FW: BRUTE FORCE FLAW in .NET Passport "Change Password" utility
From: Lawrence Garvin (LGARVIN) (lgarvin_at_EFOREST.NET)
Date: 06/29/03
Date: Sat, 28 Jun 2003 19:05:34 -0500
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
Well, I shared this with Microsoft. From the verbiage in their reply,
which took them a whole week to work up... they're of the opinion that this
is no big deal.
Maybe it's not a big deal... but it certainly violates every fundamental
principle of how to write a "login" interface that I've read in the past
twenty years.
To summarize. In the .NET Passport "Change Password" utility -- if one
chooses this utility, first they are prompted to enter their State and Zip
Code, having already been supplied with the account name and country. I'm
not sure what functional verification this supports. In my thoughts, it has
minimal security value, since an account holder's "State" and "Zip Code" are
hardly "secret" material.
Then the next screen has three fields: the answer to the secret
question, and two fields to enter and verify the NEW password.
The user is prompted with their chosen "secret question". In fact, any
person who correctly guesses the home state and zip code of any .NET
Passport user will now be presented with this screen. Microsoft, however,
doesn't suggest at any time in the .NET Passport registration that this
"secret question" should be manufactured based on REAL SECRET information.
When I registered, I created the question "What is my father's middle
name?". Certainly not readily available information to the average person,
but also not information that is totally unavailable to somebody that spent
a few minutes looking. Microsoft doesn't mention that virtually anybody can
be presented with that question; that the question/answer combination should
be something that only I know; or that this question/answer combination is
the only piece of information that permits or denies a person's ability to
change a password. In fact, Microsoft didn't even respond to my notes about
that issue.
But here's the critical issue. Having been presented with this secret
question, and assuming that the answer to the question is not readily
available to somebody wishing to compromise an account -- it's quite
possible for an individual, through brute force methods, to guess the
correct answer. The problem here is that Microsoft apparently equates "brute
force" to "automated high-speed methods". Microsoft points out that a user's
account is "locked" when such attempts happen. I also personally noted that
such locks expire in only a few minutes.
Furthermore, if one correctly guesses the answer to the secret question,
Microsoft actually tells the user they've guessed the correct answer? How is
this done? Put the proposed answer to the secret question in all three
fields. If the answer is wrong, Microsoft kindly tells the user that the
answer is incorrect. If the answer is correct, however, Microsoft replies
that one cannot have a password equal to the answer to the secret question.
The fundamental flaw here is that the programmers assumed that nobody
would want to use the answer to the secret question as their password;
therefore attempting to do so must be an error. Unfortunately, providing
the information that the password cannot be the same as the answer to the
secret question ONLY when the answer to the secret is correct is a serious
flaw. The correct response is to provide that answer ALWAYS when the values
are identical, and that test should occur before the answer is evaluated
against the question. Apparently, Microsoft disagrees.
Having successfully guessed the correct answer to the secret question
(assuming one couldn't simply "look up" the correct answer because the user
chose a poor question to start with), one can now change the password at
will.
As is noted from the official Microsoft response, they don't seem to
think this is a problem, and apparently plan to take no action to change
anything in the design or implementation of this utility.
Am I wrong..... or does the Passport community have a serious challenge?
Lawrence Garvin
Houston, Texas
-----Original Message-----
From: Microsoft Security Response Center [mailto:secure@microsoft.com]
Sent: Friday, June 27, 2003 8:05 PM
To: lgarvin@eforest.net
Cc: Microsoft Security Response Center
Subject: RE: BRUTE FORCE FLAW in .NET Passport "Change Password" utility
!!!!! IMMEDIATE RESPONSE IMPERATIVE!!!! [pz]
Dear Mr. Garvin;
Your feedback is well-taken and very much appreciated. However, if my
understanding of your concerns is correct, they do not appear to be
vulnerabilities in the Passport password reset system.
I have isolated some quotes from your mail that appear to be your main
concerns and copied them below, along with some information from our side
that will hopefully help alleviate them.
"So here's the fundamental FLAW in this screen. If one enters the SAME WORD
for the Secret Question and the NEW PASSWORD fields, and the ANSWER to the
Secret Question is incorrect, one gets a notice that the answer was
incorrect."
No unauthorized account information can be viewed or changed until the
answer to the secret question has been verified. Therefore, any entry in the
"New Password" field is not considered until the correct answer to the
secret question is entered. The informative error message is used to help
our customers understand why they were not granted access to their account
-- regardless of their level of technical knowledge or experience.
"If one actually gets the CORRECT ANSWER to the "Secret Question", the .NET
Passport "Change My Password" utility actually tells the user that they
GUESSED the correct ANSWER to the "Secret Question"!!! Specifically it
responds in big red type: Your password cannot be a part of your secret
answer. The message itself really isn't the problem, except that this answer
only appears when the answer to the "secret question" is CORRECT!"
The secret question & answer system is a means of identifying a user as the
owner of a specific account (like a password). This system allows our
customers to employ a very high level of security on their account by using
a secret question that is very difficult for anyone else but them to answer
correctly. As with a password, however, the answer to the secret question
must be guarded. In order for someone to receive the "new password" error
message you mentioned above, they would have to already know the correct
answer to the secret question.
Lastly, you mentioned a concern about the potential effects of a "brute
force" attack on this tool. We have employed several countermeasures to help
combat such attacks. For instance, one method we use is to temporarily
suspend a Passport account after a certain number of sign-in attempts to
that account have failed. This, and other security measures are already in
use, and are reviewed and updated on a regular basis.
Please be assured that protecting our customers is our top priority. We
appreciate you taking the time to bring your concerns to our attention.
If you have further concerns or comments, please feel free to send them to
us at SECURE@MICROSOFT.COM.
Many thanks once again;
Paul
-----Original Message-----
From: Microsoft Security Response Center
Sent: Tuesday, June 24, 2003 10:09 PM
To: 'lgarvin@eforest.net'
Cc: Microsoft Security Response Center
Subject: RE: BRUTE FORCE FLAW in .NET Passport "Change Password" utility
!!!!! IMMEDIATE RESPONSE IMPERATIVE!!!! [pz]
Dear Mr. Garvin;
Thank you for contacting the Microsoft Security Response Center regarding
your security concerns. We will investigate these concerns, and update you
with our findings shortly.
Please feel free to reply to this mail with questions or further input about
this matter.
Thank you again -
Paul
secure@microsoft.com
-----Original Message-----
From: Lawrence Garvin (LGARVIN) [mailto:lgarvin@eforest.net]
Sent: Friday, June 20, 2003 8:04 PM
To: Passport Privacy Questions; Security - Corporate Security Services
Subject: ITG: BRUTE FORCE FLAW in .NET Passport "Change Password" utility
!!!!! IMMEDIATE RESPONSE IMPERATIVE!!!!
Ahh.. A REAL email address.... Much better than those stupid
web-based forms which seem to have limits on the number of characters in the
message, which makes it impossible to relay the whole story.
Since this seems to be the ONLY email address published on the NET
Passport web site, would you kindly forward this message to the people who
handle SECURITY for .NET Passport Services. I'm sincerely hoping they'll be
interested in this issue. Just as a shot in the dark, I've also copied this
message to 'security@microsoft.com' -- maybe the obvious email address will
get this where it needs to go also.
The .NET Passport "Change my password" utility has a Brute Force
FLAW in its implementation, and should be reprogrammed immediately. In
fact, it probably ought to be redesigned, since the DESIGN of the "Change my
password" process is about as lame as any security process for
self-modification of a password that I've seen in over twenty years in the
industry.
After supplying the State and Zip Code for a given Passport account
(in this case mine, but certainly not secret information to anybody who
wishes to compromise a Passport account), the next screen appears, inviting
the user to answer their "secret question" (the question being automatically
provided), and enter their new password.
In effect, the ONLY thing in this entire process that "protects"
somebody from changing the password of a Passport account, is knowing the
ANSWER to the "secret question". Unfortunately, the sign-up web pages do a
very POOR job of describing to the user that Microsoft really means this to
be a SECRET question.. One that only the respondent would ever know the
answer to. In my case, I chose the question "What is my father's middle
name?" In reality, there are probably only six people in the entire world
that know my (deceased) father's middle name from memory. Nevertheless, it
is a matter of public record for somebody who really wanted to find it.
Complicate that with the fact that this is on the account
"lawrencegarvin@msn.com" -- how many Lawrence Garvins do you imagine there
are in the United States?
So here's the fundamental FLAW in this screen. If one enters the
SAME WORD for the Secret Question and the NEW PASSWORD fields, and the
ANSWER to the Secret Question is incorrect, one gets a notice that the
answer was incorrect. Now, for as long as people have been writing security
handbooks about usernames and passwords, it's been generally accepted best
practice not to tell the user what part of their answer was incorrect --
but, here we see, .NET Passport does exactly that!
But that's not even the part I'm writing about. If one actually gets
the CORRECT ANSWER to the "Secret Question", the .NET Passport "Change My
Password" utility actually tells the user that they GUESSED the correct
ANSWER to the "Secret Question"!!!
Specifically it responds in big red type: Your password cannot be a
part of your secret answer. The message itself really isn't the problem,
except that this answer only appears when the answer to the "secret
question" is CORRECT!
Now.. How much of an effort, via brute force techniques, do you
imagine it would take for many of the .NET Passport clients to identify the
correct answer to the PUBLISHED "Secret Question"??? All one has to do is
identify the correct ANSWER to the Secret Question, change the password, and
PRESTO! -- the account is permanently compromised.
Recommendation for changes:
1. Assuming the utility is not redesigned (which it should be), at
a minimum, ANYTIME a user enters an answer to the "secret question" that is
identical to the value entered in the password field, the preceding error
message should be displayed, including if the answer to the "secret
question" is INCORRECT!
2. Redesign the utility.
a. Ask the user for the answer to the "secret question" --
but provide no additional blanks to fill in.
b. Additional enhancement -- require the user to SELECT the
correct "secret question" from a list of four or five possible choices
BEFORE providing the answer.
c. AFTER identifying the correct answer to the "secret
question", display a SECOND SCREEN to enter the new password.
Please respond to this message upon initial receipt, upon advisory
that it has been forwarded to the appropriate people, as well as advice that
the security flaw will be fixed.
In the event that I do not receive a response from Microsoft by the
30th of June, it is my intent, in conformance with the philosophy of "full
disclosure", to post this "brute force" flaw to the appropriate mailing
lists at SecurityFocus.
_________________________________________
Lawrence Garvin
Principal/CEO
Onsite West Houston
http://onsite.eforest.net
ICQ#: 38440195
_________________________________________
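The check-ordering defect Garvin describes in his summary ("the correct response is to provide that answer ALWAYS when the values are identical, and that test should occur before the answer is evaluated against the question") and in recommendation 1 above, shown as an added illustration that is not part of the original thread or of Passport's code: a simulated reset handler with the reported ordering beside one that applies every field-only rule before verifying the answer, plus a regression check that the message no longer depends on whether the answer was right. Account storage, message strings and the overlap rule are assumptions for the illustration.

```python
import hmac

def _norm(s: str) -> str:
    return s.strip().lower()

def _answer_ok(submitted: str, stored: str) -> bool:
    # Constant-time comparison of the normalised answers.
    return hmac.compare_digest(_norm(submitted).encode(), _norm(stored).encode())

def _overlaps(answer: str, new_pw: str) -> bool:
    # "Your password cannot be a part of your secret answer", evaluated against the
    # SUBMITTED answer only; checking against the stored answer would itself leak it.
    a, p = _norm(answer), _norm(new_pw)
    return bool(a) and bool(p) and (p in a or a in p)

INCORRECT = "The answer to your secret question is incorrect."
MISMATCH = "The new password fields do not match."
OVERLAP = "Your password cannot be a part of your secret answer."
CHANGED = "Your password has been changed."

def reset_vulnerable(acct: dict, answer: str, new_pw: str, confirm: str) -> str:
    # Ordering the post describes: the answer is verified first, so OVERLAP is
    # only ever shown after a correct answer, which is what confirms a guess.
    if not _answer_ok(answer, acct["secret_answer"]):
        return INCORRECT
    if new_pw != confirm:
        return MISMATCH
    if _overlaps(answer, new_pw):
        return OVERLAP
    acct["password"] = new_pw
    return CHANGED

def reset_hardened(acct: dict, answer: str, new_pw: str, confirm: str) -> str:
    # Recommendation 1: rules that depend only on the submitted fields run before
    # the answer is verified, so their messages carry no information about it.
    if new_pw != confirm:
        return MISMATCH
    if _overlaps(answer, new_pw):
        return OVERLAP
    if not _answer_ok(answer, acct["secret_answer"]):
        return INCORRECT
    acct["password"] = new_pw
    return CHANGED

def message_depends_on_answer(handler, real_answer: str) -> bool:
    # Regression check: one value in all three fields, once wrong and once right,
    # must draw the same message, and the password must stay unchanged.
    acct = {"secret_answer": real_answer, "password": "old-password"}
    wrong = real_answer + "x"
    r_wrong = handler(acct, wrong, wrong, wrong)
    r_right = handler(acct, real_answer, real_answer, real_answer)
    return r_wrong != r_right or acct["password"] != "old-password"
```

The hardened ordering still leaves the answer as the sole credential; it only removes the side channel, which is why recommendation 2 (a separate screen for the new password, shown only after the answer is verified) is the better design.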