Domain Name Forging On Authentication Prompt

From: Brett Moore (brett.moore@security-assessment.com)
Date: Thu May 08 2003 - 19:43:31 PDT


    =================================================
    Domain Name Forging On Authentication Prompt
    -------------------------------------------------
    Tested under
    	* Win2k Server, fully patched, with IE 6.0
    	* Winxp, fully patched, with IE 6.0
    =================================================
    
    * Background *
    
    When browsing to a folder/file that is protected by BASIC or NTLM
    authentication a window is displayed to the user, prompting for
    user credentials.
    
    +------------------------------------------+
    |  Please type your user name and password |
    |  Site:        [IP/Host]                  |
    |  Realm:       [Domain ]                  |
    |  Username:    [       ]                  |
    |  Password:    [       ]                  |
    |                           [OK] [CANCEL]  |
    +------------------------------------------+
    
    * Details *
    
    It is possible to use the Msxml2.XMLHTTP object to create a login box and
    set the realm to an arbitrary value.
    
    If the object is used to make a request to a URI that requires authentication
    and the HOST header is set to a domain of the requester's choosing, the login
    prompt is displayed with the HOST header value as the realm.
    
    Although the SITE displayed will be the IP of the URI (xxx.xxx.x.xx), unwary
    users may trust the realm value and enter their login credentials.
    
    By running a sniffer on the machine hosting the protected folder, it is
    possible to sniff the BASIC authorization string, which in turn can be
    base64 decoded to reveal the plaintext username:password pair.
    
    This could be made more effective by using XSS to have the script appear to
    be running from a valid domain.
    
    The sample script below should be enough to demonstrate.
    
    Note: To bypass IE domain restrictions, the IP of the protected folder needs
    to be the same as the site hosting the script.
    
    [Code Sample]
    <*script language="vbscript">
    function sendinfo()
    Dim myhttp
    
    Set myhttp=CreateObject("Msxml2.XMLHTTP")
    myhttp.open "GET", "http://xxx.xxx.x.xx/_vti_bin/_vti_adm/admin.dll", false
    myhttp.setRequestHeader "Host", "secure.foo.bar"
    myhttp.send
    
    set myhttp = Nothing
    end function
    </*script>
    <*script>sendinfo()</*script>
    [End Code Sample]
    
    * Solution *
    
    This issue is probably by design and as such the problem is with the end
    user verifying the site that they are entering credentials for.
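    A server-side counterpart, added here as an example and not part of the
    original post: the first handler reproduces the behaviour the advisory
    describes (the realm in the 401 challenge is copied from the client's Host
    header), the second shows a hardened challenge whose realm is a static
    setting and which refuses requests for host names the server does not serve.
    The handler functions, the allow-list and the request headers are constructed
    for this example; the forged Host value is the one from the advisory.

```python
import re
from typing import Dict, Iterable, Optional, Tuple

Response = Tuple[int, Dict[str, str]]   # (HTTP status, response headers)


def challenge_reflecting_host(headers: Dict[str, str]) -> Response:
    """Behaviour the advisory describes: the realm in the 401 challenge is
    copied from the client's Host header, so the browser's login prompt
    displays whatever name the requester chose."""
    host = headers.get("Host", "")
    return 401, {"WWW-Authenticate": f'Basic realm="{host}"'}


def challenge_fixed_realm(headers: Dict[str, str],
                          allowed_hosts: Iterable[str],
                          realm: str) -> Response:
    """Hardened variant (assumes a server whose realm and served host names
    are configurable): the realm never derives from client input, and a
    request whose Host header is not one of this server's own names is
    refused with 400 before any authentication challenge is issued."""
    host = headers.get("Host", "").split(":", 1)[0].lower()   # drop optional :port
    if host not in {h.lower() for h in allowed_hosts}:
        return 400, {}                        # unknown Host: no login prompt at all
    safe_realm = realm.replace('"', "")      # a quoted-string realm may not contain quotes
    return 401, {"WWW-Authenticate": f'Basic realm="{safe_realm}"'}


REALM_RE = re.compile(r'realm="([^"]*)"')


def realm_of(response: Response) -> Optional[str]:
    """Realm the browser would display for this response, or None when the
    response carries no Basic challenge."""
    m = REALM_RE.search(response[1].get("WWW-Authenticate", ""))
    return m.group(1) if m else None


# Constructed sample requests and allow-list for the demonstration.
FORGED_REQUEST = {"Host": "secure.foo.bar"}                 # value from the advisory
LEGIT_REQUEST = {"Host": "intranet.example.invalid:8080"}   # constructed
SERVED_HOSTS = ["intranet.example.invalid"]                 # constructed allow-list

if __name__ == "__main__":
    print(realm_of(challenge_reflecting_host(FORGED_REQUEST)))                          # secure.foo.bar
    print(realm_of(challenge_fixed_realm(FORGED_REQUEST, SERVED_HOSTS, "Intranet")))    # None
    print(realm_of(challenge_fixed_realm(LEGIT_REQUEST, SERVED_HOSTS, "Intranet")))     # Intranet
```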
    
    Brett Moore
    Network Intrusion Specialist
    security-assessment.com
    +64-9-300-6494
    



    This archive was generated by hypermail 2b30 : Fri May 09 2003 - 09:27:12 PDT