Automatically passing NTLM authentication credentials on XP

From: urity (urity_at_SECURITYFRIDAY.COM)
Date: 09/27/04

Next message: George Monkey: "patch redistribution"

Previous message: k levinson: "Re: Inconsistencies between Windows Updates and AU/SUS"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Date:         Mon, 27 Sep 2004 10:00:00 +0900
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM

Hello,

Windows XP will perform NTLM authentication when connecting to a
remote SMB server. This could allow a malicious user to obtain your
NTLM authentication credentials without your knowledge.

A malicious user could exploit this behavior by putting a normal
Microsoft Word document on a normal IIS and running a rogue SMB
server on the same machine. After opening the document (just close
it), an XP client with WebClient service would attempt to initiate a
SMB session to the server - automatically passing NTLM authentication
credentials to the malicious server's owner.

I have already found a web site like this on the Internet but I don't
know the site is malicious or not.

Microsoft stated that this is not serious, so I inform you.

[My test environment]
Server: www.xxx.yyy
- Windows 2000 server with IIS 5.0 by default
- Place zzz.doc in wwwroot\test folder.
Client:
- Windows XP SP1 with Microsoft Office 2000 SP3 or 2002 SP3, and
Windows XP SP2 with Microsoft Office 2002 SP3
- Access http://www.xxx.yyy/test/zzz.doc with Internet Explorer and
open with Microsoft Word plug-in.
- Close it or access another page. Then Windows XP will attempt to
access \\www.xxx.yyy\test via SMB.
- Confirm that a shortcut to \\www.xxx.yyy\test is placed in My Network Places.

For more information:
http://www.securityfriday.com/Topics/winxp3.html

Kind regards,
Urity

-----
NTBugtraq Editor's Note:

Want to reply to the person who sent this message? This list is configured such that just hitting reply is going to result in the message coming to the list, not to the individual who sent the message. This was done to help reduce the number of Out of Office messages posters received. So if you want to send a reply just to the poster, you'll have to copy their email address out of the message and place it in your TO: field.
-----

Next message: George Monkey: "patch redistribution"

Previous message: k levinson: "Re: Inconsistencies between Windows Updates and AU/SUS"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Relevant Pages

Authentication flaw in microsoft SMB protocol
... Microsoft uses SMB Protocol for “File and Printer sharing service” in all ... Authentication is used to authenticate the client on the server. ... logged-in user requests for a network share on the server, Windows ...
(Bugtraq)
RE: Authenticating off a Windows 2003 ADS DC with Samba/Winbind
... Authenticating off a Windows 2003 ADS DC with Samba/Winbind ... The computer now appears in the "Computers" list on the Windows server. ... SMB servers = "192.168.0.100" ...
(Fedora)
Re: [Full-disclosure] Windows Vista/7 : SMB2.0 NEGOTIATE PROTOCOL REQUEST Remote B.S.O.D.
... SMB2.0 NEGOTIATE PROTOCOL REQUEST Remote B.S.O.D. ... Windows vista and newer Windows comes with a new SMB version named SMB2. ... SMB server, and it's used to identify the SMB dialect that will be used ...
(Full-Disclosure)
Re: Kaseya
... does this problem applies to SMB under Unix servers or Windows only? ... If the "device" is actually a rogue SMB server, ...
(Pen-Test)
RE: Authenticating off a Windows 2003 ADS DC with Samba/Winbind[Scanned]
... The server that I'm connecting to is a Windows SBS 2003 machine that I've disabled the SMB signing on. ... I my case I'm using a dual boot machine that also has Windows XP Professional installed - I've not had chance to test a standalone FC3 machine. ... krb5 realm via dns is disabled ...
(Fedora)