Re: XWT Foundation Advisory

From: Peter Watkins (peterw@usa.net)
Date: 07/30/02


Date: Tue, 30 Jul 2002 00:57:52 -0400
From: Peter Watkins <peterw@usa.net>
To: Microsoft Security Response Center <secure@microsoft.com>


On Mon, Jul 29, 2002 at 03:38:27PM -0700, Microsoft Security Response Center wrote:
>
> Hi All -
>
> We'd like to set the record straight as regards the advisory
> published today by the XWT Foundation.

> address the issue via a service pack. Accordingly, a fix has been
> included in IE 6 Service Pack 1, which is due to be released shortly.

What about IE 5.x?

> Among the barriers that an attacker would face in attempting to
> exploit the vulnerability are the following:

> * It would require that the attacker host a DNS server, a fact that
> would be traceable.

Not host a DNS server, but be able to publish DNS records. I know of at
least one DNS provider who hosts zone files for free, with the only
accountability being an email address (i.e., no accountability). Sure, the
attacker also needs to register a domain name, but how traceable is that,
really? Hijack an existing (unused?) domain & the attacker is set...

> * The attacker would need detailed information about the internals of
> the user's network, such as intranet server names.

The attacker needs no server names, only IP addresses, and the IANA
reserved address space reduces the number of likely targets. Is an IP
address in 192.168.0.0 "detailed" information? I wouldn't say so.

> * If the intranet site were an HTTPS: site, a dialog would warn the
> user that the name on the site's certificate did not match the domain
> name.

Aw, c'mon. How many companies use https for internal servers?

(Ironically, MSFT's integration of IPSEC in recent versions of Windows has
likely convinced some enterprises to use IPSEC as a global solution to the
longstanding problem of cleartext/unauthenticated network traffic. Such
enterprises are less likely to bother with SSL/TLS, and more likely to be
vulnerable to this browser-based attack. Go figure.)

> * If the intranet site used cookie-based authentication, the attack
> would fail because the attacker's site would be unable to
> authenticate on behalf of the user

Another red herring. How many unlikely "safe" scenarios do you want to
discuss? The reality is that typical "intranet" setups don't use https and
do make available a good bit of information without *any* authentication.
In many (most?) cases it's believed that the intranet can only be accessed
from behind the firewall, so authentication is not needed. This attack
scenario shreds that assumption.

> * The attack would not work against web servers configured to support
> multiple host headers, with the exception of any content served up at
> the "default" site.

Again, an unlikely "safe" scenario. Internal servers are *far* less likely
to be configured for multiple host-by-name servers than external/public
servers. Also I note that Michael Howard's checklist for securing IIS 5.0
(Microsoft's http server offering) makes no mention of tweaking the
virtual host configuration for security reasons as you (now) suggest.

-Peter

-- 
Peter Watkins - peterw@tux.org - peterw@usa.net - http://www.tux.org/~peterw/ 
Private personal mail: use PGP key F4F397A8; more sensitive data? Use 2D123692
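The "multiple host headers" mitigation that Microsoft cites and Peter dismisses as rarely configured on internal servers is straightforward to illustrate. The following is an added example, not code from this thread, from Microsoft or from the XWT Foundation. It models an intranet HTTP server that answers only for the host names it is known by: in the quick-swap DNS scenario the browser sends a request for the attacker's domain name to an intranet IP address, so the Host header names the attacker's domain and the server refuses it. The host names, the 192.168.0.10 address and the attacker's domain are assumed for illustration.

```python
"""Host-header allow-list for an intranet HTTP server.

Added example (not from the original thread). In the XWT advisory's attack
the victim's browser sends a request whose Host header carries the
attacker's domain name to an intranet IP address. A server that only
answers for the names it is legitimately reachable as refuses that
request. Names and addresses below are constructed for illustration.
"""

# Hypothetical names this intranet server is legitimately reachable as.
# A bare IP literal is included so that http://192.168.0.10/ still works
# for users who type the address directly.
ALLOWED_HOSTS = {"intranet", "intranet.corp.example", "192.168.0.10"}


def normalize_host(host_header):
    """Lower-case the Host value and strip an optional :port.

    Returns None for an empty or malformed header. An IPv6 literal such as
    "[::1]:8080" is reduced to "::1".
    """
    if not host_header:
        return None
    h = host_header.strip().lower()
    if h.startswith("["):
        end = h.find("]")
        if end < 0:
            return None
        return h[1:end] or None
    if h.count(":") == 1:
        h = h.split(":", 1)[0]
    return h or None


def host_allowed(host_header, allowed=ALLOWED_HOSTS):
    """True only if the Host header names this server by an expected name."""
    h = normalize_host(host_header)
    if h is None:
        return False
    return h in {a.lower() for a in allowed}


def app(environ, start_response):
    """Minimal WSGI application guarded by the Host allow-list.

    Unknown or missing Host values get 421 Misdirected Request and no
    intranet content; this is the behaviour of a server configured with
    named virtual hosts and no catch-all default site.
    """
    if not host_allowed(environ.get("HTTP_HOST", "")):
        start_response("421 Misdirected Request",
                       [("Content-Type", "text/plain")])
        return [b"unknown host\n"]
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"intranet directory listing\n"]


def simulate(host_header):
    """Drive app() with a constructed request; returns (status, body)."""
    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": "/",
               "HTTP_HOST": host_header}
    status = {}

    def start_response(line, headers, exc_info=None):
        status["line"] = line

    body = b"".join(app(environ, start_response))
    return status["line"], body


if __name__ == "__main__":
    # Legitimate intranet user: browser URL http://intranet/
    print("intranet        ->", simulate("intranet")[0])
    # Rebinding victim: browser URL http://attacker.example/ but the name
    # now resolves to 192.168.0.10, so the request reaches this server.
    print("attacker.example->", simulate("attacker.example")[0])
```

The check only helps if the content is not also exposed on a catch-all default site, which is the caveat in Microsoft's own bullet; a server that answers every Host value with the same pages gains nothing from it.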



