Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Thu, 12 Sep 2013 10:34:46 -0700
From: Seth Arnold <seth.arnold@...onical.com>
To: oss-security@...ts.openwall.com
Cc: security@...ntu.com, chuck.short@...onical.com
Subject: cve requests for python-oauth2

Hello Kurt, all, I recently gave python-oauth2 a quick audit and believe
it needs three CVE entries:

- _check_signature() ignores the nonce value when validating signed urls

    def _check_signature(self, request, consumer, token):
        timestamp, nonce = request._get_timestamp_nonce()
        self._check_timestamp(timestamp)
        signature_method = self._get_signature_method(request)

        try:
            signature = request.get_parameter('oauth_signature')
        except:
            raise MissingSignature('Missing oauth_signature.')

        # Validate the signature.
        valid = signature_method.check(request, consumer, token, signature)

        if not valid:
            key, base = signature_method.signing_base(request, consumer, token)

            raise Error('Invalid signature. Expected signature base '
                'string: %s' % base)

Ignoring the nonce value enables replay attacks.

This appears to already be known (ignoring the misleading title):
https://github.com/simplegeo/python-oauth2/issues/129

- _check_timestamp() does not constrain how far into the future times may be,
  (also does not prevent negative times, but probably not relevant for a CVE)

    def _check_timestamp(self, timestamp):
        """Verify that timestamp is recentish."""
        timestamp = int(timestamp)
        now = int(time.time())
        lapsed = now - timestamp
        if lapsed > self.timestamp_threshold:
            raise Error('Expired timestamp: given %d and now %s has a '
                'greater difference than threshold %d' % (timestamp, now,
                    self.timestamp_threshold))

The timestamps are probably most useful to limit the number of nonces
that must be stored and compared but it seems generally useful to prevent
timestamps from the distant future from being allowed.


- make_nonce(), generate_nonce(), and generate_verifier() use a poor prng:

    @classmethod
    def make_nonce(cls):
        """Generate pseudorandom number."""
        return str(random.randint(0, 100000000))


    def generate_nonce(length=8):
        """Generate pseudorandom number."""
        return ''.join([str(random.randint(0, 9)) for i in range(length)])
    
    
    def generate_verifier(length=8):
        """Generate pseudorandom number."""
        return ''.join([str(random.randint(0, 9)) for i in range(length)])

Nonces may not need full-blown /dev/urandom but the Python 'random'
documentation clearly states the results are repeatable. The lack of
seeding in this module makes me think this is too weak for this use.

The safety of oauth depends upon the verifier being unguessable, and
this is both too short, with too few character choices, and probably
does need full-blown /dev/urandom style randomness.

The poor PRNG for the nonce has been known since 2010-04-24 (silly github, 
hover your _mouse pointer_ over the "3 years ago" text in the bug report):
https://github.com/simplegeo/python-oauth2/issues/9


Thanks

Download attachment "signature.asc" of type "application/pgp-signature" (491 bytes)

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.