Proxy Authentication Flaw

Wednesday, August 17, 2016 @ 12:08 PM gHale


There is a vulnerability that allows an attacker to gain a man-in-the-middle (MitM) position and intercept HTTPS traffic.

The attack is possible because of flaws in the implementation of proxy authentication procedures in various products, said researcher Jerry Decime, principal strategist and researcher at Hewlett Packard.

RELATED STORIES
‘Misbehaving’ Tor Nodes Found
Updated Tor Browser Releases
Exploit Kit Hides with Tor
Ransomware Masked as Rockwell Update

There is a flaw in how applications from several vendors respond to HTTP CONNECT requests via HTTP/1.0 407 Proxy Authentication Required responses, Decime said.

This flaw manifests itself only in network environments where users utilize proxy connections to get online. This occurs in enterprise networks where companies deploy powerful firewalls.

Decime said an attacker in a compromised network and has the ability to listen to proxy traffic can sniff for HTTP CONNECT requests sent to the local proxy.

When the attacker detects one of these requests, they reply instead of the real proxy server and issue a 407 Proxy Authentication Required response, asking the user for a password to access a specific service.

Because the HTTP CONNECT requests end up unencrypted, the attacker knows when the victim wants to access sensitive accounts such as email or Intranet servers, even if those services are via HTTPS.

The attacker can force the user to authenticate, sending the responses to them instead. That is why the researchers came up with the FalseCONNECT moniker.

“WebKit-based clients are vulnerable to additional vectors due to the fact that HTML markup and JavaScript are rendered by the client Document Object Model (DOM) in the context of the originally requested HTTPS domain,” a US-CERT alert said.

WebKit is in software such as Chrome, iTunes, Google Drive, Safari, and other mobile applications.

Multiple software vendors deploy applications that can handle proxy connections. Until now, Apple, Microsoft, Oracle, and Opera have acknowledged their products suffer from the issue. Lenovo said this bug does not impact its software.

Technical details about this flaw are on a dedicated website. US-CERT has also issued an alert, in which users can track vendor responses for the FalseCONNECT vulnerability.