Vulnerability Development mailing list archives

RE: Microsoft ISA Server Authentication Bypassing


From: "Jim Harrison (ISA)" <jmharr () microsoft com>
Date: Tue, 2 Nov 2004 16:15:49 -0800

Hi Debasis,

You're a bit vague on the ISA configuration details (read: missing
entirely).
If you're in doubt about how to express this, use 
(ISA 2000) http://isatools.org.isainfo.vbe
(ISA 2004) http://isatools.org/isainfo/isainfo.zip 

I'll address each case inline (pardon the <snip> in case 2; it's only
there for brevity)...

Jim Harrison 
MCP(NT4/2K), A+, Network+
Security Business Unit (ISA SE)

"The last 10 years of Internet usage has disproven 
the theory that a million monkeys typing on a million
typewriters would eventually produce the complete
works of Shakespeare.  ..or maybe it only works for
typewriters..."
(unclaimed)

-----Original Message-----
From: Debasis Mohanty [mailto:mail () hackingspirits com] 
Sent: Tuesday, November 02, 2004 9:48 AM
To: mail () hackingspirits com
Subject: Microsoft ISA Server Authentication Bypassing

Vulnerability
Microsoft ISA Server Authentication Bypassing

Description
This weakness is tested in a network environment where Microsoft ISA
Server is configured as an Internet proxy server and the users are
required to provide an appropriate user name and password to access the
Internet. 

[[JmHarr]] see "details" comment above.

In HTTP 1.1, a Keep-Alive connection remains active unless the user
closes the Internet browser. In the case of IE, once the user closes
all the open IE windows, the Keep-Alive sessions close. Hence, every
new IE window opened will ask the user to enter a UserID and Password to
authenticate to the proxy server (if the proxy requires authentication).

[[JmHarr]] Again; slim information.  Depending on several configuration
option combinations, ISA may actually close the initial connection when
authentication is required.  Got captures?

But there is a way to bypass this authorization. Since IE caches the
user's authorization details without asking the user, they can be
reused by any malicious user to bypass the proxy authentication even
though all the IE windows are closed.

[[JmHarr]] Not clear on this concept; where is ISA involved with IE
credentials caching?

I have tested this on MS Win2K as the client and MS ISA as the proxy
server. Find below the details.  


There are two ways the user can access the Internet in an authorised proxied
environment:

Case 1
The user can save the password by selecting the "save password" option
in the password dialog box and can use the same cached password to
access internet. Each time the user opens a new IE window he/she will be
prompted with the password dialog box where the cached password will
appear to be in asterisk ("*") form. The users just have to press enter
to visit the desired site.  

[[JmHarr]] ISA has no control over client browser "features".

Case 2
In this case the user doesn't save the password and prefers to enter
the password each time he/she opens a new IE window. 

<snip>
[[JmHarr]] Basically, you've only proven one thing:
- Session-based authentication, HTTP proxy-keep-alives and browser "save
my password" used together have their pitfalls.
Note that case 2 requires the default IE setting of "reuse windows" and
also assumes that the ISA default timeout hasn't expired for the current
session.
If you want to eliminate this behavior, set the ISA default web proxy
timeout value to some ridiculously low setting like 1 second.
This way, sessions will spend more time authenticating and less time
functioning.

Debasis Mohanty
http://www.hackingspirits.com
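The behaviour Jim's closing comment describes, authentication tied to a keep-alive connection that stays trusted until an idle timeout expires, is easy to reason about with a small simulation. The following is an added example, not code from this thread and not ISA Server's own logic: a constructed toy proxy that checks credentials on the first request of a connection, trusts later requests on that same connection, and drops the session once the connection has been idle longer than a configurable timeout. The user table, request text and timestamps are all invented for illustration, and the timeout values tried below are arbitrary rather than ISA's real defaults.

```python
"""Toy simulation of per-connection proxy authentication over HTTP keep-alive.

Constructed example for illustration only; it does not model Microsoft ISA
Server internals. It shows how the idle-timeout setting bounds the window in
which an already-authenticated keep-alive connection can be reused without
re-sending credentials.
"""
import base64
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Hypothetical credential table for the toy proxy (constructed).
VALID_USERS = {"alice": "correct horse"}

# Constructed requests: the first carries Proxy-Authorization, the second does not.
_CRED = "Basic " + base64.b64encode(b"alice:correct horse").decode()
AUTHED_REQUEST = (
    "GET http://example.test/ HTTP/1.1\r\n"
    "Host: example.test\r\n"
    f"Proxy-Authorization: {_CRED}\r\n\r\n"
)
PLAIN_REQUEST = "GET http://example.test/page HTTP/1.1\r\nHost: example.test\r\n\r\n"

RESP_OK = "HTTP/1.1 200 OK\r\n\r\n"
RESP_407 = (
    "HTTP/1.1 407 Proxy Authentication Required\r\n"
    'Proxy-Authenticate: Basic realm="proxy"\r\n\r\n'
)


def _parse_headers(request: str) -> Dict[str, str]:
    """Return the header fields of a raw HTTP request, keys lower-cased."""
    head = request.partition("\r\n\r\n")[0]
    out: Dict[str, str] = {}
    for line in head.split("\r\n")[1:]:  # skip the request line
        if ":" in line:
            key, value = line.split(":", 1)
            out[key.strip().lower()] = value.strip()
    return out


def _check_basic(value: Optional[str]) -> Optional[str]:
    """Validate a Basic credential against VALID_USERS; return the user or None."""
    if not value or not value.startswith("Basic "):
        return None
    try:
        decoded = base64.b64decode(value[6:], validate=True).decode()
    except (ValueError, UnicodeDecodeError):
        return None
    user, _, password = decoded.partition(":")
    return user if VALID_USERS.get(user) == password else None


@dataclass
class Session:
    user: str
    last_seen: float  # seconds, supplied by the caller's clock


@dataclass
class Proxy:
    """Authenticates once per connection, then trusts that connection until
    it has been idle for more than idle_timeout seconds."""
    idle_timeout: float
    sessions: Dict[int, Session] = field(default_factory=dict)

    def handle(self, conn_id: int, now: float, request: str) -> str:
        """Return the response the proxy would send for one request on
        keep-alive connection conn_id at time now (seconds)."""
        sess = self.sessions.get(conn_id)
        # Expire a session that has sat idle past the configured timeout.
        if sess is not None and now - sess.last_seen > self.idle_timeout:
            del self.sessions[conn_id]
            sess = None
        if sess is None:
            user = _check_basic(_parse_headers(request).get("proxy-authorization"))
            if user is None:
                return RESP_407
            sess = self.sessions[conn_id] = Session(user=user, last_seen=now)
        sess.last_seen = now
        return RESP_OK


def status_code(response: str) -> int:
    return int(response.split()[1])


def reuse_window(idle_timeout: float) -> List[int]:
    """Status codes for: an authenticated request at t=0, then two requests
    without credentials on the same connection at t=5s and t=120s."""
    proxy = Proxy(idle_timeout=idle_timeout)
    responses = [
        proxy.handle(1, 0.0, AUTHED_REQUEST),
        proxy.handle(1, 5.0, PLAIN_REQUEST),
        proxy.handle(1, 120.0, PLAIN_REQUEST),
    ]
    return [status_code(r) for r in responses]


if __name__ == "__main__":
    for timeout in (1, 60, 1800):
        print(f"idle_timeout={timeout:>5}s -> {reuse_window(timeout)}")
```

Running it shows the trade-off Jim points at: with a 1-second timeout every follow-up request is challenged again, with 60 seconds the request five seconds later rides on the existing session but the one two minutes later is challenged, and with a long timeout the connection stays trusted throughout. A fresh connection (a new conn_id) with no credentials is always challenged, which is the "closing all IE windows" case in the original report; the browser-side credential caching that Debasis describes happens before the request reaches the proxy and is outside what this simulation models.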