-
Type: Bug
-
Resolution: Works as Designed
-
Priority: Major - P3
-
None
-
Affects Version/s: 7.0.11
-
Component/s: None
-
Server Security
-
ALL
-
-
Security 2024-09-02
There is a bug in the implementation of SCRAM-SHA-1 authentication.
This bug is present in both the server and and driver libraries, thus tools appear to work as expected.
BUT one should note that a bug in SHA-1 hashing algorithm is a security vulnerability.
NOTE: SCRAM-SHA-256 works as expected.
I have used Wire shark to extract the messages sent between `mongosh` and `mongodb` and have verified that the "proof" part of the message is incorrectly calculated for `SHA-1` authentication.
NOTE: Because the Mongo Server and the Client libraries both contain the bug authentication appears to work.
I have compares the generated proofs from mongosh against C++ and python libraries. The C++ and python libraries (not using the Mongo drivers) generate the same proof messages that are different to the proof message generated by mongosh.
Example:
Binary dump of message sent from mongosh to Mongo
# Message 1: Mongosh => Mongo
# This is an AuthInit Message with
# saslStart = 1
0000 02 00 00 00 45 00 00 f9 00 00 40 00 40 06 00 00 ....E.....@.@...
0010 7f 00 00 01 7f 00 00 01 c5 26 69 89 6f be c5 22 .........&i.o.."
0020 05 d0 da 1c 80 18 18 e5 fe ed 00 00 01 01 08 0a ................
0030 3f fc 80 f0 56 de bd 85 c5 00 00 00 03 00 00 00 ?...V...........
0040 00 00 00 00 dd 07 00 00 00 00 00 00 00 b0 00 00 ................
0050 00 10 73 61 73 6c 53 74 61 72 74 00 01 00 00 00 ..saslStart.....
0060 02 6d 65 63 68 61 6e 69 73 6d 00 0c 00 00 00 53 .mechanism.....S
0070 43 52 41 4d 2d 53 48 41 2d 31 00 05 70 61 79 6c CRAM-SHA-1..payl
0080 6f 61 64 00 30 00 00 00 00 6e 2c 2c 6e 3d 74 65 oad.0....n,,n=te
0090 73 74 53 68 61 31 2c 72 3d 5a 31 4d 4d 64 75 66 stSha1,r=Z1MMduf
00a0 57 51 2b 7a 38 4f 30 73 65 6b 67 6e 70 71 4a 66 WQ+z8O0sekgnpqJf
00b0 32 48 30 45 4e 33 73 6c 47 10 61 75 74 6f 41 75 2H0EN3slG.autoAu
00c0 74 68 6f 72 69 7a 65 00 01 00 00 00 03 6f 70 74 thorize......opt
00d0 69 6f 6e 73 00 19 00 00 00 08 73 6b 69 70 45 6d ions......skipEm
00e0 70 74 79 45 78 63 68 61 6e 67 65 00 01 00 02 24 ptyExchange....$
00f0 64 62 00 05 00 00 00 74 65 73 74 00 00 db.....test..---------
# Message 2: Mongo => Mongosh
# This is the reply to the AuthInit message.
# It contains the SCRAM-SHA-1 server response.
0000 02 00 00 00 45 00 00 e8 00 00 40 00 40 06 00 00 ....E.....@.@...
0010 7f 00 00 01 7f 00 00 01 69 89 c5 26 05 d0 da 1c ........i..&....
0020 6f be c5 e7 80 18 18 df fe dc 00 00 01 01 08 0a o...............
0030 56 de bd 87 3f fc 80 f0 b4 00 00 00 fc 00 00 00 V...?...........
0040 03 00 00 00 dd 07 00 00 00 00 00 00 00 9f 00 00 ................
0050 00 10 63 6f 6e 76 65 72 73 61 74 69 6f 6e 49 64 ..conversationId
0060 00 01 00 00 00 08 64 6f 6e 65 00 00 05 70 61 79 ......done...pay
0070 6c 6f 61 64 00 65 00 00 00 00 72 3d 5a 31 4d 4d load.e....r=Z1MM
0080 64 75 66 57 51 2b 7a 38 4f 30 73 65 6b 67 6e 70 dufWQ+z8O0sekgnp
0090 71 4a 66 32 48 30 45 4e 33 73 6c 47 43 6c 35 41 qJf2H0EN3slGCl5A
00a0 4a 55 54 78 32 7a 67 44 50 62 31 5a 41 6c 45 44 JUTx2zgDPb1ZAlED
00b0 6d 39 58 37 67 2b 42 4d 6a 77 58 74 2c 73 3d 35 m9X7g+BMjwXt,s=5
00c0 71 6f 62 41 52 46 31 34 38 52 59 34 70 75 68 73 qobARF148RY4puhs
00d0 51 4f 6b 53 67 3d 3d 2c 69 3d 31 30 30 30 30 01 QOkSg==,i=10000.
00e0 6f 6b 00 00 00 00 00 00 00 f0 3f 00 ok........?.---------
- Message 3: Mongosh => Mongo
# The is the AuthCont message.
# This contains the computer proof from the client
# to show that it knows the users password.
0000 02 00 00 00 45 00 00 f8 00 00 40 00 40 06 00 00 ....E.....@.@...
