Full Disclosure mailing list archives
RE: Microsoft ISA Server Authentication Bypassing
From: "David Farinic" <davidf () gfi com>
Date: Wed, 3 Nov 2004 11:07:14 +0100
Vulnerability-Microsoft ISA Server Authentication Bypassing
-NOT TRUE. IT IS NOT an ISA problem. You always worked with one instance of IExplore.exe, which used the same pre-authenticated http channels for all calls from different windows or processes. It might be seen as a problem only if IE COM IPC calls from DIFFERENT processes (with dif. Sec. credentials) to IE COM objects use the same pre-authenticated http tcp/ip channels with the proxy server.

Regards
0x56058

P.S.: Next time pls mention also ISA, OS, IE versions.

-----Original Message-----
From: full-disclosure-admin () lists netsys com [mailto:full-disclosure-admin () lists netsys com] On Behalf Of Debasis Mohanty
Sent: Tuesday, November 02, 2004 6:48 PM
To: mail () hackingspirits com
Subject: [Full-disclosure] Microsoft ISA Server Authentication Bypassing Vulnerability

Microsoft ISA Server Authentication Bypassing

Description

This weakness is tested in a network environment where Microsoft ISA server is configured as an Internet proxy server and the users are required to provide the appropriate user name and password to access the internet.

In HTTP 1.1, the Keep-Alive connection remains active unless the user closes the internet browser. In the case of IE, once the user closes all the open IE windows, the Keep-Alive session closes. Hence, every new IE opened will ask the user to enter UserID and Password to authenticate to the proxy server (if the proxy requires authentication).

But there is a way to bypass this authorization, since IE caches the user's authorization details without asking the user, and they can be reused by any malicious user to bypass the proxy authentication even though all the IE windows are closed.

I have tested this on MS Win2K as the client and MS ISA as the proxy server. Find the details below.

There are two ways the user can access the Internet in an authorised proxied environment:

Case 1
The user can save the password by selecting the "save password" option in the password dialog box and can use the same cached password to access the internet.
Each time the user opens a new IE window he/she will be prompted with the password dialog box, where the cached password will appear in asterisk ("*") form. The user just has to press enter to visit the desired site.

Case 2
In this case the user doesn't save the password and prefers to enter the password each time he/she opens a new IE window.

Now the bug is there in both cases, but I shall talk about the case 2 scenario, where the password is actually not saved.

In case 2, the user would be prompted with a password dialog box each time he/she opens a new IE window to browse any site. But this can be bypassed by using an existing session of a user with the ISA server. In most cases the user's browser session with the ISA doesn't terminate unless the IE cache is cleaned properly. But here comes the bug, where the attacker can actually make use of the existing browser's WWW-Authorization response of the previous user and can open multiple IE windows and browse sites of his/her choice without even entering any user name and password.

What the malicious user has to do is to create a small html file with a link to the desired site. For example, the malicious user wants to visit www.hackingspirits.com without authorization. Then the sample html file would look something like:

===== POC 1 =====
<html>
<title>Browse without authorization --- Sample script by hackingspirits.com </title>
<body>
<a target="_blank" href="http://www.hackingspirits.com"> Click here to visit hackingspirits.com</a>
</body>
</html>
=================

Now, once the html file is created, the malicious user has to open this file in an IE window, "right click" on the link and "open it in a new window". This would open the desired site in the new window without asking for any "user name" or "password", even if the password is not cached.

One can also write a small Batch file to open a desired site without proper authorisation.
Find the batch file below:

==== POC 2 =====
echo off
echo Browse Internet without authorisation --- by hackingspirits.com.
start /B "%ProgramFiles%\Internet Explorer\iexplore.exe" http://www.hackingspirits.com
Exit
================

Note: But if the malicious user tries to visit the same site by opening a new IE window, then he/she will be prompted with a password dialog box, which cannot be bypassed without authorization.

Debasis Mohanty
http://www.hackingspirits.com

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
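
The behaviour argued over in this thread, as a small model added here for illustration (not code from either poster): it assumes the proxy authenticates each connection once and that one browser process shares a single keep-alive connection across its windows, as the reply describes. The class names, URLs and credentials are constructed.

```python
import itertools


class Proxy:
    """Hypothetical proxy: authenticates a connection once, then trusts it."""

    def __init__(self, users):
        self.users = users              # constructed credential store
        self.authed = set()             # connection ids that completed auth
        self._ids = itertools.count(1)

    def connect(self):
        return next(self._ids)          # new, unauthenticated connection id

    def request(self, conn, url, creds=None):
        if conn in self.authed:
            return 200                  # pre-authenticated channel: no challenge
        if creds and self.users.get(creds[0]) == creds[1]:
            self.authed.add(conn)
            return 200
        return 407                      # Proxy Authentication Required


class BrowserProcess:
    """Hypothetical browser process: every window reuses one connection."""

    def __init__(self, proxy):
        self.proxy = proxy
        self.conn = None
        self.prompts = 0                # password dialogs shown to the user

    def open_window(self, url, ask_user):
        if self.conn is None:
            self.conn = self.proxy.connect()
        status = self.proxy.request(self.conn, url)
        if status == 407:
            self.prompts += 1
            status = self.proxy.request(self.conn, url, ask_user())
        return status


def demo():
    proxy = Proxy({"alice": "s3cret"})  # constructed account
    typed = lambda: ("alice", "s3cret")
    nobody = lambda: None               # whoever is at the keyboard types nothing
    p1 = BrowserProcess(proxy)
    first = p1.open_window("http://example.com/", typed)    # prompted once
    second = p1.open_window("http://example.org/", nobody)  # same process: reused
    p2 = BrowserProcess(proxy)                               # fresh process
    other = p2.open_window("http://example.org/", nobody)   # challenged again
    return first, second, p1.prompts, other, p2.prompts
```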
Current thread:
- Microsoft ISA Server Authentication Bypassing Debasis Mohanty (Nov 02)
- <Possible follow-ups>
- RE: Microsoft ISA Server Authentication Bypassing David Farinic (Nov 03)