Re: Authentication flaw in Microsoft SMB protocol

From: Dave Aitel (dave@immunitysec.com)
Date: 04/19/03

    Date: Sat, 19 Apr 2003 12:11:33 -0400
    From: Dave Aitel <dave@immunitysec.com>
    To: bugtraq@securityfocus.com
    
    

    Also found and demonstrated by DilDog at DEF CON 3 years ago. So don't
    hold your breath waiting for that patch.

    Dave Aitel
    Immunity, Inc.
    http://www.immunitysec.com/

    On 19 Apr 2003 13:24:33 -0000
    <seclab@ce.aut.ac.ir> wrote:

    >
    >
    > Detailed information:
    > http://seclab.ce.aut.ac.ir/vreport.htm
    >
    > Summary
    > =======
    > Microsoft uses the SMB protocol for the "File and Printer Sharing" service in
    > all versions of Windows. Upon accessing a network resource, NTLM
    > authentication is used to authenticate the client to the server. When
    > a logged-in user requests a network share on the server, Windows
    > automatically sends the encrypted hashed password of the logged-in
    > user to the target SMB server before prompting for a password.
    > Although the hashed password is not sent in plaintext format, and it
    > is encrypted with the server challenge, a malicious SMB server could use
    > this information to authenticate to the client machine and, in many
    > cases, gain full control over the shared objects of the client, such as
    > C$, etc.
    >
    ...
    > Exploit
    > =======
    > We will publish the exploit code after a patch has been created by the
    > software vendor.

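The exchange the quoted summary describes, modelled end to end as an added example. This is not code from the original post, from seclab, or from Immunity; it is a toy simulation written for this page. The response function is a stand-in (HMAC-SHA256 of the challenge under a password-derived key) for the real NTLM computation, because the reflection does not depend on how the response is computed, only on the same credential being valid on both ends and the response being bound to nothing except the challenge. Host names, the account "alice" and its password are constructed. The `hardened` variant models the kind of fix Microsoft eventually shipped for this attack class (MS08-068): a client refuses to answer a challenge that its own server side currently has outstanding. That modelling is an assumption about the fix, not a quote from it.

```python
"""Toy model of SMB/NTLM reflection: a malicious server turns the victim's
automatic NTLM response around and uses it to log in to the victim itself."""
import hashlib
import hmac
import os


def owf(password: str) -> bytes:
    """Stand-in for the NT one-way function (the stored password hash).
    Real Windows uses MD4 over UTF-16LE; SHA-256 plays that role here."""
    return hashlib.sha256(password.encode("utf-16le")).digest()


def challenge_response(key: bytes, challenge: bytes) -> bytes:
    """Stand-in for the NTLM challenge-response computation.
    Real NTLM uses DES (v1) or HMAC-MD5 (v2); the attack is indifferent."""
    return hmac.new(key, challenge, hashlib.sha256).digest()


class Host:
    """One Windows box: a server side (shares, local account store) and a
    client side that answers challenges with the logged-in user's credential."""

    def __init__(self, name, accounts, logged_in, hardened=False):
        self.name = name
        self.accounts = accounts        # user -> owf, the local account store
        self.logged_in = logged_in      # (user, owf) the client side will send
        self.hardened = hardened
        self.outstanding = set()        # challenges our server side has issued

    # --- server side (the share being accessed, e.g. C$) -----------------
    def issue_challenge(self) -> bytes:
        c = os.urandom(8)
        self.outstanding.add(c)
        return c

    def verify(self, user: str, challenge: bytes, response: bytes) -> bool:
        """Accept only a response to a challenge we issued, for a known
        account; each challenge is usable once."""
        if challenge not in self.outstanding:
            return False
        self.outstanding.discard(challenge)
        key = self.accounts.get(user)
        if key is None:
            return False
        return hmac.compare_digest(challenge_response(key, challenge), response)

    # --- client side (the logged-in user browsing to a share) ------------
    def answer(self, challenge: bytes):
        """The behaviour the post describes: respond automatically with the
        logged-in user's credential, no prompt. The hardened variant refuses
        a challenge that this host's own server side has outstanding, which
        is exactly what a reflected challenge looks like (modelled fix)."""
        user, key = self.logged_in
        if self.hardened and challenge in self.outstanding:
            return None                 # reflection detected: send nothing
        return user, challenge_response(key, challenge)


def normal_login(client: Host, server: Host) -> bool:
    """Honest exchange: server challenges, client answers, server verifies."""
    c = server.issue_challenge()
    answer = client.answer(c)
    if answer is None:
        return False
    user, resp = answer
    return server.verify(user, c, resp)


def reflect(victim: Host) -> bool:
    """Malicious SMB server. When the victim's user connects to our share we
    do not invent a challenge: we connect back to the victim's own server
    side (its C$), take ITS challenge, hand that to the victim client as if
    it were ours, and replay the answer straight back to the victim."""
    their_challenge = victim.issue_challenge()      # we act as the victim's client
    answer = victim.answer(their_challenge)          # the victim acts as ours
    if answer is None:
        return False
    user, resp = answer
    return victim.verify(user, their_challenge, resp)


def demo() -> dict:
    """Constructed scenario: one account valid on every host, as is common
    for a local admin password reused across a network."""
    alice = ("alice", owf("s3cret"))
    victim = Host("WS1", {"alice": alice[1]}, alice)
    fileserver = Host("FS1", {"alice": alice[1]}, alice)
    hardened = Host("WS2", {"alice": alice[1]}, alice, hardened=True)
    return {
        "normal": normal_login(victim, fileserver),
        "reflected": reflect(victim),
        "reflected_hardened": reflect(hardened),
        "normal_hardened": normal_login(hardened, fileserver),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

Note what the outstanding-challenge check does and does not buy: it stops the response being turned around onto the same host, but the same captured response is just as valid when relayed to a third machine where the credential also works (`fileserver` above). Closing that hole needs the response bound to the session, which is what SMB signing and, later, channel binding provide; a stronger hash alone does nothing here.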