Automatically passing NTLM authentication credentials on XP

From: urity (urity_at_SECURITYFRIDAY.COM)
Date: 09/27/04

  • Next message: George Monkey: "patch redistribution"
    Date:         Mon, 27 Sep 2004 10:00:00 +0900
    To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
    
    

    Hello,

    Windows XP will perform NTLM authentication when connecting to a
    remote SMB server. This could allow a malicious user to obtain your
    NTLM authentication credentials without your knowledge.

    A malicious user could exploit this behavior by putting a normal
    Microsoft Word document on a normal IIS and running a rogue SMB
    server on the same machine. After opening the document (just close
    it), an XP client with WebClient service would attempt to initiate a
    SMB session to the server - automatically passing NTLM authentication
    credentials to the malicious server's owner.

    I have already found a web site like this on the Internet but I don't
    know the site is malicious or not.

    Microsoft stated that this is not serious, so I inform you.

    [My test environment]
    Server: www.xxx.yyy
    - Windows 2000 server with IIS 5.0 by default
    - Place zzz.doc in wwwroot\test folder.
    Client:
    - Windows XP SP1 with Microsoft Office 2000 SP3 or 2002 SP3, and
    Windows XP SP2 with Microsoft Office 2002 SP3
    - Access http://www.xxx.yyy/test/zzz.doc with Internet Explorer and
    open with Microsoft Word plug-in.
    - Close it or access another page. Then Windows XP will attempt to
    access \\www.xxx.yyy\test via SMB.
    - Confirm that a shortcut to \\www.xxx.yyy\test is placed in My Network Places.

    For more information:
    http://www.securityfriday.com/Topics/winxp3.html

    Kind regards,
    Urity

    -----
    NTBugtraq Editor's Note:

    Want to reply to the person who sent this message? This list is configured such that just hitting reply is going to result in the message coming to the list, not to the individual who sent the message. This was done to help reduce the number of Out of Office messages posters received. So if you want to send a reply just to the poster, you'll have to copy their email address out of the message and place it in your TO: field.
    -----


  • Next message: George Monkey: "patch redistribution"

    Relevant Pages