[17235] in bugtraq
Re: ALERT: Remote Retrieval Of Authentication Data From Internet
daemon@ATHENA.MIT.EDU (Justin King)
Mon Oct 16 15:39:31 2000
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Message-ID: <41E6F719314DD411B722009027DCDB000BD8@EXCHANGE>
Date: Mon, 16 Oct 2000 13:30:20 -0400
Reply-To: Justin King <JKing@GFPGROUP.COM>
From: Justin King <JKing@GFPGROUP.COM>
To: BUGTRAQ@SECURITYFOCUS.COM
At the core of this vulnerability is a "feature" I recall reporting to
bugtraq over a year ago.
See:
http://www.securityfocus.com/archive/1/24766
At that time the bugtraq community seemed to deny that there really was a
vulnerability, though I believe someone from Microsoft mentioned they would
suggest the IE team look into it.
It's nice to see someone come up with a fairly convincing exploit.
-Justin
-----Original Message-----
From: Mitja Kolsek [mailto:mitja.kolsek@ACROS.SI]
Sent: Friday, October 13, 2000 11:40 AM
To: BUGTRAQ@SECURITYFOCUS.COM
Subject: ALERT: Remote Retrieval Of Authentication Data From Internet Explorer
=========================================================================
ACROS Security Problem Report #2000-07-22-2-PUB
-------------------------------------------------------------------------
Remote Retrieval Of Authentication Data From Internet Explorer
=========================================================================
PUBLIC REPORT
Affected System(s): Internet Explorer used in web-based systems with HTTP
                    Basic authentication
Problem:            Usernames and passwords can be retrieved remotely
                    from Internet Explorer
Severity:           High
Solution:           (see "Advisory" section)
Written:            July 22, 2000
Last update:        October 13, 2000
Published:          October 13, 2000
SUMMARY
=======
Our team has analyzed how popular web browsers could be tricked into
revealing the cached username:password pairs and discovered a way this can
be done by a remote attacker even when SSL is used to protect this data
while in transfer over insecure channels like the Internet.
As a result, we have identified a weakness in Microsoft's Internet Explorer.
However, it *should not* be assumed that only this product is affected but
rather all vendors of web browsers are urged to review their products for
the identified vulnerability.
Note: We have put quite an effort into notifying these other vendors.
Unfortunately, we got very little response so we are unable to provide the
status of their products in this report.
The purpose of this report is to describe a security problem in IE's
handling of cached BASIC authentication data and also to provide a workable
scenario for exploiting this, and similar, vulnerabilities.