To be clear, the issue in "Test A" is the lack of certificate validation. It wasn't immediately clear (poorly worded, IMO) but that's the (only) issue I see in that scenario and that is, indeed, a security issue (allows a MITM attack).
"Test B", however, is not a security issue at all, IMO; instead, it is "working exactly as intended".
> The Apache logs are not even needed without SSL enabled because the first request to the web server includes the username and password in clear text.
If SSL isn't enabled then, yes, of course it does. This may come as a shock to the author but standard IMAP4/POP3 without SSL also sends credentials in the clear (as does -- gasp! -- every other plain-text protocol!)
> Even when SSL is not enabled the client should not be sending the credentials without first verifying that it is a real exchange server.
And just how would the client do that? Using an (easily spoofable) "Server:" header in the HTTP response?
> Realistically the client should not even send the password before verifying the user exists.
That, however, would be an information disclosure vulnerability (identifying valid usernames on the server). That's why no other mail server in use on the Internet does that either. Not to mention that it's real easy for a malicious attacker (in control of the server) to lie about that too.
Aside: if you're running an Exchange server, set up Autodiscover [0] and all your users need to set up their mail account is their username and password (no server details are needed!). For other (i.e. non-Exchange) mail servers, there's a similar "Autoconfiguration" method that is supported by various mail clients, such as Thunderbird [1].
> To be clear, the issue in "Test A" is the lack of certificate validation. It wasn't immediately clear (poorly worded, IMO) but that's the (only) issue I see in that scenario and that is, indeed, a security issue (allows a MITM attack).
Actually, even this is completely wrong. You are understandably giving a charitable reading to the poorly worded explanation. I have tested this earlier today on an iOS 10.3.3 device and an iOS 11 device, and the TLS certificate is absolutely validated properly.
As you've stated with Test B, yes, if SSL is turned off then the information is indeed sent in plaintext during the account setup. However, I don't know what the purpose of this test was, as this is (as you said) expected behavior.
> And just how would the client do that? Using an (easily spoofable) "Server:" header in the HTTP response?
umm , yes?? Even a simple check would increase the complexity a successful attack. Yes it could be duplicated , but having a client that just dumps the credential without any verification does not sound like a good idea and is poor programming.
No, underneath the bad writing it appears there is a real problem here. If you go to his simple walkthrough page you get a better understanding: https://leakyx.com/info.php
Credentials are sent BEFORE prompting the user to accept a self signed cert. So it sounds like an attacker can harvest credentials on a rogue wifi by spoofing DNS and using a self-signed cert. I don't have an iOS device so I can't test.
So basically typosquatting? It seems to me that any service that doesn't show the SSL certificate (or the EV name) is vulnerable to this, not just Exchange on iOS.
Edit: It seem it doesn't check the SSL certificate either. But it's super easy to get a valid SSL certificate nowadays, so just checking the SSL certificate for validity wouldn't be enough.
And all this while everyone is paying billions for complex info-sec software that does a lot less then it says on the tin. It's similar to the epidemic problem with non-verified/signed SSH keys where everyone just clicks Ok to any host-key presented. Though a bit more subtle, and something that should have been avoidable with a proper designed protocol.
It's the kind of trivial little thing that gets ignored(along with boring old maintenance tasks like patching infrastructure servers ect.) not despite of but because of all the attention given and budget spend on attending conferences on cyber-warfare and never to be correctly installed(let alone monitored) infosec appliances.
Almost every major hack ever blamed on super advanced state sponsored groups turns out to be someone fumbling a routine update (like what happened with equifax and wannacry) or setting a bad password(guccifer 1+2 etc.) And yet the lesson that gets drawn is never, "lets start following proper procedures for maintenance and training" but "lets reduce the maintenance budget some more by spending on infosec conferences and toys."
So a more realistic scenario might be after gaining access to a company's LAN, or at a public WiFi? Did I read it right, you can force downgrade Exchange clients from TLS to plaintext, essentially?
What more did Apple say on the phone? No rationale given?
No, there is no vulnerability here there is no real way to force downgrade or redirect traffic, iOS will prompt a message asking you to confirm a self signed certificate.....
What the author claims is a vulnerability isn't one in any real sense.
They basically "complain" that the mailbox on the iOS phone doesn't "validates" that the server is a real exchange server, in all honestly neither does outlook, nor most other client-server protocols I know off if the server isn't correct it will fail that's it.
Even if there was a way to downgrade or redirect traffic if you have the ability to do that it's game over, if you can MitM an SSL connection between an iOS device and it's server faking a layer 7 handshake isn't really hard to do at that point.
I see no evidence of a force downgrade, you can see in the screenshots that he configured SSL off. If you configure SSL off, your credentials go over the wire in plaintext. Surprise surprise.
This is a bigger issue because those credentials can be used to authenticate to the Exchange server to download emails or, if they're using Active Directory elsewhere in the enterprise, to VPN in, to log in to servers, so on and so forth.
