IBM Client Security Password Manager Authentication Information Disclosure Vulnerability

Vulnerability ID 1193295 Vulnerability type Design error
Published 2006-10-05 Updated 2006-10-06
CVE ID CVE-2006-5161 CNNVD ID CNNVD-200610-073
Platform N/A CVSS score 6.4
|Vulnerability source
https://cxsecurity.com/issue/WLB-2006100047
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200610-073
|Vulnerability details
IBM Client Security Password Manager lets users authenticate to application forms with a fingerprint. The product has a flaw in how it handles the exchange of user authentication information, which may allow a remote attacker to obtain credentials without authorization. IBM Client Security Password Manager maps its stored profiles to the application's "window name" property, so an attacker could use phishing, cross-site scripting or similar methods to lure a user to a web page carrying a chosen title, cause the user to submit their authentication credentials to it, and thereby gain unauthorized access.
|Vulnerability EXP
Hello all,

I recently found a security flaw in the design of the IBM Client Security
Password Manager (an application used to authenticate application forms using
fingerprints).

It came to my attention that the application only recognized my e-bank site and
authed against it if I had just created a profile. If I closed the browser and
opened a new one, the IBM Password Manager wouldn't recognize the e-bank site.

I figured that the password manager mapped its profiles against the "window
name" property of the application.

In this case, the problem was that the bank dynamically changed the window title
to the current date.

Since the IBM Client Security Password Manager authenticates by mapping the
window title information, a malicious user could trick another user into
sending his credentials (by phishing, xss or by other simple methods...)

This is very easy to test:
a) using the IBM Client Security Password Manager, create a new profile for a
site with a static title (for instance, Horde webmail)
b) create a new site with the same window title and host it *anywhere you like*
c) go to that site and authenticate against it with the IBM Client Security
Password Manager application.

If you are using Horde (a Portuguese version) you can test it in this page:
http://lms.ispgaya.pt/goodies/ibm/

It is actually ironic that, since the IBM application works this way, a user is
better off using the browser's built-in password manager (since it would detect
that the site isn't safe / recognized).

Best regards,
+----------------------------------------
| Luís Miguel Ferreira da Silva
| Network Administrator @ISPGaya
| Instituto Superior Politécnico Gaya
| Rua António Rodrigues da Rocha, 291/341
| Sto. Ovídio - 4400-025 V. N. de Gaia
| Tel: +351 223745730/3/5
| GSM: +351 912671471 +351 936371253
+----------------------------------------

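The advisory's core point is that the password manager keys its profiles on a value the attacker controls (the window title) rather than on one they do not (the page's origin). The following added example, which is not part of the advisory or of IBM's product and models both behaviours in a constructed toy vault, plays the three situations the author describes against a title-keyed store and an origin-keyed store: the bank whose title changes daily, a lookalike page elsewhere reusing the original title, and the same host reached over plain http. The site names, titles and credential are all constructed.

```python
"""Title-keyed vs. origin-keyed credential matching (constructed example)."""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple
from urllib.parse import urlsplit


@dataclass(frozen=True)
class Credential:
    username: str
    password: str


class TitleKeyedVault:
    """Models the flawed design described in the advisory: a saved profile
    is looked up by the window title alone, so the URL is ignored."""

    def __init__(self) -> None:
        self._by_title: Dict[str, Credential] = {}

    def save(self, title: str, url: str, cred: Credential) -> None:
        self._by_title[title] = cred

    def lookup(self, title: str, url: str) -> Optional[Credential]:
        return self._by_title.get(title)


Origin = Tuple[str, str, int]


def origin_of(url: str) -> Origin:
    """Reduce a URL to its (scheme, host, port) origin. A page hosted elsewhere
    cannot choose this value the way it can choose its title, which is why a
    password manager should match on it."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise ValueError(f"not a web origin: {url!r}")
    port = parts.port or (443 if parts.scheme == "https" else 80)
    return (parts.scheme, parts.hostname.lower(), port)


class OriginKeyedVault:
    """Hardened variant: profiles are keyed by origin, and the title is ignored."""

    def __init__(self) -> None:
        self._by_origin: Dict[Origin, Credential] = {}

    def save(self, title: str, url: str, cred: Credential) -> None:
        self._by_origin[origin_of(url)] = cred

    def lookup(self, title: str, url: str) -> Optional[Credential]:
        try:
            return self._by_origin.get(origin_of(url))
        except ValueError:
            return None  # non-web targets never get a credential


def simulate(vault) -> Dict[str, bool]:
    """Run the situations from the advisory against a vault and report whether
    the stored credential would be released in each. All values are constructed."""
    cred = Credential("alice", "correct horse battery staple")
    bank = "https://bank.example/login"
    # The profile was created while the bank's title showed that day's date.
    vault.save("e-bank - 2006-10-03", bank, cred)
    return {
        # Same site the next day: the dynamic title has changed.
        "bank_next_day": vault.lookup("e-bank - 2006-10-04", bank) == cred,
        # Lookalike page hosted elsewhere, reusing the original title.
        "lookalike_same_title": vault.lookup(
            "e-bank - 2006-10-03", "http://attacker.example/fake") == cred,
        # Same host over plain http, a different origin: should not match.
        "bank_downgraded": vault.lookup(
            "e-bank - 2006-10-03", "http://bank.example/login") == cred,
    }


if __name__ == "__main__":
    for name, vault in (("title-keyed", TitleKeyedVault()),
                        ("origin-keyed", OriginKeyedVault())):
        print(name, simulate(vault))
```

Run as a script, the title-keyed vault reproduces both halves of the author's observation: it fails to recognise the bank once the title has changed, yet hands the credential to any page that merely repeats the old title. The origin-keyed vault inverts both results, and additionally refuses the http downgrade of the same host because scheme and port are part of the key.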
|References

Source: BID
Name: 20308
Link: http://www.securityfocus.com/bid/20308
Source: BUGTRAQ
Name: 20061003 Security flaw in IBM Client Security Password Manager
Link: http://www.securityfocus.com/archive/1/archive/1/447577/100/0/threaded
Source: SREASON
Name: 1681
Link: http://securityreason.com/securityalert/1681