SECURITY.NNOV: Outlook Express and SPA (Secure Password Authentication)

From: 3APA3A (3APA3A@SECURITY.NNOV.RU)
Date: 11/22/01


Message-ID:  <140294930878.20011122212622@SECURITY.NNOV.RU>
Date:         Thu, 22 Nov 2001 21:26:22 +0300
From: 3APA3A <3APA3A@SECURITY.NNOV.RU>
Subject:      SECURITY.NNOV: Outlook Express and SPA (Secure Password Authentication)
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM

Hello bugtraq,

The information below is not actually a bug description but a warning about
a design flaw in Microsoft Outlook Express "secure" authentication.

Original source for this advisory:
http://www.security.nnov.ru/advisories/oespa.asp

Topic: Outlook Express and SPA (Secure Password Authentication)
Author: 3APA3A <3APA3A@security.nnov.ru>
Affected Software: Internet Explorer 5.5, 6.0
Vendor: Microsoft
Status: Informational

1. Background:

Outlook Express doesn't support CRAM-MD5 or APOP, so there is only one way
to authenticate a user to a POP3/IMAP/SMTP server without sending the
cleartext password on the wire: SPA (Secure Password Authentication). It is
normally used with Exchange, but a few 3rd-party mail servers support it
too.

There are two issues with this kind of authentication that make it even
more dangerous than cleartext when used outside the organization's site.

2. Problems description:

(1)
Secure Password Authentication is in fact NTLM v1.

NTLM v1 is known to be vulnerable to man-in-the-middle (relay) attacks. If
a man-in-the-middle can impersonate the mail server, he can use the
client's challenge response to authenticate himself to the mail server (or
to any other resource that accepts NTLMv1 authentication, such as an SMB
server or a web server).

+--------------+
| Impersonated |
|     Mail     |     +------------+  challenge   +--------+
|    Server    |     |   Man In   | -----------> | Client |
+--------------+     | The Middle | <----------- +--------+
                     +------------+   response
+--------------+  response  |  ^
|  Corporate   | <----------+  |
| file server  | --------------+
+--------------+  challenge

The client believes it has been authenticated by the mail server, while in
fact it has given the attacker access to the corporate file server. This is
the well-known NTLM v1 relay problem. NTLMv2 does not remove it by itself
(a relayed NTLMv2 response is accepted just as well unless session signing
or channel binding ties the exchange to the intended server), and in any
case NTLMv2 is probably not implemented yet in Exchange/Outlook Express.

(2)

When SPA is selected for (let's say) a POP3 account in Outlook Express,
Outlook Express doesn't use the username/password given in the account
settings. First, it tries to connect to the POP3 server with the user's
system (for example Windows NT domain) logon credentials. Only if that
fails does Outlook Express ask the user for a username/password, and it
then stores this password in the user's password list (as Windows does for
NetBIOS shares). It uses a single username/password for all Outlook
Express accounts on the same server. Even if you delete the account and
create a new one, you will connect to the server with the old username and
password (as long as the server doesn't report an error).

If the user uses an outside POP3 server, a malicious POP3 server operator
can use this behaviour to connect to corporate resources with the user's
domain credentials.

 +-------------+  challenge   +--------+
 |  Malicious  | -----------> | Client |
 | POP3 Server | <----------- +--------+
 +-------------+   response
        ^  |
        |  |  response
        |  +-------------------> +-----------+
        |  challenge             | Corporate |
        +----------------------- |  Server   |
                                 +-----------+

Internet Explorer security settings don't change Outlook Express's
behaviour for this issue. With small tricks in the "AUTH NTLM" protocol, a
server can cause several challenge/response exchanges during a single
authentication attempt without prompting the user. This gives the
malicious server operator the ability to request several
password-protected resources (for example from the corporate web server)
during one client authentication.

3. Conclusion

Never use SPA to connect to hosts that are not Exchange servers in your own
domain.

4. Other products

MS Outlook may also be vulnerable but was never tested. IMAP4 and SMTP
authentication were not checked but are believed to be vulnerable.

5. Vendor

Microsoft was contacted on October 5 via secure@microsoft.com and has given
no feedback on this issue since October 17.

--
http://www.security.nnov.ru
         /\_/\
        { , . }     |\
+--oQQo->{ ^ }<-----+ \
|  ZARAZA  U  3APA3A   }
+-------------o66o--+ /
                    |/
You know my name - look up my number (The Beatles)