[+] [-] jlgaddis|8 years ago|reply
"Test B", however, is not a security issue at all, IMO; instead, it is "working exactly as intended".
> The Apache logs are not even needed without SSL enabled because the first request to the web server includes the username and password in clear text.
If SSL isn't enabled then, yes, of course it does. This may come as a shock to the author but standard IMAP4/POP3 without SSL also sends credentials in the clear (as does -- gasp! -- every other plain-text protocol!)
> Even when SSL is not enabled the client should not be sending the credentials without first verifying that it is a real exchange server.
And just how would the client do that? Using an (easily spoofable) "Server:" header in the HTTP response?
> Realistically the client should not even send the password before verifying the user exists.
That, however, would be an information disclosure vulnerability (identifying valid usernames on the server). That's why no other mail server in use on the Internet does that either. Not to mention that it's real easy for a malicious attacker (in control of the server) to lie about that too.
Aside: if you're running an Exchange server, set up Autodiscover [0] and all your users need to set up their mail account is their username and password (no server details are needed!). For other (i.e. non-Exchange) mail servers, there's a similar "Autoconfiguration" method that is supported by various mail clients, such as Thunderbird [1].
[0]: https://msdn.microsoft.com/en-us/library/office/jj900169(v=e...
[1]: https://developer.mozilla.org/en-US/docs/Mozilla/Thunderbird...
[+] [-] willstrafach|8 years ago|reply
Actually, even this is completely wrong. You are understandably giving a charitable reading to the poorly worded explanation. I have tested this earlier today on an iOS 10.3.3 device and an iOS 11 device, and the TLS certificate is absolutely validated properly.
As you've stated with Test B, yes, if SSL is turned off then the information is indeed sent in plaintext during the account setup. However, I don't know what the purpose of this test was, as this is (as you said) expected behavior.
[+] [-] unknown|8 years ago|reply
[deleted]
[+] [-] dogma1138|8 years ago|reply
[+] [-] creator_lol|8 years ago|reply
umm , yes?? Even a simple check would increase the complexity a successful attack. Yes it could be duplicated , but having a client that just dumps the credential without any verification does not sound like a good idea and is poor programming.
[+] [-] mirashii|8 years ago|reply
[+] [-] mdeeks|8 years ago|reply
Credentials are sent BEFORE prompting the user to accept a self signed cert. So it sounds like an attacker can harvest credentials on a rogue wifi by spoofing DNS and using a self-signed cert. I don't have an iOS device so I can't test.
[+] [-] frlnBorg|8 years ago|reply
[+] [-] jlgaddis|8 years ago|reply
cf. https://leakyx.com.
[+] [-] unknown|8 years ago|reply
[deleted]
[+] [-] DiThi|8 years ago|reply
Edit: It seem it doesn't check the SSL certificate either. But it's super easy to get a valid SSL certificate nowadays, so just checking the SSL certificate for validity wouldn't be enough.
[+] [-] jlgaddis|8 years ago|reply
[+] [-] Stranger43|8 years ago|reply
It's the kind of trivial little thing that gets ignored(along with boring old maintenance tasks like patching infrastructure servers ect.) not despite of but because of all the attention given and budget spend on attending conferences on cyber-warfare and never to be correctly installed(let alone monitored) infosec appliances.
Almost every major hack ever blamed on super advanced state sponsored groups turns out to be someone fumbling a routine update (like what happened with equifax and wannacry) or setting a bad password(guccifer 1+2 etc.) And yet the lesson that gets drawn is never, "lets start following proper procedures for maintenance and training" but "lets reduce the maintenance budget some more by spending on infosec conferences and toys."
[+] [-] MichaelGG|8 years ago|reply
What more did Apple say on the phone? No rationale given?
[+] [-] dogma1138|8 years ago|reply
What the author claims is a vulnerability isn't one in any real sense.
They basically "complain" that the mailbox on the iOS phone doesn't "validates" that the server is a real exchange server, in all honestly neither does outlook, nor most other client-server protocols I know off if the server isn't correct it will fail that's it.
Even if there was a way to downgrade or redirect traffic if you have the ability to do that it's game over, if you can MitM an SSL connection between an iOS device and it's server faking a layer 7 handshake isn't really hard to do at that point.
[+] [-] mirashii|8 years ago|reply
[+] [-] throwaway613834|8 years ago|reply
[+] [-] AaronFriel|8 years ago|reply
[+] [-] unknown|8 years ago|reply
[deleted]
[+] [-] frlnBorg|8 years ago|reply
[+] [-] unknown|8 years ago|reply
[deleted]
[+] [-] mavhc|8 years ago|reply
[+] [-] raverbashing|8 years ago|reply
(Or send passwords over TLS)
[+] [-] lawnchair_larry|8 years ago|reply
[+] [-] jlgaddis|8 years ago|reply