Domain Name Forging On Authentication Prompt

From: Brett Moore (brett.moore_at_security-assessment.com)
Date: 05/09/03

    To: <vuln-dev@securityfocus.com>, "Focus-MS" <focus-ms@securityfocus.com>, <webappsec@securityfocus.com>
    Date: Fri, 9 May 2003 14:43:31 +1200

    =================================================
    Domain Name Forging On Authentication Prompt
    -------------------------------------------------
    Tested under
            * Win2k Server, fully patched, with IE 6.0
            * Winxp, fully patched, with IE 6.0
    =================================================

    * Background *

    When browsing to a folder/file that is protected by BASIC or NTLM
    authentication a window is displayed to the user, prompting for
    user credentials.

    +------------------------------------------+
    | Please type your user name and password  |
    | Site:     [IP/Host]                      |
    | Realm:    [Domain ]                      |
    | Username: [       ]                      |
    | Password: [       ]                      |
    |           [OK]  [CANCEL]                 |
    +------------------------------------------+

    * Details *

    It is possible to use the Msxml2.XMLHTTP object to create a login box and
    set the realm to an arbitrary value.

    Using the object to make a request to a URI that requires authentication
    and setting the HOST header to a domain of our choosing, the login prompt
    will be displayed using the HOST header value as the realm.

    Although the SITE displayed will be the IP of the URI (xxx.xxx.x.xx),
    unwary users may trust the realm value and enter their login credentials.

    By running a sniffer on the machine hosting the protected folder, it is
    possible to sniff the BASIC authorization string, which in turn can be
    base64 decoded to reveal the plaintext username:password pair.

    This could be made more effective by using XSS to have the script appear to
    be running from a valid domain.

    The sample script below should be enough to demonstrate.

    Note: To bypass IE domain restrictions the IP of the protected folder needs
    to be the same as the site hosting the script.

    [Code Sample]
    <script language="vbscript">
    ' Request a resource that demands BASIC/NTLM authentication through
    ' Msxml2.XMLHTTP, overriding the Host header so that IE's credential
    ' prompt shows the chosen name in its Realm field.
    function sendinfo()
    Dim myhttp

    Set myhttp = CreateObject("Msxml2.XMLHTTP")
    ' xxx.xxx.x.xx must be the same IP that serves this page (IE domain
    ' restriction); the path is any URI that requires authentication.
    myhttp.open "GET", "http://xxx.xxx.x.xx/_vti_bin/_vti_adm/admin.dll", false
    ' Forged Host header: this is the value the prompt displays as Realm.
    myhttp.setRequestHeader "Host", "secure.foo.bar"
    myhttp.send

    Set myhttp = Nothing
    end function
    </script>
    <script>sendinfo()</script>
    [End Code Sample]

    * Solution *

    This issue is probably by design and as such the problem is with the end
    user verifying the site that they are entering credentials for.

    Brett Moore
    Network Intrusion Specialist
    security-assessment.com
    +64-9-300-6494
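The receiving end of the trick, as an added example that is not part of Brett's post: a small Python parser that does what the post's sniffer step does by hand, pulling the Authorization header out of a captured request and base64-decoding it to the username:password pair, and alongside that checks whether the Host header names a host the server actually serves. The captured request, the alice/SuperSecret! credentials, the address 192.0.2.10 standing in for the masked server IP, and the list of legitimate host names are all constructed for the example.

```python
import base64
import binascii
from typing import Dict, Optional, Tuple

# Constructed sample: the request IE sends once the user has typed credentials
# into the forged prompt. The Host header carries the attacker-chosen name
# (secure.foo.bar, as in the post) although the connection went to the
# server's IP. Not real traffic.
CAPTURED_REQUEST = (
    b"GET /_vti_bin/_vti_adm/admin.dll HTTP/1.1\r\n"
    b"Host: secure.foo.bar\r\n"
    b"Authorization: Basic YWxpY2U6U3VwZXJTZWNyZXQh\r\n"
    b"User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)\r\n"
    b"\r\n"
)

# Names the protected host legitimately answers to. Assumed values;
# 192.0.2.10 stands in for the post's masked xxx.xxx.x.xx.
LEGITIMATE_HOSTS = {"192.0.2.10", "intranet.example.com"}


def parse_headers(raw: bytes) -> Dict[str, str]:
    """Split a raw HTTP/1.x request head into a dict keyed by lower-cased header name."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    headers: Dict[str, str] = {}
    for line in head.split(b"\r\n")[1:]:  # [0] is the request line
        name, sep, value = line.partition(b":")
        if sep:
            headers[name.strip().lower().decode("latin-1")] = value.strip().decode("latin-1")
    return headers


def decode_basic(authorization: str) -> Optional[Tuple[str, str]]:
    """Return (user, password) from an 'Authorization: Basic ...' value, else None.

    NTLM and other schemes, malformed base64, and tokens without a ':' all
    yield None rather than an exception, since sniffed input is untrusted.
    """
    scheme, _, token = authorization.partition(" ")
    if scheme.lower() != "basic" or not token.strip():
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("latin-1")
    except (binascii.Error, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")
    if not sep:
        return None
    return user, password


def analyse(raw: bytes, legitimate_hosts=LEGITIMATE_HOSTS) -> dict:
    """What a sniffer on the protected host recovers, plus a Host-header check.

    host_forged is True when the Host value (port stripped) is not one of the
    names this server is known to serve, i.e. the request was aimed at the IP
    but labelled with some other domain.
    """
    headers = parse_headers(raw)
    host = headers.get("host", "")
    return {
        "host": host,
        "host_forged": host.split(":")[0].lower() not in legitimate_hosts,
        "credentials": decode_basic(headers.get("authorization", "")),
    }


if __name__ == "__main__":
    print(analyse(CAPTURED_REQUEST))
```

A Host value outside the server's own names is a signal, not proof of this trick (a mis-pointed DNS entry or a proxy produces the same mismatch), but on a server that expects requests for one site it is cheap to log, and it is the same comparison between Site and Realm that the post leaves to the user's eye.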
