[14703] in bugtraq
Modifying NT credential and RAZOR's analysis of dvwsrr.dll
daemon@ATHENA.MIT.EDU (Iván Arce)
Thu Apr 27 12:51:21 2000
Mime-Version: 1.0
Content-Type: text/plain; charset=iso-8859-1
Content-Transfer-Encoding: 8bit
Message-Id: <39078CFC.C260DDD8@core-sdi.com>
Date: Wed, 26 Apr 2000 21:37:23 -0300
Reply-To: Iván Arce <core.lists.bugtraq@CORE-SDI.COM>
From: Iván Arce <core.lists.bugtraq@CORE-SDI.COM>
X-To: BUGTRAQ@SECURITYFOCUS.COM
To: BUGTRAQ@SECURITYFOCUS.COM
In light of Simple Nomad's post regarding the dvwsrr.dll overflow:
> Date: Mon, 17 Apr 2000 16:06:37 -0500
> From: Simple Nomad <thegnome@NMRC.ORG>
> To: BUGTRAQ@SECURITYFOCUS.COM
>
>
> BindView RAZOR Team Analysis of DVWSSR.DLL Risks
[snip]
>
>
> 5. In theory if you can get the hash of a user with the access, you can
> exploit the buffer overflow. This is called "passing the hash", and
> essentially means that you use the hash without cracking the password to
> authenticate to the target server. See
> http://www.ntbugtraq.com/default.asp?pid=36&sid=1&A2=ind9704&L=NTBUGTRAQ&P=R2734&D=0
> for details from RAZOR's Paul Ashton on the basis for this technique. This
> technique is currently one of the stars of Foundstone's "Hacking Exposed:
> Live" presentations being put on by George Kurtz and Eric Schultze at
> security shows around the globe. Certainly in theory this could be adapted
> to this exploit.
The details of the above 'technique' are described in Hernan Ochoa's paper
published in the Guest Feature Forum at Security Focus:
<http://www.securityfocus.com/templates/forum_message.html?forum=2&head=1512&id=1512>
(warning: the URL might be wrapped by your viewer)
It is also available at our site:
<http://www.core-sdi.com/papers/NTcred.html>
-ivan
--
"Understanding. A cerebral secretion that enables one having it to know
a house from a horse by the roof on the house.
Its nature and laws have been exhaustively expounded by Locke,
who rode a house, and Kant, who lived in a horse." - Ambrose Bierce
==================[ CORE Seguridad de la Informacion S.A. ]=========
Ivan Arce
Presidente
PGP Fingerprint: C7A8 ED85 8D7B 9ADC 6836 B25D 207B E78E 2AD1 F65A
email : iarce@core-sdi.com
http://www.core-sdi.com
Pte. Juan D. Peron 315 Piso 4 UF 17
1038 Capital Federal
Buenos Aires, Argentina. Tel/Fax : +(54-11) 4331-5402
Casilla de Correos 877 (1000) Correo Central
=====================================================================
--- For a personal reply use iarce@core-sdi.com