[4179] in bugtraq
Re: Internet Explorer Bug #4
daemon@ATHENA.MIT.EDU (Paul)
Sun Mar 16 16:26:06 1997
Date: Sun, 16 Mar 1997 10:56:46 -0500
Reply-To: Paul <pjjvande@CAYLEY.UWATERLOO.CA>
From: Paul <pjjvande@CAYLEY.UWATERLOO.CA>
X-To: Dominique Brezinski <dominique.brezinski@CYBERSAFE.COM>
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To: <3.0.32.19970314182923.00a72100@pop-srvr>
> >It is interesting to note that in theory someone could set up a Lanman server
> >that makes a simultaneous connection back to the client as a connection
> >comes in. By simply relaying the same challenge and password back to the
> >client, the remote server could gain network access to the vulnerable client.
>
> This is false. When establishing the connection back to the client
> machine, the client will issue its own challenge to the server, so
> this will not work.
Here is a scenario: before sending the challenge to the victim,
connect to the victim's host and use the challenge given by that host as
the victim's challenge. Then use the victim's response as the response to
the victim's host.
Why would this not work?
Seems to poke a nice big hole into the entire challenge response
mechanism.
- Paul
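Paul's scenario, modelled as an added Python example (not part of the original thread, and using a toy HMAC-SHA256 exchange rather than LAN Manager's real hash). With an unbound response the relayed challenge is accepted; binding the response to the name of the server the client believes it is talking to (an assumed mitigation in this model, in the spirit of target binding and message signing) makes the victim's host reject it.

```python
import hashlib
import hmac
import os

# Toy challenge/response (constructed model, not the real LAN Manager algorithm):
#   response = HMAC-SHA256(shared_secret, challenge || target_name)
# target_name is empty for the unbound, 1997-style response.


def respond(secret: bytes, challenge: bytes, target: bytes = b"") -> bytes:
    """Client side: prove knowledge of `secret` for this challenge.
    `target` is the name of the server the client *believes* it is talking to."""
    return hmac.new(secret, challenge + target, hashlib.sha256).digest()


class Host:
    """Server side: issues a fresh random challenge and checks the response."""

    def __init__(self, name: bytes, secret: bytes):
        self.name, self.secret = name, secret
        self.pending = set()

    def challenge(self) -> bytes:
        c = os.urandom(8)
        self.pending.add(c)
        return c

    def verify(self, c: bytes, response: bytes, bound: bool) -> bool:
        if c not in self.pending:          # unknown or replayed challenge
            return False
        self.pending.discard(c)
        expected = respond(self.secret, c, self.name if bound else b"")
        return hmac.compare_digest(expected, response)


def relay(victim_host: Host, secret: bytes, bound: bool) -> bool:
    """The post's scenario: the rogue server opens a connection to the victim's
    host, hands that host's challenge to the victim client as its own, and
    forwards the client's reply. `secret` is used only to stand in for the
    victim client; the rogue server itself never learns it."""
    c = victim_host.challenge()            # challenge issued by the victim's host
    # Victim client answers, believing it is authenticating to "ROGUE".
    client_reply = respond(secret, c, b"ROGUE" if bound else b"")
    return victim_host.verify(c, client_reply, bound)
```

Only the unbound variant lets the host accept the forwarded reply; with binding, the client's reply names "ROGUE" while the host expects its own name.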