Back Office Web Administrator Authentication Bypass (#NISR17042002A)

From: NGSSoftware Insight Security Research (nisrat_private)
Date: Tue Apr 16 2002 - 07:08:47 PDT


    NGSSoftware Insight Security Research Advisory
    
    Name:    Back Office Web Administration Authentication Bypass
    Systems Affected:  Microsoft's Back Office Web Administrator 4.0, 4.5
    Severity:  Medium/High
    Vendor URL:   http://www.microsoft.com
    Author:   David Litchfield (davidat_private)
    Date:   17th April 2002
    Advisory number: #NISR17042002A
    Advisory URL:  http://www.ngssoftware.com/advisories/boa.txt
    
    Issue: Attackers can bypass the logon page and access the Back Office Web
    Administrator
    
    Description
    ***********
    The Microsoft Back Office suite of products ships with an ASP-based web
    administration application that runs on IIS. Normally, to use the
    administration pages a user must authenticate, but NGSSoftware have
    discovered that it is trivial to bypass this.
    
    Details
    *******
    Each of the Back Office Web Administrator ASP pages checks to see if the
    user has been authenticated, but does so with the following snippet of code:
    
     ' Only the presence of an authentication scheme name is checked; the
     ' page never verifies that a user was actually logged on.
     If Request.ServerVariables("auth_type") = "" Then
      Response.Status = "401 ACCESS DENIED"
      Response.End
     End If
    
    This is the only "authorization/authentication" performed. As such it's
    trivial to bypass:
    
     GET /BOADMIN/BACKOFFICE/SERVICES.ASP HTTP/1.1
     Host: hostname
     Authorization: Basic
     [enter]
     [enter]
    
    No credentials are required because, technically, the AUTH_TYPE server
    variable has already been set once an Authorization header is present,
    regardless of whether a user name or password has been supplied.
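    The following is an added Python model of the check described above and of
    a hardened form; it is not code from the Back Office Web Administrator,
    from IIS, or from NGSSoftware. It assumes (as a simplification of the
    behaviour the advisory reports) that the server sets AUTH_TYPE as soon as
    an Authorization header with the Basic scheme is present and sets
    LOGON_USER only after credentials actually verify; the account table and
    the requests are constructed for the example.

```python
"""Model of the AUTH_TYPE-only check and a hardened check (added example).

Constructed example, not Back Office Web Administrator or IIS code. The way
server variables are populated below is a simplified model of the behaviour
the advisory describes: AUTH_TYPE follows the Authorization header as soon
as it is present, whether or not credentials were supplied.
"""
import base64
import binascii

# Constructed credential table standing in for the accounts the server
# would validate against. Hypothetical values.
VALID_ACCOUNTS = {"admin": "correct horse"}


def parse_request(raw):
    """Split a raw HTTP request into (request line, lower-cased header dict)."""
    lines = raw.split("\r\n")
    headers = {}
    for line in lines[1:]:
        if not line:          # blank line ends the header block
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def server_variables(headers):
    """Model of how the server variables read by the ASP page get populated.

    AUTH_TYPE is set from the scheme name as soon as the header is present
    (the behaviour the advisory relies on); LOGON_USER is set only when the
    Base64 blob decodes to a user:password pair that verifies.
    """
    auth = headers.get("authorization", "")
    scheme, _, blob = auth.partition(" ")
    auth_type = scheme if scheme.lower() == "basic" else ""
    logon_user = ""
    if auth_type and blob:
        try:
            decoded = base64.b64decode(blob, validate=True).decode()
            user, _, password = decoded.partition(":")
        except (binascii.Error, UnicodeDecodeError):
            user = password = ""
        if user and VALID_ACCOUNTS.get(user) == password:
            logon_user = user
    return {"AUTH_TYPE": auth_type, "LOGON_USER": logon_user}


def vulnerable_check(sv):
    """The advisory's check: deny only when AUTH_TYPE is empty."""
    return sv["AUTH_TYPE"] != ""


def hardened_check(sv):
    """Require an authenticated principal, not merely a scheme name."""
    return sv["AUTH_TYPE"] != "" and sv["LOGON_USER"] != ""


def evaluate(raw):
    """Return (vulnerable_check allows, hardened_check allows) for a request."""
    _, headers = parse_request(raw)
    sv = server_variables(headers)
    return vulnerable_check(sv), hardened_check(sv)


# Constructed requests; EMPTY_BASIC mirrors the request shown in the advisory.
REQUEST_LINE = "GET /BOADMIN/BACKOFFICE/SERVICES.ASP HTTP/1.1\r\nHost: hostname\r\n"
NO_AUTH = REQUEST_LINE + "\r\n"
EMPTY_BASIC = REQUEST_LINE + "Authorization: Basic\r\n\r\n"
GOOD_CREDS = (REQUEST_LINE + "Authorization: Basic "
              + base64.b64encode(b"admin:correct horse").decode() + "\r\n\r\n")
BAD_CREDS = (REQUEST_LINE + "Authorization: Basic "
             + base64.b64encode(b"admin:wrong").decode() + "\r\n\r\n")

if __name__ == "__main__":
    for name, req in [("no header", NO_AUTH), ("empty Basic", EMPTY_BASIC),
                      ("good creds", GOOD_CREDS), ("bad creds", BAD_CREDS)]:
        vuln, hard = evaluate(req)
        print(f"{name:12s} vulnerable_check={vuln} hardened_check={hard}")
```

    Running it shows the gap: the bare "Authorization: Basic" request passes the
    AUTH_TYPE-only check but fails the hardened one, which insists that the
    server actually established a logged-on user. The hardened page-level check
    is defence in depth only; the advisory's remedy remains the vendor patch.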
    
    Risk and Mitigating Factors
    ***************************
    By default the Back Office Web Administrator is limited to the loopback
    address (127.0.0.1) which means that it can't be accessed remotely. However,
    it is not uncommon to change this to allow for remote administration; tying
    the Administrator to the loopback address makes it somewhat useless.
    
    Basic authentication also needs to be enabled which, again, is not uncommon.
    
    Fix Information
    ***************
    Those who match these criteria are strongly urged to obtain the patch
    from Microsoft. Please see
    http://support.microsoft.com/default.aspx?scid=kb;en-us;Q316838& for more
    details.
    
    A check for this issue has also been added to Typhon II, NGSSoftware's
    vulnerability assessment scanner. For more information about Typhon, please
    see the NGSSite at http://www.ngssoftware.com/.
    



    This archive was generated by hypermail 2b30 : Wed Apr 17 2002 - 14:17:17 PDT