How XSS can lead to a Windows Domain compromise

Many times internal web applications are excluded from the scrutinity that external ones are subjected to. It is often assumed that attackers are on the external side of the network and therefore do not have access to any internal resources. In turn this usually leads to Web Applications being vulnerable to common security flaws such as Cross Site Scripting (XSS) and SQL injection.

An internal attacker who exploits vulnerabilities on an internal web application, or even one that is external and visited frequently by internal employees, has a number of options. Cross Site Scripting is usually used to steal session cookies, deface websites or inject javascript that attempts to exploit browser vulnerabilities. But what if the vulnerable website starts redirecting internal users to a malicious HTTP server on the internal network that asks for the NTLM authentication? What happens is that it will negotiate and send the NTLM credentials!

What is NTLM? (based on this Wikipedia article)

NTLM (NT LAN Manager) (not to be confused with LAN Manager) is a Microsoft authentication protocol used with the SMB protocol. MS-CHAP is similar and is used for authentication with Microsoft remote access protocols. During protocol negotiation, the internal name is nt lm 0.12. The version number 0.12 has not been explained. It is the successor of LANMAN (Microsoft LAN Manager), an older Microsoft authentication protocol, and attempted to be backwards compatible with LANMAN. NTLM was followed by NTLMv2, at which time the original was renamed NTLMv1.

What can an attacker with NTLM credentials do?

These are a few of the ideas:

• Traditionally attackers would use a password cracker like Cain and Abel to obtain the user’s password from the hash. From there they would proceed to further attacks. However breaking passwords can be a time consuming job.
• With new tools such as Squirtle and Smbrelay3 one no longer needs to obtain the passwords. Instead these attack tools allow malicious users to make use of the NTLM credentials to login as the victim on a target server of their choice. NTLM credentials can then be used on network shares, IMAP servers, SQL servers and any other software that supports this authentication scheme.

Very recently Microsoft published a security patch (MS08-068) that mitigates some of the issues associated with NTLM authentication. This means that if a victim running the latest patches sends his / her NTLM credentials to an attacker’s malicious HTTP server, the attacker can no longer replay these credentials on the victim’s workstation or server. However this patch only protects against this particular scenario, and therefore the attack would still work if the attacker simply accesses a different machine with the victim’s credentials.

What can one do to mitigate this security issue?

From a web application security point of view, it is important to threat internal web applications as part of the attack surface. Although Cross Site Scripting is not the only way of luring victims into automatically sending their NTLM credentials on an internal network, it definitely is one of the most effective. Therefore fixing such vulnerabilities in your internal web applications can help mitigate this and many other attack vectors that may apply to your organization.