Outlook Express and SPA (Secure Password Authentication)

Type securityvulns
Reporter Securityvulns
Modified 2001-10-20T00:00:00


Topic: Outlook Express and SPA (Secure Password Authentication)
Author: 3APA3A <3APA3A@security.nnov.ru>
Affected Software: Internet Explorer 5.5, 6.0
Vendor: Microsoft
Status: Informational

  1. Background:

Outlook Express doesn't support CRAM-MD5 or APOP, so there is only one way to authenticate a user to a POP3/IMAP/SMTP server without sending the cleartext password on the wire: SPA (Secure Password Authentication). It usually works with Exchange, but is also supported by a few third-party mail servers.

There are two issues with this kind of authentication that make it even more dangerous than cleartext authentication outside the organization's own site.

  2. Problems description:

(1) Secure Password Authentication is in fact NTLM v.1.

NTLM v.1 is known to be vulnerable to man-in-the-middle attacks. If a man-in-the-middle can impersonate the mail server, he can use the client's response to connect to the mail server (or to another resource which supports NTLMv1 authentication, such as an SMB server or a web server).

+--------------+
| Impersonated |
|     Mail     |     +------------+  challenge   +--------+
|    Server    |     |   Man In   | ---------->  | Client |
+--------------+     | The Middle | <----------  +--------+
                     +------------+   response
                           |          ^
                           | response | challenge
                           v          |
                     +--------------+
                     |  Corporate   |
                     | file server  |
                     +--------------+

The client will think it has been authenticated by the mail server while in fact it gives the attacker access to the corporate file server. This is a common NTLM v1 problem, which was eliminated in NTLM v2 by introducing mutual authentication.

(2) When SPA is selected for (let's say) a POP3 account in Outlook Express, Outlook Express doesn't use the username/password provided in the account information. First, it tries to connect to the POP3 server with the user's system (for example Windows NT domain) logon credentials. Only if that fails does Outlook Express ask the user for a username/password, and it stores this password in the user's password list (as Windows does for NetBIOS shares). It will use a single username/password for all Outlook Express accounts on the same server. Even if you delete the account and create a new one, you will connect to the server with the old username and password (if the server doesn't report an error).

If the user uses an outside POP3 server, a malicious POP3 server operator can use this behavior to connect to corporate resources with the user's domain credentials.

+-------------+  challenge   +--------+
|  Malicious  | ---------->  | Client |
| POP3 Server | <----------  +--------+
+-------------+   response
      |          ^
      | response | challenge
      v          |
   +---------------+
   |   Corporate   |
   |    Server     |
   +---------------+

Internet Explorer security settings don't change the behavior of Outlook Express for this issue. By using little tricks with the "AUTH NTLM" protocol, a server can cause several challenge/response exchanges during one authentication attempt without prompting the user. This gives a malicious server operator the ability to request several password-protected resources (for example from a corporate web server) during one client authentication.
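Both diagrams rely on one property: the client's response proves knowledge of the secret for a given challenge but carries nothing that identifies the server it was meant for, so whoever can fetch a challenge from a corporate resource and get the client to answer it can forward the answer. The following Python model is added here and is not part of the original advisory. It simulates the exchange twice: with a v1-style response (a function of secret and challenge only) and with a response that also covers the server name the client believes it is talking to, modelling the mutual-authentication property the advisory credits NTLM v2 with. It is a simplified model: HMAC-MD5 stands in for the real DES-over-NT-hash computation, and NT_HASH, CORP-FILE-SERVER and MAIL-SERVER are constructed placeholder values.

```python
import hashlib
import hmac
import os

# Constructed secret shared by the client and the corporate server. It stands
# in for the user's NT password hash; the password here is a hypothetical value.
NT_HASH = hashlib.md5(b"hypothetical-domain-password").digest()


def v1_style_response(nt_hash: bytes, challenge: bytes) -> bytes:
    """Model of an NTLM v1 response: a function of the secret and the 8-byte
    server challenge only. Real NTLM v1 uses DES over the NT hash; HMAC-MD5 is
    substituted because the property under discussion does not depend on the
    primitive: nothing in the response says which server the client meant
    to authenticate to."""
    return hmac.new(nt_hash, challenge, hashlib.md5).digest()


def target_bound_response(nt_hash: bytes, challenge: bytes, target: bytes) -> bytes:
    """Model of the NTLM v2 improvement: the MAC also covers the name of the
    server the client believes it is talking to, so a response computed for
    the mail server does not verify at a different server."""
    return hmac.new(nt_hash, challenge + b"\x00" + target, hashlib.md5).digest()


class CorporateServer:
    """Any NTLM-speaking corporate resource (the SMB or web server of the advisory)."""

    def __init__(self, name: bytes, nt_hash: bytes, bound: bool):
        self.name, self.nt_hash, self.bound = name, nt_hash, bound
        self.current_challenge = None

    def challenge(self) -> bytes:
        self.current_challenge = os.urandom(8)
        return self.current_challenge

    def verify(self, response: bytes) -> bool:
        if self.bound:
            expected = target_bound_response(self.nt_hash, self.current_challenge, self.name)
        else:
            expected = v1_style_response(self.nt_hash, self.current_challenge)
        return hmac.compare_digest(expected, response)


class Client:
    """Outlook Express with SPA enabled: answers any challenge with the domain secret."""

    def __init__(self, nt_hash: bytes, bound: bool):
        self.nt_hash, self.bound = nt_hash, bound

    def respond(self, challenge: bytes, believed_server: bytes) -> bytes:
        if self.bound:
            return target_bound_response(self.nt_hash, challenge, believed_server)
        return v1_style_response(self.nt_hash, challenge)


def legitimate_login(bound: bool) -> bool:
    """The client authenticates directly to the corporate server it intends to reach."""
    corp = CorporateServer(b"CORP-FILE-SERVER", NT_HASH, bound)
    client = Client(NT_HASH, bound)
    chal = corp.challenge()
    return corp.verify(client.respond(chal, corp.name))


def relayed_login(bound: bool) -> bool:
    """The advisory's diagram: the man-in-the-middle (or malicious POP3 server)
    obtains a challenge from the corporate server, hands it to the client as if
    it came from the mail server, and forwards the client's response. Returns
    True if the corporate server accepts the relayed response."""
    corp = CorporateServer(b"CORP-FILE-SERVER", NT_HASH, bound)
    client = Client(NT_HASH, bound)
    chal = corp.challenge()                      # 1: challenge fetched from the corporate server
    resp = client.respond(chal, b"MAIL-SERVER")  # 2: client believes it is answering the mail server
    return corp.verify(resp)                     # 3: answer forwarded to the corporate server


if __name__ == "__main__":
    for bound, label in ((False, "NTLM v1 style"), (True, "target-bound (v2 style)")):
        print(f"{label}: direct login {legitimate_login(bound)}, "
              f"relayed login {relayed_login(bound)}")
```

Run stand-alone, the direct login succeeds in both modes while the relayed login succeeds only in the v1-style mode. From a monitoring standpoint, the observable symptom of both diagrams is the same: an NTLM authentication from a mail client towards a host outside the domain, which is exactly the configuration the conclusion below tells you to avoid.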

  3. Conclusion

Never use SPA to connect to hosts unless these hosts are Exchange servers in your domain.

  4. Other products

MS Outlook may also be vulnerable but was never tested. IMAP4 and SMTP authentication were not checked, but are believed to be vulnerable.

  5. Vendor

Microsoft was contacted on October 5 via secure@microsoft.com and had given no feedback on this issue as of October 17.