Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!

TUCoPS :: Windows :: hack2497.htm

Microsoft ISA Server Authentication Bypassing
Microsoft ISA Server Authentication Bypassing


Microsoft ISA Server Authentication Bypassing


This weakness is tested in a network environment where Microsoft ISA

server is configured as an Internet proxy server and the users are

required to provide appropriate user name and the password to access the


In HTTP 1.1, the Keep-Alive connections connection remains active unless

the user closes the internet browser. In case of IE once the user closes

all the open IE windows, the Keep-Alive sessions closes. Hence, every

new IE opened will ask the user to enter UserID and Password to

authenticate to the proxy server (if the proxy requires authentication).

But there is a way to bypass this authorization. Since, IE caches the

user's authorization details without asking the user and it can be

reused by any malicious user even though all the IE window is closed to

bypass the proxy authentication.

I have tested this on MS Win2K as the client and MS ISA as the proxy

server. Find below the details.  

There are two ways the user can access Internet in an authorised proxyed


Case 1

The user can save the password by selecting the "save password"


in the password dialog box and can use the same cached password to

access internet. Each time the user opens a new IE window he/she will be

prompted with the password dialog box where the cached password will

appear to be in asterisk ("*") form. The users just have to press


to visit the desired site.  

Case 2

In this case the user doesn't save the password and preferred to enter

the password each time he/she opens a new IE window. 

Now the bug is there in both the cases but I shall talk about case 2

scenario where actually the password is not saved. In case 2, the user

would be prompted with a password dialog box each time he/she opens a

new IE window to browse any site. But this can be bypassed by using an

existing session of a user with the ISA server. Most of the case the

user's browser session with the ISA doesn't terminate unless the IE

cache is cleaned properly. But here comes the bug where the attacker

actually can make use of the existing browser's WWW-Authorization

response of the previous user and can open multiple IE window and can

browse sites of his/her choice without even entering any user name and


What the malicious user has to do is to create a small html file with a

link of the desired site. For example the malicious user wants to visit without authorization. Then the sample html file 

would look something like:

===== POC 1 =====

Browse without authorization --- Sample script by 


Click here to visit


Now once the html file is created the malicious user has to open this

file in an IE window and "right click" on the link and "open

it in a new

window". This would open the desired site in the new window without

asking any "user name" or "password" even if the password

is not cached.

Once can also write a small Batch file to open a desired site without

proper authorisation. Find the batch file below: 

==== POC 2 =====

echo off

echo Browse Internet without authorisation --- by

start /B "%ProgramFiles%\Internet Explorer\iexplore.exe" 



Note: But if the malicious tries to visit the same site by opening a new

IE window then he/she will be prompted with a password dialog box which

cannot be bypassed without authorization.

Debasis Mohanty 

TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2015 AOH