SECURITYVULNS:DOC:4433
Oct 20, 2001

Outlook Express and SPA (Secure Password Authentication)

Source: vulners.com

Topic: Outlook Express and SPA (Secure Password Authentication)
Author: 3APA3A <[email protected]>
Affected Software: Internet Explorer 5.5, 6.0
Vendor: Microsoft
Status: Informational

  1. Background:

Outlook Express doesn't support CRAM-MD5 or APOP, so there is only one
way to authenticate a user on a POP3/IMAP/SMTP server without sending the
cleartext password on the wire: SPA (Secure Password Authentication). It
usually works with Exchange, but is also supported by a few third-party
mail servers.

There are two issues with this kind of authentication that make it even
more dangerous than cleartext authentication when used outside the
organization's site.

  2. Problems description:

(1)
Secure Password Authentication is in fact NTLM v.1.

NTLM v.1 is known to be vulnerable to Man-in-the-Middle attacks. If a
Man-In-The-Middle can impersonate the mail server, it can relay the
client's authentication to the mail server (or to another resource which
supports NTLMv1 authentication, such as an SMB server or a web server).

+--------------+
| Impersonated |
| Mail         |   +------------+  challenge  +--------+
| Server       |   | Man In     | ----------> | Client |
+--------------+   | The Middle | <---------- +--------+
                   +------------+  response
+--------------+  response  |  ^
| Corporate    | <----------+  |
| file server  | --------------+
+--------------+  challenge

The client will think it is authenticated by the mail server while in
fact it gives the attacker access to the corporate file server. It's a
common NTLM v1 problem which was eliminated in NTLM v2 by introducing
mutual authentication.

(2)
When SPA is selected for an account (let's say a POP3 account) in Outlook
Express, Outlook Express doesn't use the username/password provided in the
account information. First, it tries to connect to the POP3 server with
the user's system (for example Windows NT domain) logon credentials. Only
if that fails does Outlook Express ask the user for a username/password,
and it stores this password in the user's password list (as Windows does
for NetBIOS shares). It will use a single username/password for all
Outlook Express accounts on the same server. Even if you delete the
account and create a new one, you will connect to the server with the old
username and password (if the server doesn't report an error).

If a user uses an outside POP3 server, a malicious POP3 server operator
can use this behavior to connect to corporate resources with the user's
domain credentials.

+-------------+  challenge  +--------+
| Malicious   | ----------> | Client |
| POP3 Server | <---------- +--------+
+-------------+  response
      ^  |
      |  | response
      |  +-------------> +-----------+
      |     challenge    | Corporate |
      +----------------- | Server    |
                         +-----------+

Internet Explorer security settings don't change the behavior of Outlook
Express for this issue. By using little tricks with the "AUTH NTLM"
protocol, a server can cause several challenge/response exchanges during
one authentication attempt without prompting the user. This gives a
malicious server operator the ability to request several
password-protected resources (for example from the corporate web server)
during one client authentication.
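Both signals described above, an NTLMv1 response from the client and a server that issues a second challenge inside one AUTH NTLM attempt, can be picked out of a POP3 session transcript. The following Python is an added example, not code from the advisory or from Microsoft; the "S: "/"C: " transcript format, the sample exchange and the minimal NTLMSSP message builders (which carry dummy response bytes, not real credentials) are all constructed for illustration.

```python
# Added example (not the advisory's code): audit a POP3 "AUTH NTLM" exchange, given as "S: "/"C: " lines,
# for NTLMv1 responses and for a server that issues more than one challenge inside a single attempt.
import base64
import struct
NTLMSSP = b"NTLMSSP\0"

def ntlm_type2(challenge: bytes) -> bytes:
    # Minimal CHALLENGE (Type 2): empty TargetName/TargetInfo fields, flags, 8-byte server challenge.
    return NTLMSSP + struct.pack("<IHHII8s8sHHI", 2, 0, 0, 48, 0x201, challenge, b"\0" * 8, 0, 0, 48)

def ntlm_type3(nt_resp: bytes, user: bytes) -> bytes:
    # Minimal AUTHENTICATE (Type 3): 64-byte header, empty LM response, then NT response and user name.
    f = struct.pack("<HHI", 0, 0, 64) + struct.pack("<HHI", len(nt_resp), len(nt_resp), 64)
    f += struct.pack("<HHI", 0, 0, 64 + len(nt_resp)) + struct.pack("<HHI", len(user), len(user), 64 + len(nt_resp))
    f += struct.pack("<HHI", 0, 0, 64 + len(nt_resp) + len(user)) * 2   # Workstation, SessionKey (both empty)
    return NTLMSSP + struct.pack("<I", 3) + f + struct.pack("<I", 0x201) + nt_resp + user

def ntlm_message_type(blob: bytes) -> int:
    # 0 if not NTLMSSP, else MessageType at offset 8: 1 negotiate, 2 challenge, 3 authenticate.
    return struct.unpack_from("<I", blob, 8)[0] if blob.startswith(NTLMSSP) and len(blob) >= 12 else 0

def audit_pop3_auth(transcript: list[str]) -> list[str]:
    findings, in_auth, challenges = [], False, 0
    for line in transcript:
        side, _, text = line.partition(": ")
        if side == "C" and text.upper() == "AUTH NTLM":
            in_auth, challenges = True, 0
        elif not in_auth:
            continue
        elif side == "S" and text.startswith("+ ") and len(text) > 2:
            if ntlm_message_type(base64.b64decode(text[2:])) == 2:
                challenges += 1
                if challenges > 1:   # re-challenge after a response: the server is relaying again
                    findings.append(f"extra server challenge #{challenges} in one AUTH NTLM")
        elif side == "C" and text != "*":   # "*" cancels SASL; anything else is base64 NTLMSSP
            blob = base64.b64decode(text)
            # NTLMv1 (incl. the NTLM2-session variant) has a 24-byte NtChallengeResponse; NTLMv2 is longer.
            if ntlm_message_type(blob) == 3 and struct.unpack_from("<H", blob, 20)[0] == 24:
                findings.append("NTLMv1 response (24-byte NtChallengeResponse)")
        elif side == "S" and text[:3] in ("+OK", "-ER"):
            in_auth = False   # final status line ends the attempt
    return findings

def b64(b: bytes) -> str: return base64.b64encode(b).decode()
# Constructed sample: after the client answers challenge A, the server sends challenge B instead of +OK.
SAMPLE = ["C: AUTH NTLM", "S: + ",
          "C: " + b64(NTLMSSP + struct.pack("<I", 1) + b"\0" * 24),   # Type 1 (negotiate)
          "S: + " + b64(ntlm_type2(b"\x11" * 8)),
          "C: " + b64(ntlm_type3(b"\xaa" * 24, b"jdoe")),              # 24-byte NT response: NTLMv1
          "S: + " + b64(ntlm_type2(b"\x22" * 8)),                      # second challenge, same attempt
          "C: " + b64(ntlm_type3(b"\xbb" * 24, b"jdoe")), "S: +OK Logged in."]
```

Running `audit_pop3_auth(SAMPLE)` reports two NTLMv1 responses and the extra challenge; a single-challenge exchange with a longer (NTLMv2-sized) NT response reports nothing.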

  3. Conclusion

Never use SPA to connect to hosts unless these hosts are Exchange servers
in your domain.

  4. Other products

MS Outlook may also be vulnerable but was never tested. IMAP4 and SMTP
authentication were not checked, but are believed to be vulnerable.

  5. Vendor

Microsoft was contacted on October 5 via [email protected] and had given
no feedback on this issue as of October 17.