Computer Security

Related information

  Windows NTLM relaying attacks

  Authentication flaw in Microsoft SMB protocol

  @stake Advisory: NTLM Replaying via Windows 2000 Telnet Client (A 091400-1)

  Security Bulletin (MS00-067)

  Win2k Telnet.exe malicious server vulnerability

From:3APA3A <3APA3A_(at)>
Subject:Outlook Express and SPA (Secure Password Authentication)

Topic:                    Outlook Express and SPA (Secure Password Authentication)
Author:                   3APA3A <[email protected]>
Affected Software:        Internet Explorer 5.5, 6.0
Vendor:                   Microsoft
Status:                   Informational

1. Background:

Outlook Express doesn't support CRAM-MD5 or APOP, so there is only one way
to authenticate a user to a POP3/IMAP/SMTP server without sending the
cleartext password on the wire: SPA (Secure Password Authentication). It
usually works with Exchange, but is also supported by a few 3rd-party mail
servers.

There are 2 issues with this kind of authentication that make it even more
dangerous than cleartext when it is used outside the organization's site.

2. Problems description:

Secure Password Authentication is in fact NTLM v1.

NTLM v1 is known to be vulnerable to man-in-the-middle attacks. If a
Man-In-The-Middle can impersonate the mail server, he can connect as the
user to the mail server (or to another resource that supports NTLMv1
authentication, such as an SMB server or a Web server): he relays the
real server's challenge to the client and the client's response back.

+--------------+
| Impersonated |
|    Mail      |         +------------+  challenge  +--------+
|   Server     |         |   Man In   | --------->  | Client |
+--------------+         | The Middle | <--------   +--------+
                         +------------+  response
+--------------+  response|  ^
|  Corporate   | <--------+  |
| file server  | ------------+
+--------------+   challenge

The client will think it has been authenticated by the Mail Server while
in fact it has given the attacker access to the corporate file server.
This is a general NTLM v1 problem, which NTLM v2 addresses by introducing
mutual authentication.

When SPA is selected for (let's say) a POP3 account in Outlook Express,
Outlook Express doesn't use the username/password provided in the account
information. First, it tries to connect to the POP3 server with the user's
system (for example Windows NT domain) logon credentials. Only if that
fails does Outlook Express ask the user for a username/password, and it
then stores this password in the user's password list (as Windows does for
NetBIOS shares). It will use a single username/password for all Outlook
Express accounts on the same server. Even if you delete the account and
create a new one, you will connect to the server with the old username and
password (if the server doesn't report an error).

If the user uses an outside POP3 server, a malicious POP3 server operator
can use this behavior to connect to corporate resources with the user's
domain credentials:

+-------------+  challenge  +--------+
| Malicious   | --------->  | Client |
| POP3 Server | <--------   +--------+
+-------------+  response
         ^ |
         | |   response
         | +--------------> +-----------+
         |     challenge    | Corporate |
         +----------------- |  Server   |
                            +-----------+
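The two diagrams above describe the same relay: the party in the middle (an impersonated mail server or a malicious outside POP3 server) never learns the password, it only forwards the corporate server's challenge to the client and the client's response back. The following Python model of that exchange is an added example written for this page, not code from the advisory's author. The class names, the POP3 "AUTH NTLM" dialogue and the message encoding are simplified assumptions (the real NTLMSSP Type 1/2/3 layout is omitted), SHA-256 stands in for the NT hash because MD4 is often unavailable in modern OpenSSL builds, and HMAC-MD5 stands in for NTLMv1's DES-based response; only the shape response = f(secret, challenge) matters for the relay.

```python
"""Relay of an NTLMv1-style challenge/response over POP3 AUTH NTLM.

Added example. Names, framing and the response function are simplified
stand-ins (see lead-in); the relay logic itself is the point.
"""
import base64
import hashlib
import hmac
import os


def secret_from_password(password: str) -> bytes:
    # Stand-in for the NT hash (MD4 of the UTF-16LE password).
    return hashlib.sha256(password.encode("utf-16-le")).digest()


def compute_response(secret: bytes, challenge: bytes) -> bytes:
    # Stand-in for the NTLMv1 response (DES over the 8-byte challenge keyed
    # by the NT hash). Whoever holds the secret can answer any challenge,
    # from any server, which is exactly what a relay exploits.
    return hmac.new(secret, challenge, hashlib.md5).digest()


def b64(data: bytes) -> str:
    return base64.b64encode(data).decode()


def unb64(text: str) -> bytes:
    return base64.b64decode(text)


class CorporateServer:
    """A domain resource that accepts NTLM (SMB, web server, Exchange)."""

    def __init__(self, accounts: dict):
        self.accounts = accounts   # user -> secret (constructed sample data)
        self.pending = {}          # user -> outstanding challenge
        self.sessions = []         # users granted access

    def start(self, user: str) -> bytes:
        challenge = os.urandom(8)  # 8-byte server challenge, as in NTLM Type 2
        self.pending[user] = challenge
        return challenge

    def finish(self, user: str, response: bytes) -> bool:
        challenge = self.pending.pop(user, None)
        expected = compute_response(self.accounts.get(user, b""), challenge or b"")
        ok = challenge is not None and hmac.compare_digest(expected, response)
        if ok:
            self.sessions.append(user)
        return ok


class OutlookExpressClient:
    """SPA client: answers with the logged-on domain user's credentials,
    not the account's configured password (the behaviour the advisory reports)."""

    def __init__(self, domain_user: str, domain_password: str):
        self.user = domain_user
        self.secret = secret_from_password(domain_password)

    def auth_ntlm(self, server) -> bool:
        # Simplified POP3 AUTH NTLM dialogue: AUTH NTLM / identity / challenge / response.
        if not server.command("AUTH NTLM").startswith("+"):
            return False
        reply = server.command(b64(self.user.encode()))          # "Type 1": who I am
        if not reply.startswith("+ "):
            return False
        challenge = unb64(reply[2:])                              # "Type 2": challenge
        reply = server.command(b64(compute_response(self.secret, challenge)))  # "Type 3"
        return reply.startswith("+OK")


class MaliciousPop3Server:
    """Outside POP3 server that never learns the password: it forwards the
    corporate server's challenge to the client and the client's response back."""

    def __init__(self, target: CorporateServer):
        self.target = target
        self.user = None
        self.transcript = []       # everything the attacker ever sees

    def command(self, line: str) -> str:
        self.transcript.append(line)
        if line == "AUTH NTLM":
            return "+ "
        if self.user is None:
            self.user = unb64(line).decode()
            return "+ " + b64(self.target.start(self.user))     # relay the challenge
        accepted = self.target.finish(self.user, unb64(line))    # relay the response
        self.user = None
        return "+OK" if accepted else "-ERR"


def run_relay(domain_password: str = "Winter2001!") -> dict:
    """Run the full exchange with constructed sample credentials."""
    fileserver = CorporateServer({"corp\\jdoe": secret_from_password(domain_password)})
    attacker = MaliciousPop3Server(fileserver)
    client = OutlookExpressClient("corp\\jdoe", domain_password)
    client_ok = client.auth_ntlm(attacker)
    return {
        "client_thinks_authenticated": client_ok,
        "attacker_sessions": list(fileserver.sessions),
        "attacker_saw_password": domain_password in "".join(attacker.transcript),
    }


if __name__ == "__main__":
    print(run_relay())
```

Running it shows the client's POP3 login "succeeding" while the session that was actually opened belongs to the corporate server, and the attacker's transcript contains only base64 blobs, never the password. Mutual authentication or any binding of the response to the server the client believes it is talking to is what is missing here; without it the relay is transparent to both ends.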

Internet Explorer security settings don't change the behavior of Outlook
Express for this issue. By using little tricks with the "AUTH NTLM"
protocol, a server can cause several challenge/response exchanges during
one authentication attempt without prompting the user. This gives the
malicious server operator the ability to request several password-protected
resources (for example from the corporate web server) during one client
authentication.

3. Conclusion

Never use SPA to connect to hosts unless these hosts are Exchange servers
in your domain.

4. Other products

MS Outlook may also be vulnerable but was never tested. IMAP4 and SMTP
authentication were not checked, but are believed to be vulnerable.

5. Vendor

Microsoft was contacted on October 5 via [email protected] and gave no
feedback on this issue after October 17.

© SecurityVulns, 3APA3A, Vladimir Dubrovin
Nizhny Novgorod