RE: Authentication flaw in microsoft SMB protocol

From: Jesper Johansson (jesperjo@microsoft.com)
Date: 04/21/03

  • Next message: Matthew Murphy: "AN HTTPd Sample Script File Truncation"
    Date: Mon, 21 Apr 2003 14:41:49 -0700
    From: "Jesper Johansson" <jesperjo@microsoft.com>
    To: <bugtraq@securityfocus.com>
    
    

    > -----Original Message-----
    > From: Dave Aitel [mailto:dave@immunitysec.com]

    > Also found and demonstrated by dildog at defcon 3 years ago. So don't
    > hold your breath waiting for that patch.

    You don't need to wait. This is prevented with NTLM v.2, which shipped
    with Windows NT 4.0 SP4 in October 1998. This type of attack is also
    foiled with Kerberos, which is negotiated by default in a Windows 2000
    or higher domain.

    To learn more about using NTLM v.2 and Kerberos, refer to the Windows
    2000 Security Hardening Guide:
    http://www.microsoft.com/technet/security/prodtech/Windows/Win2kHG.asp
    downloadable at:
    http://www.microsoft.com/downloads/details.aspx?FamilyID=15E83186-A2C8-4
    C8F-A9D0-A0201F639A56&DisplayLang=en

    > > When
    > > a logged-in user requests for a network share on the
    > server, Windows
    > > automatically sends the encrypted hashed password of the logged-in
    > > username to the target SMB server before prompting for password.

    This is not correct. Window sends a response to a server challenge. The
    response is computed from the users hash and the challenge sent by the
    server. Passwords, hashed, encrypted or otherwise, are never sent on the
    wire during a connection.

    Jesper M. Johansson
    Security Program Manager
    Microsoft Corporation


  • Next message: Matthew Murphy: "AN HTTPd Sample Script File Truncation"

    Relevant Pages

    • SecurityFocus Microsoft Newsletter #154
      ... MICROSOFT VULNERABILITY SUMMARY ... ISS RealSecure Server Sensor SSL Denial Of Service Vulnerabi... ... Roger Wilco Remote Server Side Buffer Overrun Vulnerability ... available for Microsoft Windows operating systems. ...
      (Focus-Microsoft)
    • Re: EAP-TLS with windows CE
      ... Thanks for the quick response. ... Windows CE then prompts the wireless user for the ... to the AP which gets passed on to an authentication server (RADIUS or ... nothing to do with the contents of the certificate at all. ...
      (microsoft.public.windowsce.platbuilder)
    • Re: Kerberos to NTLM???
      ... It is by design if Kerberos authentication fails, ... Windows 2000 and 2003 domain controllers support Kerberos and NTLM ... 2-way trust between 2 Windows Server 2003 domains. ...
      (microsoft.public.windows.server.networking)
    • SecurityFocus Microsoft Newsletter #49
      ... Subject: SecurityFocus Microsoft Newsletter #49 ... Microsoft Windows NNTP Denial of Service Vulnerability ... Microsoft IIS SSI Buffer Overrun Privelege Elevation Vulnerability ... Microsoft ISA Server H.323 Memory Leak Denial of Service... ...
      (Focus-Microsoft)
    • ~~~~~~~~~~~~~~ CANNOT FIND ~~~~~~~~~~~~~~
      ... acrobat cannot find external windows handler ... activesync cannot find exchange server ... aol internet explorer cannot find server ... brother network scanner cannot find pc ...
      (sci.geo.fluids)