From: mail at hackingspirits.com (Debasis Mohanty)
Subject: Microsoft ISA Server Authentication Bypassing

Vulnerability
Microsoft ISA Server Authentication Bypassing

Description
This weakness is tested in a network environment where Microsoft ISA
server is configured as an Internet proxy server and the users are
required to provide appropriate user name and the password to access the
internet. 

In HTTP 1.1, the Keep-Alive connections connection remains active unless
the user closes the internet browser. In case of IE once the user closes
all the open IE windows, the Keep-Alive sessions closes. Hence, every
new IE opened will ask the user to enter UserID and Password to
authenticate to the proxy server (if the proxy requires authentication).


But there is a way to bypass this authorization. Since, IE caches the
user's authorization details without asking the user and it can be
reused by any malicious user even though all the IE window is closed to
bypass the proxy authentication.

I have tested this on MS Win2K as the client and MS ISA as the proxy
server. Find below the details.  


There are two ways the user can access Internet in an authorised proxyed
environment:

Case 1
The user can save the password by selecting the "save password" option
in the password dialog box and can use the same cached password to
access internet. Each time the user opens a new IE window he/she will be
prompted with the password dialog box where the cached password will
appear to be in asterisk ("*") form. The users just have to press enter
to visit the desired site.  

Case 2
In this case the user doesn't save the password and preferred to enter
the password each time he/she opens a new IE window. 

Now the bug is there in both the cases but I shall talk about case 2
scenario where actually the password is not saved. In case 2, the user
would be prompted with a password dialog box each time he/she opens a
new IE window to browse any site. But this can be bypassed by using an
existing session of a user with the ISA server. Most of the case the
user's browser session with the ISA doesn't terminate unless the IE
cache is cleaned properly. But here comes the bug where the attacker
actually can make use of the existing browser's WWW-Authorization
response of the previous user and can open multiple IE window and can
browse sites of his/her choice without even entering any user name and
password. 

What the malicious user has to do is to create a small html file with a
link of the desired site. For example the malicious user wants to visit
www.hackingspirits.com without authorization. Then the sample html file
would look something like:

===== POC 1 =====
<h t m l>
<title>Browse without authorization --- Sample script by
hackingspirits.com </title>
<b o d y>

<a target="_blank" href="http://www.hackingspirits.com">
Click here to visit hackingspirits.com</a>

</b o d y>
</h t m l>

=================

Now once the html file is created the malicious user has to open this
file in an IE window and "right click" on the link and "open it in a new
window". This would open the desired site in the new window without
asking any "user name" or "password" even if the password is not cached.


Once can also write a small Batch file to open a desired site without
proper authorisation. Find the batch file below: 

==== POC 2 =====

echo off
echo Browse Internet without authorisation --- by hackingspirits.com.
start /B "%ProgramFiles%\Internet Explorer\iexplore.exe"
http://www.hackingspirits.com
Exit

================

Note: But if the malicious tries to visit the same site by opening a new
IE window then he/she will be prompted with a password dialog box which
cannot be bypassed without authorization.



Debasis Mohanty
http://www.hackingspirits.com
 

Powered by blists - more mailing lists