IIS 5.0 Digest authentication does not process username strings properly

From: Jannie Hanekom (jannie.hanekom_at_OPENDEV.NET)
Date: 05/08/03

    Date:         Thu, 8 May 2003 03:57:31 +0100
    To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
    
    

    IIS 5.0 Digest authentication does not process username strings properly

    Severity: Minimal?

    We have discovered a flaw in the way Digest Authentication processes the
    username portion of authentication requests. Sending a
    "DOMAIN\username" instead of just a username for a resource protected
    with Digest Authentication results in IIS passing the request on to the
    OS as DOMAIN\\username (this is the value recorded in the IIS log files
    - Windows event logs record a failed logon attempt with domain of
    "DOMAIN" and username of "\username").

    The result is that IIS allows arbitrary users to send malformed account
    names to the operating system. We do not know the exact impact of this,
    but have noticed odd behavior when sending a null username (DOMAIN\) or
    special characters (more backslashes or other characters) in the browser
    request. With a '\' as a username, Windows 2000 responds as if the
    account exists, but that the password supplied is invalid.

    The bug appears to be that the Digest Auth filter does not handle the
    string that the browser sends to it properly (network traces reveal the
    browser sends "DOMAIN\\USERNAME" - probably a C-style string with a
    double-backslash to indicate it's not an escape sequence).

    Contacting PSS has yielded varying responses from "it should work"
    initially to strong denials that this (faulty) behavior is a bug at all.

    Initially we were trying to get Digest Authentication working with
    accounts in trusted domains, but now we are worried that this bug may
    allow for potential security vulnerabilities.

    Does anyone have any input on this matter?

    Regards
    Jan Hanekom
    Open Developers
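
An added example, not part of the original post and not IIS code: RFC 2617 defines the Digest `username` as a quoted-string, in which a backslash escapes the character after it, so `DOMAIN\\USERNAME` on the wire denotes `DOMAIN\USERNAME`. The sketch below decodes that escaping and then rejects empty or backslash-bearing account names before they would be handed to a logon call; the function names and the sample header are constructed for illustration.

```python
import re

# key=value pairs of a Digest header: the value is an RFC 2616 quoted-string
# (which may contain backslash quoted-pairs) or a bare token.
_PARAM = re.compile(r'(\w+)\s*=\s*(?:"((?:[^"\\]|\\.)*)"|([^\s,]+))')
_QUOTED_PAIR = re.compile(r'\\(.)')

# Constructed sample: the username bytes are DOMAIN\\username, as in the trace.
SAMPLE = r'Digest username="DOMAIN\\username", realm="example.test", nonce="constructed", uri="/"'


def parse_digest_params(header_value):
    """Return the header's parameters with quoted-pair escaping decoded."""
    scheme, _, rest = header_value.partition(" ")
    if scheme.lower() != "digest":
        raise ValueError("not a Digest Authorization header")
    params = {}
    for key, quoted, token in _PARAM.findall(rest):
        # Decode \x to x inside quoted-strings; tokens are taken literally.
        value = _QUOTED_PAIR.sub(lambda m: m.group(1), quoted) if quoted else token
        params[key.lower()] = value
    return params


def split_account(username):
    """Split a decoded name into (domain, user), rejecting malformed names."""
    if "\\" in username:
        domain, _, user = username.partition("\\")
        if not domain:
            raise ValueError("empty domain part")
    else:
        domain, user = "", username
    if not user:
        raise ValueError("empty user part")
    if "\\" in user or any(ord(c) < 0x20 for c in user):
        raise ValueError("backslash or control character in user part")
    return domain, user


def account_from_header(header_value):
    """Decode, then validate, the account named in an Authorization value."""
    return split_account(parse_digest_params(header_value)["username"])


if __name__ == "__main__":
    print(account_from_header(SAMPLE))  # ('DOMAIN', 'username')
```

Passing the undecoded string `DOMAIN\\username` straight to `split_account` is rejected because the user part would begin with a backslash, which is the "\username" value the post reports in the Windows event log.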
