COMMAND

    NTLM

SYSTEMS AFFECTED

    Office 2000, Windows 2000, and Windows Me

PROBLEM

    The following is based on Microsoft Security Bulletin  MS01-001.
    The Web Extender Client (WEC) is a component that ships as part of
    Office 2000, Windows 2000, and Windows Me.  WEC allows IE to  view
    and publish files via web  folders, similar to viewing and  adding
    files  in  a  directory  through  Windows  Explorer.   Due  to  an
    implementation  flaw,  WEC  does  not  respect  the  IE   Security
    settings regarding  when NTLM  authentication will  be performed -
    instead,  WEC  will  perform  NTLM  authentication with any server
    that  requests  it.   If  a  user  established  a  session  with a
    malicious user's web site - either  by browsing to the site or  by
    opening  an  HTML  mail  that  initiated  a  session  with it - an
    application on the site could capture the user's NTLM credentials.
    The malicious user could then use an offline brute force attack to
    derive the  password or,  with specialized  tools, could  submit a
    variant of  these credentials  in an  attempt to  access protected
    resources.

    The vulnerability would only  provide the malicious user  with the
    cryptographically  protected  NTLM  authentication  credentials of
    another user.  It would not, by itself, allow a malicious user  to
    gain  control  of  another  user's  computer  or to gain access to
    resources to which that user  was authorized access.  In  order to
    leverage  the   NTLM  credentials   (or  a   subsequently  cracked
    password), the malicious  user would have  to be able  to remotely
    logon to the target system.  However, best practices dictate  that
    remote logon services be blocked  at border devices, and if  these
    practices  were  followed,  they  would  prevent  an attacker from
    using the credentials to logon to the target system.

    Acknowledgment goes to David Litchfield & @stake.

    Web Folders allow  IE 5.x clients  to connect to  an HTTP resource
    (read  server)  and  view  the  contents  of  that  server  in  an
    Explorer-like  interface.   Two  protocols  are  supported  in Web
    Folders; DAV (Distributed Authoring  and Versioning) and WEC  (Web
    Extender Client).  DAV appears to be relatively generic extensions
    to HTTP, whereas  WEC is a  Microsoft Front Page  protocol with FP
    features plus those of DAV.  Not surprisingly, the problems appear
    to only be present in the WEC modules of Web Folders.

    WEC and  DAV are  capable of  performing NTLM  authentication, the
    normal authentication  mechanism for  all NT/W2K  services.   WEC,
    however, does not adhere to the IE Trust Zone settings that should
    normally  control  HTTP-based  authentication.   IE  allows you to
    specify  when  NTLM  authentication  should be performed, normally
    only when connecting to resources internal to your network.   WEC,
    however, will perform NTLM authentication on demand regardless  of
    where the HTTP resource is located  (as seen by the IE Trust  Zone
    model).

    Ergo, it's possible to get an  NTLM challenge/response session  to
    occur with  any site  that requests  it (either  by clicking  on a
    link at  a web  site, or  by an  HTML-based email  which invokes a
    session on its own).
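    The following is an added detection example, not part of the
    original advisory or of any Microsoft code.  It approximates the
    IE Local intranet zone rule (plain hostnames, private addresses,
    and an assumed internal DNS suffix), decodes NTLM Authorization
    headers per the MS-NLMP layout, and flags a Type 3 response sent
    to a host outside that zone, which is exactly what WEC permits.
    The proxy log lines and the Type 3 message builder are constructed
    for the sample and carry no real credentials.

```python
import base64
import ipaddress
import struct

NTLM_SIGNATURE = b"NTLMSSP\x00"
INTERNAL_SUFFIXES = (".corp.example",)   # assumed internal DNS suffix

def is_intranet_zone(host):
    """Approximate IE's Local intranet rule: hostnames without a dot,
    private IPs and the assumed internal suffix count as intranet."""
    try:
        return ipaddress.ip_address(host).is_private
    except ValueError:
        return "." not in host or host.endswith(INTERNAL_SUFFIXES)

def parse_ntlm(b64):
    """Decode an NTLM Authorization value into (type, domain, user).
    String fields are len(2), maxlen(2), absolute offset(4), per MS-NLMP."""
    raw = base64.b64decode(b64)
    if raw[:8] != NTLM_SIGNATURE:
        return None
    msg_type = struct.unpack_from("<I", raw, 8)[0]
    if msg_type != 3:                       # only AUTHENTICATE carries names
        return (msg_type, None, None)
    flags = struct.unpack_from("<I", raw, 60)[0]
    enc = "utf-16-le" if flags & 0x1 else "ascii"   # NTLMSSP_NEGOTIATE_UNICODE
    def field(off):
        ln, _, pos = struct.unpack_from("<HHI", raw, off)
        return raw[pos:pos + ln].decode(enc)
    return (3, field(28), field(36))        # DomainNameFields, UserNameFields

def build_type3(domain, user, workstation):
    """Constructed sample AUTHENTICATE message with empty LM/NT responses."""
    payload, fields = b"", []
    for s in (b"", b"", domain.encode("utf-16-le"), user.encode("utf-16-le"),
              workstation.encode("utf-16-le"), b""):
        fields.append(struct.pack("<HHI", len(s), len(s), 64 + len(payload)))
        payload += s                        # payload starts after 64-byte header
    msg = NTLM_SIGNATURE + struct.pack("<I", 3) + b"".join(fields)
    return base64.b64encode(msg + struct.pack("<I", 0x1) + payload).decode()

# Constructed proxy log: (client IP, destination host, Authorization value)
SAMPLE_LOG = [
    ("10.1.2.3", "fileserver", "NTLM " + build_type3("CORP", "alice", "WS01")),
    ("10.1.2.3", "webfolder.untrusted.example", "NTLM " + build_type3("CORP", "alice", "WS01")),
    ("10.1.2.3", "webfolder.untrusted.example", "Basic Zm9v"),
]

def find_external_ntlm(log):
    """Return (DOMAIN\\user, host) for each NTLM Type 3 sent outside the intranet zone."""
    hits = []
    for _client, host, auth in log:
        if not auth.startswith("NTLM ") or is_intranet_zone(host):
            continue
        parsed = parse_ntlm(auth[5:])
        if parsed and parsed[0] == 3:
            hits.append((f"{parsed[1]}\\{parsed[2]}", host))
    return hits
```

    A hit means a workstation completed NTLM authentication with an
    Internet-zone host, which is the event this advisory describes.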

    The ramifications  of this  are that  your NTLM challenge/response
    session  would   provide  a   remote  attacker   with   sufficient
    information  to  perform  a  brute  force  crack  of  your  NT/W2K
    password (using something like L0phtcrack).

    With  your  userID  and  password  an  attacker  might  be able to
    authenticate  as  you  to  resources  of  yours available to them.
    Internal to your network that  might mean any resource.   External
    to your network (i.e. Internet accessible) that might mean Outlook
    Web  Access,  user  permissioned  IIS  resources,  or  any   other
    resource which relies upon your NT/W2K password.

    With the perceived risk being higher from outside of your network,
    sites which have implemented separate authentication realms  (e.g.
    one userID when inside, a different userID when outside), or those
    that have implemented a 3rd factor to authentication (e.g. SecurID
    tokens, or  even IP  address restrictions)  are less  likely to be
    made vulnerable by such an attack.

    Microsoft advise that WEC is  enabled by default on Windows  2000,
    Windows  ME,   and  systems   with  Office   2000  installed.    A
    pre-requisite is the installation of IE 5.x.  However, any  modern
    environment (Win9x,  NT) might  have WEC  enabled if  the user has
    opted for it during installation of IE 5.x.

    Presumably there is a way to determine, from the registry, whether
    or not WEC is installed  or enabled.  Unfortunately Microsoft  has
    not provided us with  this information (which would  allow Network
    Administrators to more quickly determine whether or not they  have
    any affected clients).

SOLUTION

    A patch is available to  fix this vulnerability.  Please  read the
    Security Bulletin

        http://www.microsoft.com/technet/security/bulletin/ms01-001.asp

    for information on obtaining this patch.