Re: Authentication flaw in microsoft SMB protocol

From: Dave Aitel (
Date: 04/19/03

  • Next message: Matthew Murphy: "Race in XP SCM Service Shutdown Mechanism"
    Date: Sat, 19 Apr 2003 12:11:33 -0400
    From: Dave Aitel <>

    Also found and demonstrated by dildog at defcon 3 years ago. So don't
    hold your breath waiting for that patch.

    Dave Aitel
    Immunity, Inc.

    On 19 Apr 2003 13:24:33 -0000
    <> wrote:

    > Detailed information:
    > Summary
    > =======
    > Microsoft uses SMB Protocol for “File and Printer sharing service” in
    > all versions of Windows. Upon accessing a network resource, NTLM
    > Authentication is used to authenticate the client on the server. When
    > a logged-in user requests for a network share on the server, Windows
    > automatically sends the encrypted hashed password of the logged-in
    > username to the target SMB server before prompting for password.
    > Although the hashed password is not sent in plaintext format, and it
    > is encrypted by the server challenge, a malicious SMB Server could use
    > this information to authenticate on the client machine and in many
    > cases, gain full control over the shared objects of the client such as
    > C$, etc.
    > Exploit
    > =======
    > We will publish the exploit code after a patch be created by software
    > vendor.

  • Next message: Matthew Murphy: "Race in XP SCM Service Shutdown Mechanism"

    Relevant Pages

    • Re: 5.3-RELEASE: WARNING - WRITE_DMA interrupt timout
      ... My problem is not related to a SATA controller. ... Everything works pretty well on this server. ... the qmail MTA, an otherwise pretty powerful email program. ... I'm going to apply a patch to qmail in a few days. ...
    • Re: KB917537 Failing
      ... four days after the patch released. ... mature server OS, an enterprise-class messaging system, and automated ... if you hit the "Restart" button ... here as I had assumed this would be a common problem.. ...
    • Re: ER problem / bug? in 11.50.UC3
      ... The engineer develops a patch and performs unit testing to verify that the patch is working. ... The staging branch is built nightly and goes through some 10 hours of automated testing daily. ... catch that you used an uppercase letter when defining the server. ... not necessarily those of the Fonterra Co-operative Group. ...
    • Re: FOLLOW UP : Forms Authentication Randomly Times Out (Windows 2003)
      ... Well there goes my theory on the patch. ... "Joe Audette" wrote in message ... > It doesn't look like we have that patch on our server. ... > had to scrap the automatic re-direction to login from the ...
    • Re: April Security Patches and SQL Server
      ... to track down your problems with the patch. ... > find my original post of 4/22. ... > on Win2k Server sp4). ... > these patches to the server. ...