Penetration Testing mailing list archives

RE: Client/Server application that does not authenticate users


From: "Dinis Cruz" <dinis () ddplus net>
Date: Sat, 14 Aug 2004 00:49:37 +0100

Then you can just write a little script to hijack (i.e. 'patch') that
function in the OS (or in the application's exe) and you will be able to
impersonate whoever you want without rebooting into another user.

This could also be used to do an automated brute force username attack
(since you don't need passwords).

Dinis Cruz
.Net Security Consultant 
DDPlus 

-----Original Message-----
From: Brian Erdelyi [mailto:brian_erdelyi () yahoo com]
Sent: 13 August 2004 23:41
To: Dinis Cruz
Subject: RE: Client/Server application that does not authenticate users

I had thought of this as well, considering the application
makes use of environment variables. I did test and
confirmed it is not using the Windows environment
variable "USERNAME".

The vendor has reported they use a WIN32 API called
GetUserName.


--- Dinis Cruz <dinis () ddplus net> wrote:

I knew of a web app that got the username from the
user variable "Username"

Guess what would happen if you typed in the client
workstation "Set Username=Admin" :)

For guidelines check out the OWASP documents: Top 10
(http://www.owasp.org/documentation/topten.html),
Testing guide
(http://www.owasp.org/documentation/testing.html),
the ISO 17799 Project
(http://www.owasp.org/standards/iso17799.html) and
the app sec FAQ
(http://www.owasp.org/documentation/faq.html)

Hope this helps

Best regards

Dinis Cruz
.Net Security Consultant
DDPlus


-----Original Message-----
From: Brian Erdelyi [mailto:brian_erdelyi () yahoo com]
Sent: 13 August 2004 11:58
To: Dinis Cruz; pen-test () securityfocus com
Subject: RE: Client/Server application that does not authenticate users

I am working with the vendor on this. Unfortunately,
I was assured by the vendor that the application does
authenticate users and uses access control lists to
assign permissions. They claimed I was using an
uncommon interpretation of the term "authentication".
The next level of support disagreed with my use of the
term "vulnerability".

The server does ask for a username (the client
automatically forwards the Windows username of the
currently logged on computer) but no password is
requested or sent at any point. This is by design of
the application (which from my perspective is
seriously flawed for an application that allows users
to sell and trade millions of dollars worth of
bonds).

I will give the vendor some time to analyse the
description I have provided to them and respond.

I'd like to provide some very specific suggestions and
guidance on how other applications are designed and
coded to authenticate users.

Is there an RFC on secure programming?



--- Dinis Cruz <dinis () ddplus net> wrote:

Quite common.

The other major mistake that most do is to rely on
the Client's GUI to enforce the 'security boundaries'
of the client application (for example: they rely on
the fact that the user's GUI doesn't have the
functionality to change passwords (including the
administrators), so if such a request is made it must
be from a valid source....)

But, the big question is: "what happens next?"

Are they going to tell their customers that their
data could have been (or was) compromised?

Dinis Cruz
.Net Security Consultant
DDPlus











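The design discussed in this thread, modelled as an added example (not the vendor's code or anything posted by the list members): a server that trusts a client-supplied username with no proof of identity, beside a challenge-response check in which the client must demonstrate possession of a per-user secret. All names, secrets and users are constructed for the illustration.

```python
import hashlib
import hmac
import secrets

# Flawed design from the thread: the client forwards whatever username it
# obtained locally (GetUserName, an environment variable, ...) and the server
# accepts it as-is. Nothing ties the string to the person who sent it.
def flawed_server_accepts(username: str, known_users: set) -> bool:
    return username in known_users


# Hardened design (constructed here): the server issues a fresh random nonce
# and only accepts the claimed identity if the client returns an HMAC over
# that nonce computed with the user's secret. The nonce is single-use, so a
# captured response cannot be replayed.
class ChallengeResponseServer:
    def __init__(self, user_secrets: dict):
        self._secrets = user_secrets    # username -> shared secret (bytes)
        self._pending = {}              # username -> outstanding nonce

    def challenge(self, username: str) -> bytes:
        nonce = secrets.token_bytes(16)
        self._pending[username] = nonce
        return nonce

    def verify(self, username: str, response: bytes) -> bool:
        nonce = self._pending.pop(username, None)   # consume: no replay
        secret = self._secrets.get(username)
        if nonce is None or secret is None:
            return False
        expected = hmac.new(secret, nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def client_response(secret: bytes, nonce: bytes) -> bytes:
    return hmac.new(secret, nonce, hashlib.sha256).digest()


def demo():
    users = {"admin": b"admin-secret", "trader": b"trader-secret"}
    # Flawed server: merely asserting "admin" is enough.
    flawed = flawed_server_accepts("admin", set(users))
    srv = ChallengeResponseServer(users)
    # Legitimate admin holds the secret, so the proof verifies.
    ok = srv.verify("admin", client_response(users["admin"], srv.challenge("admin")))
    # A client that only claims "admin" has no secret to answer the challenge with.
    forged = srv.verify("admin", client_response(b"not-the-secret", srv.challenge("admin")))
    return flawed, ok, forged
```

In a real Windows deployment this role is filled by integrated authentication (Kerberos/NTLM via SSPI) rather than a home-grown scheme; the point of the toy is that the server must verify the identity, not just read it from the client.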


