[squid-users] Problems with helper ntlm_fake_auth

From: Vonlanthen, Elmar <Elmar.Vonlanthen_at_united-security-providers.ch>
Date: Mon, 7 Oct 2013 09:54:49 +0000

Hello all

There are some problems with the helper module ntlm_fake_auth. I did the tests with Squid-3.2.13 but 3.3.9 is affected as well.

The first problem is that the NTLM response header of type "TT" is generated wrongly.

This one has been generated with the new helper ntlm_fake_auth:
ntlm_fake_auth.cc(219): pid=29811 :sending 'TT' to squid with data:
[0000] 4E 54 4C 4D 53 53 50 00 02 00 00 00 09 00 09 00 NTLMSSP. ........
[0010] 28 00 00 00 07 82 08 A2 CE 7D 62 FA 44 55 80 E0 ........ ..b.DU..
[0020] 00 00 00 00 00 00 3A 00 57 4F 52 4B 47 52 4F 55 ........ WORKGROU
[0030] 50 P

And this one with the old helper fakeauth_auth (which is working):
ntlm-auth[31700](fakeauth_auth.c:421): sending 'TT' to squid with data:
[0000] 4E 54 4C 4D 53 53 50 00 02 00 00 00 0A 00 0A 00 NTLMSSP. ........
[0010] 30 00 00 00 07 82 08 A2 7B E5 5C 0B 49 DB 6D 36 0....... ....I.m6
[0020] 00 00 00 00 00 00 00 00 00 00 00 00 3A 00 00 00 ........ ........
[0030] 00 00 00 00 00 00 00 00 00 00 00 00 ........ ....

It seems that the total length of the header is wrong and the character ":" (0x3a) is placed in the field "reserved". The client doesn't accept the packet with the new response header and sends a RST.

Now, if I tweak the header by setting authenticate_ntlm_domain to an empty string and tweaking the target value and payload, it is working (ugly workaround, I know):

diff -aur a/helpers/ntlm_auth/fake/ntlm_fake_auth.cc b/helpers/ntlm_auth/fake/ntlm_fake_auth.cc
--- a/helpers/ntlm_auth/fake/ntlm_fake_auth.cc 2013-09-30 11:48:40.231386531 +0200
+++ b/helpers/ntlm_auth/fake/ntlm_fake_auth.cc 2013-10-01 10:28:07.727699795 +0200
@@ -96,7 +96,7 @@
 #define SEND4(X,Y,Z,W) {debug("sending '" X "' to squid\n",Y,Z,W); printf(X "\n",Y,Z,W);}
 #endif
                                                                                                                                                                                                               
-const char *authenticate_ntlm_domain = "WORKGROUP";
+const char *authenticate_ntlm_domain = "";
 int strip_domain_enabled = 0;
 int NTLM_packet_debug_enabled = 0;
                                                                                                                                                                                                               
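Review bot: changing the default of authenticate_ntlm_domain from "WORKGROUP" to "" silences the symptom for every deployment rather than fixing the challenge layout. The working dump shows the old helper succeeding with a 10-byte all-zero target name at offset 0x30, while the new helper fails with a 9-byte name at offset 0x28, so the size and placement of the target buffer are what need correcting; keep the domain default and fix the layout instead.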
@@ -209,8 +209,14 @@
             } else {
                 ntlm_make_challenge(&chal, authenticate_ntlm_domain, NULL, nonce, NTLM_NONCE_LEN, NTLM_NEGOTIATE_ASCII);
             }
+ // doesn't work with this:
             // TODO: find out what this context means, and why only the fake auth helper contains it.
- chal.context_high = htole32(0x003a<<16);
+ //chal.context_high = htole32(0x003a<<16);
+ // twead payload, offset and length to get it working:
+ chal.payload[4] = 0x3a;
+ chal.target.offset = 48;
+ chal.target.len = 10;
+ chal.target.maxlen = 18;
                                                                                                                                                                                                               
             len = sizeof(chal) - sizeof(chal.payload) + le16toh(chal.target.maxlen);
             data = (char *) base64_encode_bin((char *) &chal, len);
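Review bot: the hard-coded target.offset = 48, target.len = 10, target.maxlen = 18 and the 0x3a written into payload[4] reproduce the byte layout of the working helper's dump (target at 0x30, 0x3a at offset 0x2c) only for an empty domain; with a non-empty authenticate_ntlm_domain the fixed length 10 no longer matches the string that ntlm_make_challenge placed in the payload, and len computed from target.maxlen below will be wrong. Derive offset, len and maxlen from the actual domain string, and explain (or drop) the 0x3a byte rather than moving it from context_high into the payload; the added comment also has "twead" for "tweak".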

In the code there is a comment "TODO: find out what this context means...". I think there is really some work to do. ;-)

Another problem is the presentation of domain and username. First, the domain was previously shown in uppercase. This could cause problems with case-sensitive ACLs:

diff -aur a/helpers/ntlm_auth/fake/ntlm_fake_auth.cc b/helpers/ntlm_auth/fake/ntlm_fake_auth.cc
--- a/helpers/ntlm_auth/fake/ntlm_fake_auth.cc 2013-09-30 11:48:40.231386531 +0200
+++ b/helpers/ntlm_auth/fake/ntlm_fake_auth.cc 2013-10-01 10:28:07.727699795 +0200
@@ -226,7 +232,7 @@
             } else if (ntlm_validate_packet(packet, NTLM_AUTHENTICATE) == NTLM_ERR_NONE) {
                 if (ntlm_unpack_auth((ntlm_authenticate *)packet, user, domain, decodedLen) == NTLM_ERR_NONE) {
                     lc(user);
- lc(domain);
+ //lc(domain);
                     if (strip_domain_enabled) {
                         SEND2("AF %s", user);
                     } else {
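Review bot: dropping lc(domain) while keeping lc(user) leaves the two halves of the AF reply with different case handling, and any existing ACL written against a lowercase domain changes behaviour silently. If case preservation is wanted, make it a command-line option like strip_domain_enabled a few lines below, with the old lowercase behaviour as the default, rather than commenting the call out.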

And the last problem is a wrong specification of the string length for domain and username. The last character of each string is missing. The problem is that the string length is initialized with -1:

diff -aur a/lib/ntlmauth/ntlmauth.cc b/lib/ntlmauth/ntlmauth.cc
--- a/lib/ntlmauth/ntlmauth.cc 2013-07-13 15:22:32.000000000 +0200
+++ b/lib/ntlmauth/ntlmauth.cc 2013-10-01 10:27:39.646919014 +0200
@@ -136,7 +136,7 @@
         /* UNICODE string */
         unsigned short *s = (unsigned short *)rv.str;
         rv.str = d = buf;
-
+ rv.l = 0;
         for (l >>= 1; l; s++, l--) {
             unsigned short c = le16toh(*s);
             if (c > 254 || c == '\0') {
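Review bot: rv.l = 0 fixes the off-by-one for the UNICODE branch, but the same reset is duplicated in the ASCII/OEM branch in the next hunk; initialising the length once where rv is declared (instead of -1) would cover both branches in one place. A one-line comment explaining why the previous -1 initialisation was wrong would also help the next reader, since it looks intentional.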
@@ -151,6 +151,7 @@
         /* ASCII/OEM string */
         char *sc = rv.str;
                                                                                                                                                                                                               
+ rv.l = 0;
         for (; l>=0; sc++, l--) {
             if (*sc == '\0' || !xisprint(*sc)) {
                 fprintf(stderr, "ntlmssp: bad ascii: %04x\n", *sc);
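Review bot: same point as in the UNICODE branch: rv.l = 0 belongs at the declaration of rv rather than in each branch. Separately, the loop condition `for (; l>=0; sc++, l--)` runs l+1 iterations for an l-byte string and so inspects one byte past it; that looks like it was written to pair with the old -1 initialisation and should be re-checked together with this change (l > 0 with rv.l starting at 0).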

Could you check these problems and fix them?

Thank you very much.

Best regards
Elmar

Received on Mon Oct 07 2013 - 09:55:10 MDT
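To make the layout problem in the first two dumps visible, here is a small decoder (an added example, not code from the post or from Squid) that parses the fixed part of the NTLM type 2 "TT" message using the MS-NLMP CHALLENGE_MESSAGE field names and flags the non-zero Reserved field and a target name that starts inside the 8-byte TargetInfoFields slot; the 48-byte payload boundary is taken from the working helper's dump, not from a specification assumption.

```python
import struct

# Both dumps are copied from the debug traces quoted in the post (offset and
# ASCII columns dropped). bytes.fromhex() ignores the spaces.
NEW_HELPER_TT = bytes.fromhex(
    "4E 54 4C 4D 53 53 50 00 02 00 00 00 09 00 09 00 "
    "28 00 00 00 07 82 08 A2 CE 7D 62 FA 44 55 80 E0 "
    "00 00 00 00 00 00 3A 00 57 4F 52 4B 47 52 4F 55 "
    "50")
OLD_HELPER_TT = bytes.fromhex(
    "4E 54 4C 4D 53 53 50 00 02 00 00 00 0A 00 0A 00 "
    "30 00 00 00 07 82 08 A2 7B E5 5C 0B 49 DB 6D 36 "
    "00 00 00 00 00 00 00 00 00 00 00 00 3A 00 00 00 "
    "00 00 00 00 00 00 00 00 00 00 00 00")

# Fixed header as laid out in MS-NLMP CHALLENGE_MESSAGE: Signature(8) MessageType(4)
# TargetNameFields(len,maxlen,offset) NegotiateFlags(4) ServerChallenge(8) Reserved(8)
HEADER = struct.Struct("<8sIHHII8s8s")   # 40 bytes, little-endian, no padding
SECBUF = struct.Struct("<HHI")           # one security-buffer descriptor
PAYLOAD_START = 48  # where the working helper starts its payload: after TargetInfoFields

def parse_challenge(msg):
    """Decode the fixed part of a TT message and list the layout problems found."""
    if len(msg) < HEADER.size:
        raise ValueError("shorter than the %d-byte fixed header" % HEADER.size)
    sig, mtype, tn_len, tn_max, tn_off, flags, chal, reserved = HEADER.unpack_from(msg)
    if sig != b"NTLMSSP\0" or mtype != 2:
        raise ValueError("not an NTLMSSP type 2 (challenge) message")
    problems = []
    if any(reserved):
        problems.append("reserved field is not zero: " + reserved.hex())
    if tn_off < PAYLOAD_START:
        problems.append("target name at offset %d overlaps the TargetInfoFields slot (40..47)" % tn_off)
    if tn_off + tn_max > len(msg):
        problems.append("target name buffer runs past the end of the %d-byte message" % len(msg))
    # TargetInfoFields can only be trusted when the payload does not overwrite them.
    target_info = SECBUF.unpack_from(msg, 40) if tn_off >= PAYLOAD_START else None
    return {
        "length": len(msg),
        "flags": flags,
        "challenge": chal.hex(),
        "reserved": reserved.hex(),
        "target_name": (tn_len, tn_max, tn_off, msg[tn_off:tn_off + tn_len]),
        "target_info": target_info,
        "problems": problems,
    }

if __name__ == "__main__":
    for name, msg in (("ntlm_fake_auth", NEW_HELPER_TT), ("fakeauth_auth", OLD_HELPER_TT)):
        info = parse_challenge(msg)
        print(name, info["length"], "bytes; target", info["target_name"], "; target_info", info["target_info"])
        for p in info["problems"]:
            print("  problem:", p)
```

Running it reports two problems for the new helper's message (Reserved ends in 3a 00, target name at offset 40) and none for the old helper's, whose TargetInfoFields decode as (0, 0, 58).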