Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

local hostname leak with NTLM authentication #8859

Closed
bestrocker221 opened this issue May 16, 2022 · 3 comments
Closed

local hostname leak with NTLM authentication #8859

bestrocker221 opened this issue May 16, 2022 · 3 comments
Labels
authentication not-a-curl-bug This is not a bug in curl

Comments

@bestrocker221
Copy link

Hi, I am pretty sure this is by design, but I do not see the real reason behind it.
While using curl with --ntlm or --negotiate, the local hostname is sent out to the server.

This is seen in the NTLMSSP_AUTH packet.

Is this really needed? If so, I would be delighted to learn the reason.
It seems a bit like an unnecessary information leak.

curl/libcurl version

curl 7.82.0 (x86_64-pc-linux-gnu) libcurl/7.82.0 OpenSSL/1.1.1n zlib/1.2.11 brotli/1.0.9 zstd/1.4.9 libidn2/2.3.2 libpsl/0.21.0 (+libidn2/2.3.0) libssh2/1.10.0 nghttp2/1.43.0 librtmp/2.3 OpenLDAP/2.5.11

operating system

Debian 5.16.14
@bestrocker221
Copy link
Author

This is probably seen here:

  /* Get the machine's un-qualified host name as NTLM doesn't like the fully
     qualified domain name */
  if(Curl_gethostname(host, sizeof(host))) {
    infof(data, "gethostname() failed, continuing without!");
    hostlen = 0;
  }

@bagder bagder added authentication not-a-curl-bug This is not a bug in curl labels May 17, 2022
@bagder
Copy link
Member

bagder commented May 17, 2022

The host name is passed in the auth messaging, by design. Are you proposing we should rather invent a fake name to pass on? I don't know how much checking of the host name is actually done by real world servers.

NTLM is a horrible thing. Don't use it.

@elms elms mentioned this issue May 17, 2022
Merged
@bestrocker221
Copy link
Author

I see that Firefox for example, sets the hostname to "WORKSTATION".
Quickly reading the protocol description, it does not mention the hostname we are referring to, the 'workstation name' can be optionally supplied, when using negotiate but also, that is not a default.

I did a couple of tests with the NTLM auth and a fake hostname and it does not seem to have any effect, also, the nmap ntlm enumeration script sets the hostname to "null", for example.

I think that setting the hostname to either "WORKSTATION" or "null" can be an option and would not leak by default the host hostname. Of course more testing is ideal. Just a thought.

Thanks for the work with curl!

bagder added a commit that referenced this issue May 20, 2022
@bagder
ntlm: provide a fixed fake host name
1c220e3 
The NTLM protocol includes providing the local host name, but apparently
other implementations already provide a fixed fake name instead to avoid
leaking the real local name.

The exact name used is 'curlhost', picked for convenience because this
is the hostname we've set and used in local test cases so with using
this we don't have to update tests!

Fixes #8859
Reported-by: Carlo Alberto
@bagder bagder mentioned this issue May 20, 2022
Closed
@bagder bagder closed this as completed in 709ae24 May 20, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
authentication not-a-curl-bug This is not a bug in curl
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

ntlm: provide a fixed fake host name curl/curl
2 participants
@bagder @bestrocker221