MS IE User's Authentication Details (userid/password) Sharing Issue

From: Debasis Mohanty (mail_at_hackingspirits.com)
Date: 12/12/04

  • Next message: J. Oquendo: "Enemy of the State (breaking Stateful Inspection based fw's)"
    To: <vuln-dev@securityfocus.com>
    Date: Mon, 13 Dec 2004 03:16:48 +0530
    
    

    I would like to highlight an issue with IE which I have verified with
    Microsoft before posting it here. This issue of IE has got very limited
    security implications. I have also included the reply from Microsoft in this
    post for reference.

    The details of this IE issue can be found below:

    Microsoft Internet Explorer User's Authentication Details Sharing
    -----------------------------------------------------------------
    Details:
    When IE is configured to access internet using proxy, the user's
    authentication details are cached locally without IE prompting the user.
    Even though the "save my password" option is not checked, the user's proxy
    authentication details are cached locally without the user's knowledge.

    Since, user's details are restricted to each instances of IE and for each
    new instances of IE opened by the user will prompt the user for entering
    username / password to authenticate to the proxy. But if any html file is
    opened locally in IE and then links are used to right-click and open a new
    IE window then it doesn't ask for authentication. It is happening because
    the saved user's details are being shared by the previously active browser
    eventhough the user has not saved the userid/password.

    There are two cases when every new instances of IE share the user's
    authentication details with the previously active IE instance. They are:

    a. If a simple html file (with any hyperlinks in it) is opened locally in IE
    then the hyperlinks are used to surf the desired site then IE doesn't prompt
    for any user authentication details as it shares the user's credentials from
    the previously opened active IE instance.

    b. If the user uses right click and open new IE window for any links from an
    active IE instance then the new IE window shares the user's credentials from
    the previously opened active IE instance.

    Note:
    # This doesn't happen when a complete new instance of IE is opened to surf
    any link.
    # This works even the user doesn't check the "save password" option to save
    the password details.

    I have tested this on the following environment:
    Win2K (with SP4) + IE 6.0 and
    WinXP (SP1 + hotfixes - SP2) + IE 6.0

    Workaround (Provided by Microsoft):
    ***********************************
    What could help resolve this is to perhaps explain the to a user via a Help
    link on the credentials dialog that contains more details on just what "save
    my password" means.

    Patch Details (Provided by Microsoft):
    **************************************
    We've opened a bug against the product to track this change and this
    behavior, and this may be included in a future service pack for the
    operating system.

    ===================================================
    Reply From Microsoft
    ===================================================
    From: Microsoft Security Response Center [mailto:secure@microsoft.com]
    Sent: Thursday, December 09, 2004 7:05 AM
    To: Debasis Mohanty
    Cc: Microsoft Security Response Center
    Subject: RE: MS IE User's Authentication Details (userid/password) Sharing
    vulnerability [5694mr]

    Hello Debasis:

    We've investigated this and had the teams look at the possible security
    related attacks here. From our understanding of the report, the security
    implications here seem somewhat limited. Without "save my password"
    credentials are persisted within the IE process. With "save my password"
    credentials are persisted across IE sessions and IE instances. There may be
    some perceived inconsistency, because in the UI, IE instances are not easily
    distinguishable from the multiple sessions of a single IE instance.

    What could help resolve this is to perhaps explain the to a user via a Help
    link on the credentials dialog that contains more details on just what "save
    my password" means.

    We've opened a bug against the product to track this change and this
    behavior, and this may be included in a future service pack for the
    operating system.

    I appreciate you reporting this to us.

    Regards,
    --Mike
    ===================================================

    Note: This issue of IE has got very limited security implications.

     
    Thanks & Regards,
    Debasis Mohanty
    www.hackingspirits.com


  • Next message: J. Oquendo: "Enemy of the State (breaking Stateful Inspection based fw's)"

    Relevant Pages

    • MS IE Users Authentication Details (userid/password) Sharing Issue
      ... Microsoft before posting it here. ... Microsoft Internet Explorer User's Authentication Details Sharing ... for any user authentication details as it shares the user's credentials from ... What could help resolve this is to perhaps explain the to a user via a Help ...
      (Bugtraq)
    • MS IE Users Authentication Details (userid/password) Sharing Issue
      ... Microsoft before posting it here. ... Microsoft Internet Explorer User's Authentication Details Sharing ... for any user authentication details as it shares the user's credentials from ... What could help resolve this is to perhaps explain the to a user via a Help ...
      (Pen-Test)
    • [Full-Disclosure] MS IE Users Authentication Details (userid/password) Sharing Issue
      ... Microsoft before posting it here. ... Microsoft Internet Explorer User's Authentication Details Sharing ... for any user authentication details as it shares the user's credentials from ... What could help resolve this is to perhaps explain the to a user via a Help ...
      (Full-Disclosure)
    • Re: Exchange Password
      ... Do not allow storage of credentials or .NET Passports for ... Microsoft CSS Online Newsgroup Support ... |> Technically speaking, whenever you open the mailbox on Exchange server, ... if the local account uses the same ...
      (microsoft.public.windows.server.sbs)
    • Re: Password Expiration
      ... > credential issue, it did not occur on the SBS server, it will also occur ... > Do not allow storage of credentials or .NET Passports for network ... > 244474 How to force Kerberos to use TCP instead of UDP in Windows Server ... > package in Microsoft Windows Server 2003. ...
      (microsoft.public.windows.server.sbs)