Message-ID: <C7FA36AFCE3E8D4298586892AC960E0D0443B4AD@RED-MSG-32.redmond.corp.microsoft.com>
Date: Tue, 2 Nov 2004 16:15:49 -0800
From: "Jim Harrison (ISA)" <jmharr@...rosoft.com>
To: <vuln-dev@...urityfocus.com>, <bugtraq@...urityfocus.com>
Subject: RE: Microsoft ISA Server Authentication Bypassing

Hi Debasis,

You're a bit vague on the ISA configuration details (read: missing entirely).
If you're in doubt about how to express this, use
(ISA 2000) http://isatools.org.isainfo.vbe
(ISA 2004) http://isatools.org/isainfo/isainfo.zip

I'll address each case inline (pardon the <snip> in case 2; it's only there for brevity)...

Jim Harrison
MCP(NT4/2K), A+, Network+
Security Business Unit (ISA SE)

"The last 10 years of Internet usage has disproven the theory that a million monkeys typing on a million typewriters would eventually produce the complete works of Shakespeare.
..or maybe it only works for typewriters..."
(unclaimed)

-----Original Message-----
From: Debasis Mohanty [mailto:mail@...kingspirits.com]
Sent: Tuesday, November 02, 2004 9:48 AM
To: mail@...kingspirits.com
Subject: Microsoft ISA Server Authentication Bypassing Vulnerability

Microsoft ISA Server Authentication Bypassing

Description

This weakness is tested in a network environment where Microsoft ISA server is configured as an Internet proxy server and the users are required to provide appropriate user name and the password to access the internet.

[[JmHarr]] see "details" comment above.

In HTTP 1.1, the Keep-Alive connection remains active unless the user closes the internet browser. In case of IE, once the user closes all the open IE windows, the Keep-Alive session closes. Hence, every new IE opened will ask the user to enter UserID and Password to authenticate to the proxy server (if the proxy requires authentication).

[[JmHarr]] Again; slim information. Depending on several configuration option combinations, ISA may actually close the initial connection when authentication is required. Got captures?

But there is a way to bypass this authorization. Since IE caches the user's authorization details without asking the user, it can be reused by any malicious user, even though all the IE windows are closed, to bypass the proxy authentication.

[[JmHarr]] Not clear on this concept; where is ISA involved with IE credentials caching?

I have tested this on MS Win2K as the client and MS ISA as the proxy server. Find below the details.

There are two ways the user can access Internet in an authorised proxied environment:

Case 1

The user can save the password by selecting the "save password" option in the password dialog box and can use the same cached password to access internet. Each time the user opens a new IE window he/she will be prompted with the password dialog box where the cached password will appear to be in asterisk ("*") form. The users just have to press enter to visit the desired site.

[[JmHarr]] ISA has no control over client browser "features".

Case 2

In this case the user doesn't save the password and prefers to enter the password each time he/she opens a new IE window.

<snip>

[[JmHarr]] Basically, you've only proven one thing:
- Session-based authentication, HTTP proxy-keep-alives and browser "save my password" used together have their pitfalls.

Note that case 2 requires the default IE setting of "reuse windows" and also assumes that the ISA default timeout hasn't expired for the current session. If you want to eliminate this behavior, set the ISA default web proxy timeout value to some ridiculously low setting like 1 second. This way, sessions will spend more time authenticating and less time functioning.

Debasis Mohanty
http://www.hackingspirits.com
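
Added example (not part of either author's message, and not ISA Server code): a simplified Python model of the trade-off described in the reply above, where authentication is tied to a kept-alive proxy connection and an idle timeout decides when it must be repeated. The request timeline and the 120-second timeout are constructed for illustration; the 1-second timeout is the value suggested in the reply.

```python
# Simplified model, not ISA Server code: authentication is tied to one
# kept-alive client-to-proxy connection and is lost only when the proxy
# closes that connection after `idle_timeout` seconds without a request.

def replay(arrivals, idle_timeout):
    """Replay request arrival times (seconds) against one proxy connection.

    Returns how many requests triggered a fresh credential check, how many
    were accepted on the strength of an earlier check, and the age of the
    oldest credential check that was still being honoured.
    """
    authed_at = None      # time credentials were last verified
    last_seen = None      # time of the previous request on the connection
    challenges = reused = 0
    oldest_auth_age = 0
    for now in arrivals:
        idle_expired = last_seen is not None and now - last_seen > idle_timeout
        if authed_at is None or idle_expired:
            challenges += 1           # proxy answers 407, client re-authenticates
            authed_at = now
        else:
            reused += 1               # request rides on the earlier authentication
            oldest_auth_age = max(oldest_auth_age, now - authed_at)
        last_seen = now
    return {"challenges": challenges, "reused": reused,
            "oldest_auth_age": oldest_auth_age}

# Constructed timeline: steady browsing, a long pause, then two more visits.
ARRIVALS = [0, 60, 120, 180, 240, 600, 605, 1200]

if __name__ == "__main__":
    for timeout in (120, 1):   # 120 s is an assumed value; 1 s is from the reply
        print(timeout, replay(ARRIVALS, timeout))
```

With steady traffic the 120-second idle timeout still honours a 240-second-old authentication, because the timer restarts on every request; the 1-second setting forces a credential check on all eight requests.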