain)) . pack("v", length($udomain)) . pack("V", 48); $msg .= $flags; $msg .= compute_nonce($self->{'cChallenge'}); $msg .= pack("VV", 0, 0); # 8 bytes of reserved 0s $msg .= pack("V", 0); # ServerContextHandleLower $msg .= pack("V", 0x3c); # ServerContextHandleUpper - $msg .= unicodify($domain); + $msg .= $udomain; return $msg; }
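Review bot: The length fields on the changed `pack("v", length($udomain))` line are only correct if unicodify() returns a byte string, and unicodify() is not visible in this hunk. length() counts characters rather than bytes for strings holding wide characters, so the result for a non-ASCII domain is worth confirming. The patch also adds no regression test; one that unpacks the two 16-bit fields after the message type and compares them with the number of bytes following offset 48 would keep the fields and the payload from drifting apart again. A short comment stating that both fields are byte counts of the encoded domain would help too.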
Subject: Re: [rt.cpan.org #63736] Bug in NTLM challenge generation
Date: Sat, 18 Dec 2010 00:51:20 -0800 (PST)
To: bug-Authen-Perl-NTLM [...] rt.cpan.org
From: Yee Man Chan <ymc [...] yahoo.com>
Can someone patch this for me???

Thanks
Yee Man

--- On Wed, 12/8/10, http://pootek.pip.verisignlabs.com/ via RT <bug-Authen-Perl-NTLM@rt.cpan.org> wrote:

> From: http://pootek.pip.verisignlabs.com/ via RT <bug-Authen-Perl-NTLM@rt.cpan.org>
> Subject: [rt.cpan.org #63736] Bug in NTLM challenge generation
> To:
> Date: Wednesday, December 8, 2010, 4:06 AM
>
> Wed Dec 08 07:06:32 2010: Request 63736 was acted upon.
> Transaction: Ticket created by http://pootek.pip.verisignlabs.com/
>        Queue: Authen-Perl-NTLM
>      Subject: Bug in NTLM challenge generation
>    Broken in: 0.01, 0.02, 0.03, 0.04, 0.10, 0.11, 0.12
>     Severity: Important
>        Owner: Nobody
>   Requestors: pootek@tlen.pl
>       Status: new
> Ticket <URL: https://rt.cpan.org/Ticket/Display.html?id=63736 >
>
> Wrong domain-length is being put in challenge message. Currently it's
> computed as length($domain) but it should be length of unicoded domain
> (2x longer usually).
> I attached the patch to fix this problem. Tested it and it's working for me.
> Tested it on:
> 1. CentOS i386 2.6.18, perl 5.8.8, package version 0.12
> 2. WinXP x86, ActivePerl 5.8.9, package version 0.12
>
> In order to observe the problem one can use some packet sniffer (I used
> Wireshark) and watch how it parsed "domain" field in NTLMSSP part of
> generated WWW-Authenticate header.
>
> Cheers
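What a receiver sees in the domain field with the old and the patched length value, as an added example (not code from the ticket or from the module). The sample domain, the nonce and the helper names `to_utf16le`, `build_challenge` and `parse_target_name` are constructed for illustration; `to_utf16le` assumes ASCII input and stands in for the module's `unicodify()`.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed sample domain; not taken from the ticket.
my $domain = "EXAMPLE";

# Stand-in for the module's unicodify(): ASCII to UTF-16LE (assumed behaviour).
sub to_utf16le { return join '', map { $_ . "\0" } split //, $_[0] }

# Build a challenge message with the field layout shown in the patch.
# $len is the value written into both 16-bit domain length fields.
sub build_challenge {
    my ($len) = @_;
    my $msg = "NTLMSSP\0";
    $msg .= pack("V", 2);                        # message type: challenge
    $msg .= pack("v", $len) . pack("v", $len) . pack("V", 48);
    $msg .= pack("V", 0x00000001);               # flags: negotiate Unicode
    $msg .= "\x01\x02\x03\x04\x05\x06\x07\x08";  # constructed 8-byte nonce
    $msg .= pack("VV", 0, 0);                    # 8 bytes of reserved 0s
    $msg .= pack("V", 0) . pack("V", 0x3c);      # context handle
    $msg .= to_utf16le($domain);
    return $msg;
}

# Read the domain the way a receiver does: trust the length and offset
# fields, then compare them with the bytes actually present.
sub parse_target_name {
    my ($msg) = @_;
    my ($sig, $type, $len, $maxlen, $offset) = unpack("a8 V v v V", $msg);
    die "not an NTLMSSP challenge\n" unless $sig eq "NTLMSSP\0" && $type == 2;
    die "domain runs past end of message\n" if $offset + $len > length($msg);
    my $raw = substr($msg, $offset, $len);
    (my $name = $raw) =~ s/\0//g;                # UTF-16LE back to ASCII
    my $trailing = length($msg) - ($offset + $len);
    return ($name, $trailing);
}

for my $case (["length(\$domain)",  length($domain)],
              ["length(\$udomain)", length(to_utf16le($domain))]) {
    my ($name, $trailing) = parse_target_name(build_challenge($case->[1]));
    printf "%-18s parsed domain=%-8s unaccounted trailing bytes=%d\n",
        $case->[0], $name, $trailing;
}
```

With the character-count length the parser stops halfway through the encoded domain and leaves the rest as unaccounted trailing bytes; with the byte length of the encoded string the whole domain is read and nothing is left over.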