Automatically passing NTLM authentication credentials on XP
From: urity (urity_at_SECURITYFRIDAY.COM)
Date: Mon, 27 Sep 2004 10:00:00 +0900 To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
Windows XP will perform NTLM authentication when connecting to a
remote SMB server. This could allow a malicious user to obtain your
NTLM authentication credentials without your knowledge.
A malicious user could exploit this behavior by putting a normal
Microsoft Word document on a normal IIS and running a rogue SMB
server on the same machine. After opening the document (just close
it), an XP client with WebClient service would attempt to initiate a
SMB session to the server - automatically passing NTLM authentication
credentials to the malicious server's owner.
I have already found a web site like this on the Internet but I don't
know the site is malicious or not.
Microsoft stated that this is not serious, so I inform you.
[My test environment]
- Windows 2000 server with IIS 5.0 by default
- Place zzz.doc in wwwroot\test folder.
- Windows XP SP1 with Microsoft Office 2000 SP3 or 2002 SP3, and
Windows XP SP2 with Microsoft Office 2002 SP3
- Access http://www.xxx.yyy/test/zzz.doc with Internet Explorer and
open with Microsoft Word plug-in.
- Close it or access another page. Then Windows XP will attempt to
access \\www.xxx.yyy\test via SMB.
- Confirm that a shortcut to \\www.xxx.yyy\test is placed in My Network Places.
For more information:
NTBugtraq Editor's Note:
Want to reply to the person who sent this message? This list is configured such that just hitting reply is going to result in the message coming to the list, not to the individual who sent the message. This was done to help reduce the number of Out of Office messages posters received. So if you want to send a reply just to the poster, you'll have to copy their email address out of the message and place it in your TO: field.