[29823] in bugtraq
Re: Authentication flaw in microsoft SMB protocol
daemon@ATHENA.MIT.EDU (Dave Aitel)
Sat Apr 19 12:54:01 2003
Date: Sat, 19 Apr 2003 12:11:33 -0400
From: Dave Aitel <dave@immunitysec.com>
To: bugtraq@securityfocus.com
Message-Id: <20030419121133.59d47cf2.dave@immunitysec.com>
In-Reply-To: <20030419132433.14589.qmail@www.securityfocus.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 8bit
Also found and demonstrated by dildog at defcon 3 years ago. So don't
hold your breath waiting for that patch.
Dave Aitel
Immunity, Inc.
http://www.immunitysec.com/
On 19 Apr 2003 13:24:33 -0000
<seclab@ce.aut.ac.ir> wrote:
>
> Detailed information:
> http://seclab.ce.aut.ac.ir/vreport.htm
>
> Summary
> =======
> Microsoft uses SMB Protocol for “File and Printer sharing service” in
> all versions of Windows. Upon accessing a network resource, NTLM
> Authentication is used to authenticate the client on the server. When
> a logged-in user requests a network share on the server, Windows
> automatically sends the encrypted hashed password of the logged-in
> username to the target SMB server before prompting for a password.
> Although the hashed password is not sent in plaintext format, and it
> is encrypted by the server challenge, a malicious SMB Server could use
> this information to authenticate on the client machine and in many
> cases, gain full control over the shared objects of the client such as
> C$, etc.
>
...
> Exploit
> =======
> We will publish the exploit code after a patch is created by the
> software vendor.
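The reflection the advisory describes, as an added model that is not part of the original thread or of any real SMB implementation: the challenge-response function is a stand-in HMAC, the `Host` class and `reflection_succeeds` are constructed for illustration, and the "bind the answer to the server's name" option is an assumed mitigation shown only to make clear why the victim's own answer must not be acceptable to the victim.

```python
import hashlib
import hmac
import os

# Constructed model; response() is NOT the real NTLM computation.
def response(pw_hash: bytes, challenge: bytes, binding: bytes = b"") -> bytes:
    """Client's answer to a server challenge, optionally bound to the server's name."""
    return hmac.new(pw_hash, challenge + binding, hashlib.sha256).digest()

class Host:
    """One Windows box: acts as SMB server (challenge/verify) and as client (answer)."""
    def __init__(self, name: str, password: str, bind_to_server: bool = False):
        self.name = name
        self.pw_hash = hashlib.sha256(password.encode()).digest()  # stand-in for the stored hash
        self.bind = bind_to_server   # assumed mitigation: tie the answer to the server identity
        self.pending = b""

    def issue_challenge(self) -> bytes:
        """Server side: pick a fresh random challenge for the connecting client."""
        self.pending = os.urandom(8)
        return self.pending

    def answer(self, challenge: bytes, server_name: str) -> bytes:
        """Client side: Windows sends this automatically, before any password prompt."""
        binding = server_name.encode() if self.bind else b""
        return response(self.pw_hash, challenge, binding)

    def verify(self, resp: bytes) -> bool:
        """Server side: accept the client only if its answer matches our own computation."""
        binding = self.name.encode() if self.bind else b""
        return hmac.compare_digest(resp, response(self.pw_hash, self.pending, binding))

def reflection_succeeds(victim: Host, rogue_name: str = "rogue") -> bool:
    """Rogue server opens a session back to the victim, presents the challenge the
    victim issued as its own, and replays the victim's automatic answer."""
    chal = victim.issue_challenge()           # victim as server -> rogue as client
    resp = victim.answer(chal, rogue_name)    # victim as client -> rogue as server
    return victim.verify(resp)                # victim as server checks its own answer

if __name__ == "__main__":
    print("unbound answer reflected:", reflection_succeeds(Host("ws1", "hunter2")))        # True
    print("bound answer reflected:  ", reflection_succeeds(Host("ws1", "hunter2", True)))  # False
```

With binding, the victim computes its answer for "rogue" but verifies against its own name "ws1", so the replayed answer fails while a normal login to a server of the expected name still succeeds.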