Opened 5 years ago

Closed 5 years ago

#825 closed defect (worksforme)

NTLM option in upstream module allows authentication bypass

Reported by: pantsman0@…
Owned by:
Priority: major
Milestone:
Component: nginx-module
Version: 1.9.x
Keywords: upstream ntlm authentication bypass
Cc:
uname -a: Linux redacted.ap-southeast-2.compute.internal 2.6.32-573.7.1.el6.x86_64 #1 SMP Thu Sep 10 13:42:16 EDT 2015 x86_64 x86_64 x86_64 GNU/Linux
nginx -V: nginx version: nginx/1.9.4 (nginx-plus-r7-p1)
built by gcc 4.4.7 20120313 (Red Hat 4.4.7-16) (GCC)
built with OpenSSL 1.0.1e-fips 11 Feb 2013
TLS SNI support enabled
configure arguments: --build=nginx-plus-r7-p1 --prefix=/etc/nginx/ --sbin-path=/usr/sbin/nginx --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --pid-path=/var/run/nginx.pid --lock-path=/var/run/nginx.lock --http-client-body-temp-path=/var/cache/nginx/client_temp --http-proxy-temp-path=/var/cache/nginx/proxy_temp --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp --http-scgi-temp-path=/var/cache/nginx/scgi_temp --user=nginx --group=nginx --with-http_ssl_module --with-http_spdy_module --with-http_realip_module --with-http_addition_module --with-http_sub_module --with-http_dav_module --with-http_flv_module --with-http_mp4_module --with-http_gzip_static_module --with-http_gunzip_module --with-http_random_index_module --with-http_secure_link_module --with-http_stub_status_module --with-http_auth_request_module --with-mail --with-mail_ssl_module --with-threads --with-file-aio --with-ipv6 --with-stream --with-stream_ssl_module --with-http_f4f_module --with-http_session_log_module --with-http_hls_module --with-cc-opt='-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -m64 -mtune=generic'

Description

When using the upstream module with ntlm authentication, users are able to bypass authentication by inheriting a backend connection for an authenticated user.

Connections from a connection pool should not be returned when using ntlm authentication, as users are authenticated against that socket.

This has been observed in all tested browsers.
Tested browsers are:

  • Chrome
  • Firefox
  • Internet Explorer 11
  • Microsoft Edge
  • Safari

All browsers are fully updated as of submission time.

Please find attached a sample configuration that imitates our testing environment where the issue occurs.

Attachments (1)

sample_ntlm_upstream.conf (636 bytes) - added by pantsman0@… 5 years ago.
sample configuration file


Change History (9)

comment:1 by Roman Arutyunyan, 5 years ago

Please describe how you observe the issue. In ntlm proxy mode nginx does not share upstream connections with other clients.

comment:2 by pantsman0@…, 5 years ago (in reply to comment:1)

The issue does not occur when you are actively accessing the site.

If user A and user B are using the site at the same time, they will both have their own connections with their own authentication.

However, if user A accesses the site, closes their web browser, and then user B accesses the site, then it is possible (even probable, depending on the size of the backend pool) that user B will inherit user A's connection to the backend service.

This issue is exacerbated with quick access.
If I access the site from one PC and then close the site, and I ask my coworker next to me to navigate to the site immediately after I close it, they will have a very high likelihood of inheriting my connection.

comment:3 by Roman Arutyunyan, 5 years ago

Your config obviously has wrong syntax - missing semicolons in the upstream{} block.

Please check you don't have a (forward) proxy between your office network and nginx. That proxy can keep an http keepalive connection to nginx. Also, please set up debug logging in nginx to see what's actually going on with client connections at nginx side.

by pantsman0@…, 5 years ago

Attachment: sample_ntlm_upstream.conf added

sample configuration file

comment:4 by nick, 5 years ago

NGINX Plus is fully supported software.

You can receive very quick response from our support team.
Please review your NGINX Support agreement and open a ticket.

If you don't have a support contract please contact your account manager.

comment:5 by pantsman0@…, 5 years ago (in reply to comment:3)

arut:
I have updated the sample configuration file to remove the typos.
I ran the nginx server with the debug option on the error and access logs, but I was unable to locate useful information. I will test over the weekend when there aren't users on the system.

nick:
The environment is using NGINX+ with an hourly license on AWS.
Does this configuration include support, or would we require a separate support contract for further direct support? I am invested in this as a bug-fix issue, but since a workaround has been developed my employer wouldn't be particularly motivated to pay extra for this support.

comment:6 by Roman Arutyunyan, 5 years ago

Use logs to figure out if the second request belongs to the same nginx connection as the one it received NTLM authentication from. An nginx debug log entry usually has a connection id following an asterisk.
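
One way to do the correlation suggested above, as an added example that is not part of the ticket and not nginx's own tooling: it groups debug-log lines by the `*N` connection id and lists the requests that arrived on a client connection after that connection had already presented an NTLM/Negotiate header. The log lines are constructed for the example, and every message text other than the `*N` connection id is an assumption about nginx's debug format.

```python
import re
from collections import OrderedDict

# Constructed sample in nginx debug-log style. Only the "*<id>" connection id
# after the pid#tid field comes from the ticket; the message texts are assumed.
SAMPLE_LOG = """\
2015/10/20 09:00:00 [debug] 1234#0: *5 accept: 10.0.0.11:51000 fd:8
2015/10/20 09:00:00 [debug] 1234#0: *5 http request line: "GET /app HTTP/1.1"
2015/10/20 09:00:01 [debug] 1234#0: *5 http header: "Authorization: NTLM <token-placeholder>"
2015/10/20 09:00:20 [debug] 1234#0: *5 http request line: "GET /app/data HTTP/1.1"
2015/10/20 09:00:30 [debug] 1234#0: *9 accept: 10.0.0.12:40222 fd:9
2015/10/20 09:00:30 [debug] 1234#0: *9 http request line: "GET /app HTTP/1.1"
"""

LINE_RE = re.compile(r'\[debug\] \d+#\d+: \*(\d+) (.*)$')
AUTH_RE = re.compile(r'http header: "Authorization: (NTLM|Negotiate) ')
REQ_RE = re.compile(r'http request line: "(\S+) (\S+) ')


def summarize(log_text):
    """Group debug lines by client connection id and record, per request,
    whether that connection had already carried an NTLM/Negotiate header."""
    conns = OrderedDict()
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        cid, msg = int(m.group(1)), m.group(2)
        c = conns.setdefault(cid, {"peer": None, "ntlm_seen": False, "requests": []})
        if msg.startswith("accept: "):
            c["peer"] = msg.split()[1]        # client ip:port of this connection
        elif AUTH_RE.search(msg):
            c["ntlm_seen"] = True             # handshake presented on this connection
        else:
            r = REQ_RE.search(msg)
            if r:
                c["requests"].append((r.group(1) + " " + r.group(2), c["ntlm_seen"]))
    return conns


def requests_riding_authenticated_connection(conns):
    """Requests that arrived on a client connection after it had already
    presented NTLM. Each one should be matched to the person who sent it: if
    a different user sent it, a shared hop in front of nginx (such as a forward
    proxy holding one keepalive connection) is carrying more than one user."""
    return [(cid, c["peer"], req) for cid, c in conns.items()
            for req, after_auth in c["requests"] if after_auth]
```

Point `summarize` at a real debug log once the message patterns have been checked against it; the second function then gives the short list of requests worth matching to actual users.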

comment:7 by nick, 5 years ago

pantsman0,

You need to activate your NGINX Plus Support as described here:

https://www.nginx.com/resources/admin-guide/setting-nginx-plus-environment-amazon-ec2/

Please read and click on "AMI Support Activation" link, then follow the instructions to open the support case.

comment:8 by Maxim Dounin, 5 years ago

Resolution: worksforme
Status: new → closed

Feedback timeout. Please use the support options provided if you still have problems with understanding how NTLM authentication works and how to configure it correctly.
