mailing list archives
RE: Microsoft ISA Server Authentication Bypassing
From: "David Farinic" <davidf () gfi com>
Date: Wed, 3 Nov 2004 11:07:14 +0100
Vulnerability-Microsoft ISA Server Authentication Bypassing
-NOT TRUE. IT IS NOT ISA problem.
You worked always with one instance of IExplore.exe which used same
pre-authenticated http channels for all calls from different windows or
processes. It might be seen as a problem only if IE COM IPC calls from
DIFFERENT processes (with dif. Sec. credentials) to IE COM objects use
same pre-authenticated http tcp/ip channels with proxy server.
P.S.: Next time pls mention also ISA,OS,IE versions.
From: full-disclosure-admin () lists netsys com
[mailto:full-disclosure-admin () lists netsys com] On Behalf Of Debasis
Sent: Tuesday, November 02, 2004 6:48 PM
To: mail () hackingspirits com
Subject: [Full-disclosure] Microsoft ISA Server Authentication Bypassing
Microsoft ISA Server Authentication Bypassing
This weakness is tested in a network environment where Microsoft ISA
server is configured as an Internet proxy server and the users are
required to provide appropriate user name and the password to access the
In HTTP 1.1, the Keep-Alive connections connection remains active unless
the user closes the internet browser. In case of IE once the user closes
all the open IE windows, the Keep-Alive sessions closes. Hence, every
new IE opened will ask the user to enter UserID and Password to
authenticate to the proxy server (if the proxy requires authentication).
But there is a way to bypass this authorization. Since, IE caches the
user's authorization details without asking the user and it can be
reused by any malicious user even though all the IE window is closed to
bypass the proxy authentication.
I have tested this on MS Win2K as the client and MS ISA as the proxy
server. Find below the details.
There are two ways the user can access Internet in an authorised proxyed
The user can save the password by selecting the "save password" option
in the password dialog box and can use the same cached password to
access internet. Each time the user opens a new IE window he/she will be
prompted with the password dialog box where the cached password will
appear to be in asterisk ("*") form. The users just have to press enter
to visit the desired site.
In this case the user doesn't save the password and preferred to enter
the password each time he/she opens a new IE window.
Now the bug is there in both the cases but I shall talk about case 2
scenario where actually the password is not saved. In case 2, the user
would be prompted with a password dialog box each time he/she opens a
new IE window to browse any site. But this can be bypassed by using an
existing session of a user with the ISA server. Most of the case the
user's browser session with the ISA doesn't terminate unless the IE
cache is cleaned properly. But here comes the bug where the attacker
actually can make use of the existing browser's WWW-Authorization
response of the previous user and can open multiple IE window and can
browse sites of his/her choice without even entering any user name and
What the malicious user has to do is to create a small html file with a
link of the desired site. For example the malicious user wants to visit
www.hackingspirits.com without authorization. Then the sample html file
would look something like:
===== POC 1 =====
<h t m l>
<title>Browse without authorization --- Sample script by
<b o d y>
<a target="_blank" href="http://www.hackingspirits.com">
Click here to visit hackingspirits.com</a>
</b o d y>
</h t m l>
Now once the html file is created the malicious user has to open this
file in an IE window and "right click" on the link and "open it in a new
window". This would open the desired site in the new window without
asking any "user name" or "password" even if the password is not cached.
Once can also write a small Batch file to open a desired site without
proper authorisation. Find the batch file below:
==== POC 2 =====
echo Browse Internet without authorisation --- by hackingspirits.com.
start /B "%ProgramFiles%\Internet Explorer\iexplore.exe"
Note: But if the malicious tries to visit the same site by opening a new
IE window then he/she will be prompted with a password dialog box which
cannot be bypassed without authorization.
Full-Disclosure - We believe in it.
This mail was checked for malicious code and viruses
by GFI MailSecurity. GFI MailSecurity provides email content
checking, exploit detection, threats analysis and anti-virus for
Exchange & SMTP servers. Viruses, Trojans, dangerous
attachments and offensive content are removed automatically.
Key features include: multiple virus engines; email content and
attachment checking; an exploit shield; an HTML threats engine;
a Trojan & Executable Scanner; and more.
In addition to GFI MailSecurity, GFI also produces the
GFI MailEssentials anti-spam software, the GFI FAXmaker
fax server & GFI LANguard network security product ranges.
For more information on our products, please visit
http://www.gfi.com. This disclaimer was sent by
GFI MailEssentials for Exchange/SMTP.
Full-Disclosure - We believe in it.