0010 7f 00 00 01 7f 00 00 01 c5 26 69 89 6f be c5 e7 .........&i.o...
0020 05 d0 da d0 80 18 18 e3 fe ec 00 00 01 01 08 0a ................
0030 3f fc 80 f5 56 de bd 87 c4 00 00 00 04 00 00 00 ?...V...........
0040 00 00 00 00 dd 07 00 00 00 00 00 00 00 af 00 00 ................
0050 00 10 73 61 73 6c 43 6f 6e 74 69 6e 75 65 00 01 ..saslContinue..
0060 00 00 00 10 63 6f 6e 76 65 72 73 61 74 69 6f 6e ....conversation
0070 49 64 00 01 00 00 00 05 70 61 79 6c 6f 61 64 00 Id......payload.
0080 68 00 00 00 00 63 3d 62 69 77 73 2c 72 3d 5a 31 h....c=biws,r=Z1
0090 4d 4d 64 75 66 57 51 2b 7a 38 4f 30 73 65 6b 67 MMdufWQ+z8O0sekg
00a0 6e 70 71 4a 66 32 48 30 45 4e 33 73 6c 47 43 6c npqJf2H0EN3slGCl
00b0 35 41 4a 55 54 78 32 7a 67 44 50 62 31 5a 41 6c 5AJUTx2zgDPb1ZAl
00c0 45 44 6d 39 58 37 67 2b 42 4d 6a 77 58 74 2c 70 EDm9X7g+BMjwXt,p
00d0 3d 6a 4c 6d 4f 55 48 6d 58 51 63 67 31 46 65 30 =jLmOUHmXQcg1Fe0
00e0 6a 6d 55 63 31 48 69 6a 44 4d 78 77 3d 02 24 64 jmUc1HijDMxw=.$d
00f0 62 00 05 00 00 00 74 65 73 74 00 00 b.....test..---------
# Message 4: Mongo -> Mongosh
# Reply with the validation code.
# So the client knows that the server also knows the
# password.
0000 02 00 00 00 45 00 00 a1 00 00 40 00 40 06 00 00 ....E.....@.@...
0010 7f 00 00 01 7f 00 00 01 69 89 c5 26 05 d0 da d0 ........i..&....
0020 6f be c6 ab 80 18 18 dc fe 95 00 00 01 01 08 0a o...............
0030 56 de bd 8a 3f fc 80 f5 6d 00 00 00 fd 00 00 00 V...?...m.......
0040 04 00 00 00 dd 07 00 00 00 00 00 00 00 58 00 00 .............X..
0050 00 10 63 6f 6e 76 65 72 73 61 74 69 6f 6e 49 64 ..conversationId
0060 00 01 00 00 00 08 64 6f 6e 65 00 01 05 70 61 79 ......done...pay
0070 6c 6f 61 64 00 1e 00 00 00 00 76 3d 78 2b 5a 77 load......v=x+Zw
0080 77 48 41 43 61 44 4f 36 4b 6b 38 47 2f 4b 37 4a wHACaDO6Kk8G/K7J
0090 76 67 58 34 47 4d 73 3d 01 6f 6b 00 00 00 00 00 vgX4GMs=.ok.....
00a0 00 00 f0 3f 00 ...?.
From message 1: we can find the payload as:
n,,n=testSha1,r=Z1MMdufWQ+z8O0sekgnpqJf2H0EN3slG
From message 2: we can find the payload as:
r=Z1MMdufWQ+z8O0sekgnpqJf2H0EN3slGCl5AJUTx2zgDPb1ZAlEDm9X7g+BMjwXt,s=5qobARF148RY4puhsQOkSg==,i=10000
Using the standard SCRAM-SHA-1 algorithm using the following values:
- Username: testSha1
- Password: passwordSha1
- Nonce: Z1MMdufWQ+z8O0sekgnpqJf2H0EN3slG
- Server Reply: r=Z1MMdufWQ+z8O0sekgnpqJf2H0EN3slGCl5AJUTx2zgDPb1ZAlEDm9X7g+BMjwXt,s=5qobARF148RY4puhsQOkSg==,i=10000
We can compute that the expected response should be (When using non Mongo based tools. Application provided below to help).
c=biws,r=Z1MMdufWQ+z8O0sekgnpqJf2H0EN3slGCl5AJUTx2zgDPb1ZAlEDm9X7g+BMjwXt,p=bCrqdhlgFjdEhR0HIifUPK0RQV0=
But the message extracted from the third message is:
c=biws,r=Z1MMdufWQ+z8O0sekgnpqJf2H0EN3slGCl5AJUTx2zgDPb1ZAlEDm9X7g+BMjwXt,p=jLmOUHmXQcg1Fe0jmUc1HijDMxw=
Notice that the proof section is different:
- Expected: p=bCrqdhlgFjdEhR0HIifUPK0RQV0=
- Actual: p=jLmOUHmXQcg1Fe0jmUc1HijDMxw=