SECURITY.NNOV: Outlook Express and SPA (Secure Password Authentication)

Date: 11/22/01

Message-ID:  <140294930878.20011122212622@SECURITY.NNOV.RU>
Date:         Thu, 22 Nov 2001 21:26:22 +0300
Subject:      SECURITY.NNOV: Outlook Express and SPA (Secure Password Authentication)

Hello bugtraq,

The information below is not actually a bug description but a warning about a
design flaw in Microsoft Outlook Express "secure" authentication.

Original source for this advisory:

Topic: Outlook Express and SPA (Secure Password Authentication)
Author: 3APA3A <>
Affected Software: Internet Explorer 5.5, 6.0
Vendor: Microsoft
Status: Informational

1. Background:

Outlook Express doesn't support CRAM-MD5 or APOP, so there is only one
way to authenticate a user to a POP3/IMAP/SMTP server without sending the
cleartext password on the wire: SPA (Secure Password Authentication). It
usually works with Exchange, but it is also supported by a few 3rd-party
mail servers.

There are two issues with this kind of authentication that make it even
more dangerous than cleartext when used outside the organization's site.

2. Problems description:

Secure Password authentication is in fact NTLM v.1.

NTLM v.1 is known to be vulnerable to Man-in-the-Middle (MitM) attacks. If a
Man-in-the-Middle can impersonate the mail server, he can connect to the mail
server (or to another resource which supports NTLMv1 authentication, such
as an SMB server or a Web server).

+--------------+
| Impersonated |
|     Mail     |     +------------+  challenge   +--------+
|    Server    |     |   Man In   | ---------->  | Client |
+--------------+     | The Middle | <----------  +--------+
                     +------------+   response
+--------------+  response  |  ^
|  Corporate   | <----------+  |
| file server  | --------------+
+--------------+  challenge

The client will think it has been authenticated by the Mail Server, while in
fact it gives the attacker access to the corporate file server. This is a
common NTLM v1 problem. It was eliminated in NTLM v2 by introducing mutual
authentication, but NTLMv2 probably is not implemented yet in
Exchange/Outlook Express.
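The relay in the diagram above depends on one protocol property: the client's response is a function only of its secret and the challenge it was handed, with nothing that identifies the server the client believes it is talking to. The following Python model is an added example, not code from the advisory. It uses HMAC-SHA256 as a stand-in for the DES-based NTLMv1 computation (and SHA-256 of the UTF-16LE password in place of the MD4 NT hash, since MD4 is unavailable in many Python builds); the relay works identically for any `f(secret, challenge)`. The second half shows why binding the response to the client's intended target name defeats the relay; this is an illustration of the principle, not a description of NTLMv2's actual message format. All names and hosts are constructed.

```python
import hashlib
import hmac
import secrets


def nt_hash(password: str) -> bytes:
    # Stand-in for the NT hash MD4(UTF-16LE(password)); SHA-256 keeps the
    # example runnable everywhere. Only the shape (a per-user secret) matters.
    return hashlib.sha256(password.encode("utf-16-le")).digest()


def challenge_response(secret: bytes, challenge: bytes) -> bytes:
    # Stand-in for NTLMv1: response depends on the secret and the 8-byte
    # challenge alone. Nothing names the peer the client thinks it is
    # authenticating to, which is exactly what the relay exploits.
    return hmac.new(secret, challenge, hashlib.sha256).digest()


def bound_response(secret: bytes, challenge: bytes, target: str) -> bytes:
    # Hardened variant for comparison: the response also covers the name of
    # the server the *client* intends to reach.
    return hmac.new(secret, challenge + target.encode(), hashlib.sha256).digest()


class Client:
    """Outlook Express-style client: answers whatever challenge the peer sends."""

    def __init__(self, username: str, password: str):
        self.username = username
        self.secret = nt_hash(password)

    def respond(self, challenge: bytes) -> bytes:
        return challenge_response(self.secret, challenge)


class CorporateServer:
    """Any NTLMv1-speaking resource inside the organization (file or web server)."""

    def __init__(self, name: str, accounts: dict):
        self.name = name
        self.secrets = {u: nt_hash(p) for u, p in accounts.items()}

    def challenge(self) -> bytes:
        return secrets.token_bytes(8)

    def verify(self, username: str, challenge: bytes, response: bytes) -> bool:
        expected = challenge_response(self.secrets[username], challenge)
        return hmac.compare_digest(expected, response)


def relay_attack(client: Client, corp: CorporateServer) -> bool:
    """Man-in-the-middle posing as the mail server. It opens a session to the
    corporate server, forwards that server's challenge to the client as if it
    were the mail server's, and passes the client's answer back. Returns
    whether the corporate server accepted the relayed response."""
    chal = corp.challenge()        # challenge really comes from corporate server
    resp = client.respond(chal)    # client answers, believing it is the mail server
    return corp.verify(client.username, chal, resp)


def relay_attack_with_binding(client: Client, corp: CorporateServer,
                              believed_target: str) -> bool:
    """Same relay, but both sides use the target-bound response. The client
    binds to the name it dialed; the corporate server binds to its own name."""
    chal = corp.challenge()
    resp = bound_response(client.secret, chal, believed_target)
    expected = bound_response(corp.secrets[client.username], chal, corp.name)
    return hmac.compare_digest(expected, resp)


if __name__ == "__main__":
    # Constructed sample principal and servers.
    alice = Client("alice", "correct horse battery staple")
    files = CorporateServer("files.corp.example", {"alice": "correct horse battery staple"})
    print("NTLMv1-style relay accepted:", relay_attack(alice, files))
    print("relay with target binding accepted:",
          relay_attack_with_binding(alice, files, "pop.freemail.example"))
```

Run stand-alone, the first line prints `True` (the relayed response authenticates the attacker's session to the file server) and the second prints `False`, because the client computed its answer for `pop.freemail.example` while the file server expects one bound to `files.corp.example`.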


When SPA is selected for (let's say) a POP3 account in Outlook Express,
Outlook Express doesn't use the username/password provided in the account
information. First, it tries to connect to the POP3 server with the user's
system (for example Windows NT domain) logon credentials. Only if that
fails does Outlook Express ask the user for a username/password, and it
stores this password in the user's password list (as Windows does for
NetBIOS shares). It will use a single username/password for all Outlook
Express accounts on the same server. Even if you delete the account and
create a new one, you will connect to the server with the old username and
password (if the server doesn't report an error).

If the user uses an outside POP3 server, a malicious POP3 server operator can
use this behavior to connect to corporate resources with the user's domain

 +-------------+  challenge   +--------+
 |  Malicious  | ---------->  | Client |
 | POP3 Server | <----------  +--------+
 +-------------+   response
       ^  |
       |  |  response
       |  +----------------> +-----------+
       |     challenge       | Corporate |
       +-------------------- |  Server   |
                             +-----------+

Internet Explorer security settings don't change the behavior of Outlook
Express for this issue. By using little tricks with the "AUTH NTLM" protocol,
a server can cause several challenge/response exchanges during one
authentication attempt without prompting the user. This gives a malicious
server operator the ability to request several password-protected resources
(for example from the corporate web server) during one client authentication.
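The two observable symptoms of the behaviour described in this section are (a) an SPA/NTLM authentication to a mail server that is not one of the organization's Exchange servers, and (b) more than one NTLM challenge inside a single `AUTH NTLM` attempt. Both are visible in a POP3 session transcript, because each NTLM message is base64 text beginning with the `NTLMSSP\0` signature followed by a little-endian 32-bit message type (1 = negotiate, 2 = challenge, 3 = authenticate). The audit script below is an added example written for this page, not the advisory author's code; the transcript lines, host names and trusted-server list are constructed, and the `C: `/`S: ` prefixes are an assumed capture format.

```python
import base64
import struct

NTLMSSP_SIGNATURE = b"NTLMSSP\x00"
NTLM_CHALLENGE = 2  # Type 2 message, sent server -> client


def ntlm_message_type(b64_text: str):
    """Return the NTLM message type carried in a base64 SASL line, or None if
    the line is not a well-formed NTLMSSP message."""
    try:
        raw = base64.b64decode(b64_text, validate=True)
    except ValueError:          # binascii.Error is a ValueError subclass
        return None
    if len(raw) < 12 or not raw.startswith(NTLMSSP_SIGNATURE):
        return None
    return struct.unpack_from("<I", raw, 8)[0]


def make_ntlm(msg_type: int) -> str:
    """Constructed minimal NTLMSSP message (signature, type, zero padding) used
    only to build the sample transcripts below."""
    return base64.b64encode(NTLMSSP_SIGNATURE + struct.pack("<I", msg_type) + b"\x00" * 20).decode()


def audit_pop3_session(lines, host: str, trusted_exchange_hosts):
    """Walk a captured POP3 session and return a list of findings.

    Flags: AUTH NTLM to a host outside the trusted Exchange list, and more
    than one Type 2 challenge within a single AUTH NTLM attempt (the
    multi-round trick described in the advisory)."""
    findings = []
    in_auth = False
    challenges = 0
    for line in lines:
        side, _, text = line.partition(": ")
        if side == "C" and text.upper().startswith("AUTH NTLM"):
            in_auth, challenges = True, 0
            if host.lower() not in {h.lower() for h in trusted_exchange_hosts}:
                findings.append(f"{host}: SPA/NTLM authentication to a non-Exchange host")
            continue
        if not in_auth:
            continue
        if side == "S":
            if text.startswith("+ "):                     # SASL continuation
                if ntlm_message_type(text[2:].strip()) == NTLM_CHALLENGE:
                    challenges += 1
                    if challenges > 1:
                        findings.append(
                            f"{host}: {challenges} NTLM challenges within one AUTH NTLM "
                            f"(server may be relaying to additional resources)")
            elif text.startswith(("+OK", "-ERR")):        # AUTH finished
                in_auth = False
    return findings


# Constructed sample captures. The benign one is a normal three-message NTLM
# exchange; the suspicious one has the server issue a second challenge before
# completing the same AUTH.
TRUSTED_EXCHANGE = ["exchange.corp.example"]

BENIGN_SESSION = [
    "S: +OK POP3 ready",
    "C: AUTH NTLM",
    "S: + ",
    "C: " + make_ntlm(1),
    "S: + " + make_ntlm(2),
    "C: " + make_ntlm(3),
    "S: +OK authenticated",
]

SUSPICIOUS_SESSION = [
    "S: +OK POP3 ready",
    "C: AUTH NTLM",
    "S: + ",
    "C: " + make_ntlm(1),
    "S: + " + make_ntlm(2),
    "C: " + make_ntlm(3),
    "S: + " + make_ntlm(2),   # second challenge inside the same AUTH
    "C: " + make_ntlm(3),
    "S: +OK authenticated",
]

if __name__ == "__main__":
    for finding in audit_pop3_session(BENIGN_SESSION, "exchange.corp.example", TRUSTED_EXCHANGE):
        print(finding)
    for finding in audit_pop3_session(SUSPICIOUS_SESSION, "pop.freemail.example", TRUSTED_EXCHANGE):
        print(finding)
```

The benign capture produces no findings; the second produces two, one for the untrusted host and one for the extra challenge. The same checks apply unchanged to IMAP and SMTP `AUTH NTLM` exchanges once the continuation prefix (`+ ` for IMAP, `334 ` for SMTP) is adjusted.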

3. Conclusion

Never use SPA to connect to hosts unless these hosts are Exchange servers in
your domain.

4. Other products

MS Outlook may also be vulnerable but was never tested. IMAP4 and SMTP
authentication were not checked, but are believed to be vulnerable.

5. Vendor

Microsoft was contacted on October 5 via and gave
no feedback on this issue after October 17.

        { , . }     |\
+--oQQo->{ ^ }<-----+ \
|  ZARAZA  U  3APA3A   }
+-------------o66o--+ /
You know my name - look up my number (The Beatles)
