Subject: Re: HTTP NTLM Authorization
From: Loschiavo, Dave (DLoschiavo FRCC.CC.CA.US)
Date: Wed Sep 27 2000 - 07:44:04 CDT
Problem is, it will do this with the file:// command. IE's trust zones do
not apply to links such as this... Which is bad.
For a very good write up on this behavior, check out
http://archives.neohapsis.com/archives/win2ksecadvice/2000-q1/0201.html and
also take a look at Russ' replay.
Before I knew Eric had published this report, I "found" the same behavior
myself and when I contacted MS I was told "...that's why smart people use
firewalls...".
This is a very good example of the default settings on a firewall not
protecting you. Many will default to allowing outbound NetBIOS connections,
and this is a bad thing. You need to block this kind of traffic in your
firewalls.
-----Original Message-----
From: Ryan Permeh
To: FOCUS-MS SECURITYFOCUS.COM
Sent: 9/22/00 1:26 PM
Subject: Re: HTTP NTLM Authorization
I believe that it will not do this when a site is in the "restricted" zone
in the internet settings.
There has just been a lot of talk about this type of maliciousness on lists
in regards to the NTLM passing for the telnet server.
Signed,
Ryan
eEye Digital Security Team
http://www.eEye.com
----- Original Message -----
From: "????? ?????? ???????" <ryagin EXTRIM.RU>
To: <FOCUS-MS SECURITYFOCUS.COM>
Sent: Thursday, September 21, 2000 6:16 AM
Subject: HTTP NTLM Authorization
> Does MSIE still open HTTP-NTLM sessions to any HTTP server who asked for
> with user's password hash?
>
> This is a very important security issue, but I haven't found any information
> on fixing it in MS Security Bulletins.
>
> Malicious HTTP server can, for example, replay NTLM session back to client
> and take full access within, for example, C$, D$...shares.
> Or it can try to get administrative access to IIS via HTTP if NetBIOS is
> blocked.
>
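Added example, not part of the original thread: one way to check whether a perimeter firewall really blocks the outbound NetBIOS traffic discussed in the reply above, by scanning flow records for inside-to-outside connections on those ports. The log format, the internal address ranges and the inclusion of 445/tcp are assumptions made for this sketch; the sample records are constructed.

```python
import ipaddress

# NetBIOS name/datagram/session services. 445/tcp (direct-hosted SMB) is an
# assumption added here; the thread itself only names NetBIOS.
SMB_PORTS = {("udp", 137), ("udp", 138), ("tcp", 139), ("tcp", 445)}

# Assumed internal ranges for the site being audited.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample flow records: "proto src_ip dst_ip dst_port action"
SAMPLE_FLOWS = """\
tcp 10.1.4.22 10.1.0.5 139 allow
tcp 10.1.4.22 203.0.113.80 139 allow
tcp 10.1.4.31 198.51.100.7 445 deny
udp 10.1.4.22 203.0.113.80 137 allow
tcp 10.1.4.22 203.0.113.80 80 allow
bogus line
"""

def is_internal(ip):
    addr = ipaddress.ip_address(ip)  # raises ValueError on malformed input
    return any(addr in net for net in INTERNAL_NETS)

def outbound_netbios(log_text):
    """Return (allowed, denied) inside-to-outside flows on SMB_PORTS."""
    allowed, denied = [], []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # skip records that do not match the assumed format
        proto, src, dst, port, action = parts
        try:
            key = (proto.lower(), int(port))
            leaving = is_internal(src) and not is_internal(dst)
        except ValueError:
            continue  # unparsable port or address
        if key in SMB_PORTS and leaving:
            (allowed if action == "allow" else denied).append((src, dst) + key)
    return allowed, denied

if __name__ == "__main__":
    allowed, denied = outbound_netbios(SAMPLE_FLOWS)
    for flow in allowed:
        print("firewall gap, outbound NetBIOS/SMB allowed:", flow)
    print(len(denied), "attempt(s) blocked at the perimeter")
```

Any entry in the first list means a workstation reached an external host on a NetBIOS/SMB port, which is the default-allow condition the reply warns about.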