local hostname leak with NTLM authentication #8859

Closed
bestrocker221 opened this issue May 16, 2022 · 3 comments

Comments

bestrocker221 commented May 16, 2022

Hi, I am pretty sure this is by design, but I do not see the real reason behind it.
While using curl with --ntlm or --negotiate, the local hostname is sent out to the server.

This is seen in the NTLMSSP_AUTH packet.

Is this really needed? If so, I would be delighted to learn the reason.
It seems a bit like an unnecessary information leak.

curl/libcurl version

curl 7.82.0 (x86_64-pc-linux-gnu) libcurl/7.82.0 OpenSSL/1.1.1n zlib/1.2.11 brotli/1.0.9 zstd/1.4.9 libidn2/2.3.2 libpsl/0.21.0 (+libidn2/2.3.0) libssh2/1.10.0 nghttp2/1.43.0 librtmp/2.3 OpenLDAP/2.5.11

operating system

Debian 5.16.14

bestrocker221 (Author) commented May 16, 2022

This is probably seen here:

  /* Get the machine's un-qualified host name as NTLM doesn't like the fully
     qualified domain name */
  if(Curl_gethostname(host, sizeof(host))) {
    infof(data, "gethostname() failed, continuing without!");
    hostlen = 0;
  }

bagder (Member) commented May 17, 2022

The host name is passed in the auth messaging, by design. Are you proposing we should rather invent a fake name to pass on? I don't know how much checking of the host name is actually done by real world servers.

NTLM is a horrible thing. Don't use it.

bestrocker221 (Author) commented May 18, 2022

I see that Firefox, for example, sets the hostname to "WORKSTATION".
Quickly reading the protocol description, it does not mention the hostname we are referring to; the 'workstation name' can optionally be supplied when using negotiate, but that is not a default either.

I did a couple of tests with the NTLM auth and a fake hostname and it does not seem to have any effect; also, the nmap ntlm enumeration script sets the hostname to "null", for example.

I think that setting the hostname to either "WORKSTATION" or "null" can be an option and would not leak by default the host hostname. Of course more testing is ideal. Just a thought.

Thanks for the work with curl!

bagder added a commit that referenced this issue May 20, 2022
The NTLM protocol includes providing the local host name, but apparently
other implementations already provide a fixed fake name instead to avoid
leaking the real local name.

The exact name used is 'curlhost', picked for convenience because this
is the hostname we've set and used in local test cases so with using
this we don't have to update tests!

Fixes #8859
Reported-by: Carlo Alberto
@bagder bagder closed this as completed in 709ae24 May 20, 2022
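To check what a given client actually puts in the Workstation field, it is enough to decode its NTLMSSP AUTHENTICATE (Type 3) message, which is the NTLMSSP_AUTH packet mentioned above and, over HTTP, the base64 blob in the `Authorization: NTLM ...` header. The script below is an added example, not curl's code and not part of this issue: it builds a minimal Type 3 message with a chosen workstation name (dummy challenge responses, constructed inline, not a real capture), parses the field descriptors as laid out in MS-NLMP 2.2.1.3, and reports whether the Workstation field matches the machine's own unqualified host name. The helper and function names (`build_authenticate`, `parse_authenticate`, `leaks_local_hostname`, `workstation_from_authorization`) are this example's own.

```python
"""Inspect the Workstation name carried in an NTLM AUTHENTICATE (Type 3) message.

Added example, not curl's code. Offsets follow MS-NLMP 2.2.1.3:
  0  Signature "NTLMSSP\0"        8  MessageType (3)
  12 LmChallengeResponseFields    20 NtChallengeResponseFields
  28 DomainNameFields             36 UserNameFields
  44 WorkstationFields            52 EncryptedRandomSessionKeyFields
  60 NegotiateFlags               64 payload (Version/MIC omitted here)
Each *Fields descriptor is Len:u16, MaxLen:u16, BufferOffset:u32, little-endian.
"""
import base64
import struct

NTLMSSP_SIGNATURE = b"NTLMSSP\x00"
AUTHENTICATE_MESSAGE = 3
NTLMSSP_NEGOTIATE_UNICODE = 0x00000001  # strings are UTF-16LE when set, else OEM/ASCII
HEADER_LEN = 64                         # signature + type + 6 descriptors + flags

# Payload order used by this example (the descriptors make the order arbitrary on the wire).
FIELD_NAMES = ("lm_response", "nt_response", "domain", "user", "workstation", "session_key")
STRING_FIELDS = {"domain", "user", "workstation"}


def _descriptor(length, offset):
    """Len, MaxLen, BufferOffset for one variable-length field."""
    return struct.pack("<HHI", length, length, offset)


def build_authenticate(domain, user, workstation, nt_response, lm_response=b"",
                       flags=NTLMSSP_NEGOTIATE_UNICODE):
    """Assemble a minimal Type 3 message carrying the given workstation name.

    The challenge responses are passed in by the caller; this example uses zero
    bytes for them, which is a constructed placeholder, not valid authentication.
    """
    enc = "utf-16-le" if flags & NTLMSSP_NEGOTIATE_UNICODE else "ascii"
    items = [lm_response, nt_response, domain.encode(enc), user.encode(enc),
             workstation.encode(enc), b""]  # no EncryptedRandomSessionKey
    descriptors, payload, offset = b"", b"", HEADER_LEN
    for item in items:
        descriptors += _descriptor(len(item), offset)
        payload += item
        offset += len(item)
    return (NTLMSSP_SIGNATURE + struct.pack("<I", AUTHENTICATE_MESSAGE)
            + descriptors + struct.pack("<I", flags) + payload)


def parse_authenticate(msg):
    """Return the Type 3 fields as a dict; string fields are decoded per the UNICODE flag."""
    if len(msg) < HEADER_LEN or msg[:8] != NTLMSSP_SIGNATURE:
        raise ValueError("not an NTLMSSP message (SPNEGO-wrapped tokens must be unwrapped first)")
    if struct.unpack_from("<I", msg, 8)[0] != AUTHENTICATE_MESSAGE:
        raise ValueError("not an AUTHENTICATE_MESSAGE (type 3)")
    flags = struct.unpack_from("<I", msg, 60)[0]
    enc = "utf-16-le" if flags & NTLMSSP_NEGOTIATE_UNICODE else "ascii"
    out = {"flags": flags}
    for i, name in enumerate(FIELD_NAMES):
        length, _maxlen, off = struct.unpack_from("<HHI", msg, 12 + 8 * i)
        if off + length > len(msg):  # descriptor pointing outside the buffer
            raise ValueError(f"{name} field runs past end of message")
        raw = msg[off:off + length]
        out[name] = raw.decode(enc) if name in STRING_FIELDS else raw
    return out


def leaks_local_hostname(msg, local_hostname):
    """True when the Workstation field equals the local machine's unqualified host name."""
    workstation = parse_authenticate(msg)["workstation"]
    short = local_hostname.split(".", 1)[0]
    return workstation.casefold() == short.casefold()


def to_authorization_header(msg):
    """Format a Type 3 message the way an HTTP client sends it."""
    return "NTLM " + base64.b64encode(msg).decode("ascii")


def workstation_from_authorization(header_value):
    """Pull the Workstation name out of an 'Authorization: NTLM <base64>' header value."""
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.upper() != "NTLM":
        raise ValueError("expected the NTLM scheme with a raw NTLMSSP token")
    return parse_authenticate(base64.b64decode(token))["workstation"]


if __name__ == "__main__":
    # Constructed messages: one leaking a real-looking host name, one using a fixed name.
    leaky = build_authenticate("CORP", "alice", "laptop-42", b"\x00" * 24, b"\x00" * 24)
    fixed = build_authenticate("CORP", "alice", "curlhost", b"\x00" * 24)
    for label, msg in (("leaky", leaky), ("fixed", fixed)):
        print(label, parse_authenticate(msg)["workstation"],
              "leaks host:", leaks_local_hostname(msg, "laptop-42.corp.example"))
```

Feed `workstation_from_authorization` the header value captured at a proxy or test server to confirm what a client sends; a match against the host's own name in `leaks_local_hostname` is the behaviour this issue reports, and a fixed string such as "curlhost" or "WORKSTATION" is what the fix produces. Tokens sent under the Negotiate scheme are usually SPNEGO-wrapped and must be unwrapped to the inner NTLMSSP blob before parsing.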