[19968] in bugtraq


Re: Security bugs in interactions between IE 5.x,

daemon@ATHENA.MIT.EDU (Tim Hollebeek)
Sat Mar 31 20:04:58 2001

MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Message-ID:  <4BC10D47D7ACD3119FA800104B1F8836C4A85D@exchange.cigital.com>
Date:         Fri, 30 Mar 2001 12:32:01 -0500
Reply-To: Tim Hollebeek <thollebeek@CIGITAL.COM>
From: Tim Hollebeek <thollebeek@CIGITAL.COM>
To: BUGTRAQ@SECURITYFOCUS.COM

> If Guninski is right, and there is a bug involving the Microsoft OLE
> DB Provider for Internet Publishing that allows malicious websites
> to execute queries into sites local to the vulnerable user under that
> user's context, then it's more than likely that some of those local
> sites indeed don't request any kind of authentication, or else
> authenticate the user automatically using NT Challenge/Response. And
> that would mean clear access past any firewalls into the
> local intranet.
> Sure, you have to know the site names, but that's what social
> engineering is for.

Or simply guess that it is something common like "mail", "intranet" or
"exchange".  Since the attacker has the ability to access the resource
programmatically, testing a set of plausible names until the correct one is
found is possible, and may even have a very high probability of success.

Tim Hollebeek
Research Scientist
Cigital Labs
