[306] in winnt


Alert: Microsoft Security Bulletin (MS99-004) - Blank Password

daemon@ATHENA.MIT.EDU (Jonathan McIndoe Hunt)
Wed Feb 10 17:01:21 1999

Date: Wed, 10 Feb 1999 16:59:06 -0500
To: ntpartners@mit.edu
From: Jonathan McIndoe Hunt <jmhunt@MIT.EDU>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hello NT Partners,

Here is a Security Issue with NT that you should know about if you are
running SP4.  I have not tried the fix since I am not running SP4. 
For more information see Microsoft's Knowledge Base article
http://support.microsoft.com/support/kb/articles/q214/8/40.asp.

Thanks,
Jonathan

>Approved-By: Russ.Cooper@RC.ON.CA
>X-Mailer: Internet Mail Service (5.5.1960.3)
>Date:         Mon, 8 Feb 1999 19:12:02 -0500
>Reply-To: Russ <Russ.Cooper@RC.ON.CA>
>Sender: Windows NT BugTraq Mailing List <NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM>
>From: Russ <Russ.Cooper@RC.ON.CA>
>Subject:      Alert: Microsoft Security Bulletin (MS99-004) - Blank Password Logins
>To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
>
>Microsoft have released a Security Bulletin
>(http://www.microsoft.com/security/bulletins/ms99-004.asp) which covers
>a potentially serious security breach created as a result of a
>LanManager client (DOS, Windows 3.1, Windows for Workgroups, OS/2, or
>Mac) being used to change a password on a Windows NT 4.0 system that has
>had SP4 applied.
>
>Due to the fact that these clients do not use an NT Hash during the
>password change process, the NT Hash is stored as a NULL value in the NT
>SAM. As a result of changes introduced with SP4, when an NT system (any
>version) connects using an account whose password was previously changed
>with a LanManager client, that system can provide a blank password and
>be authenticated.
>
>Therefore the security risk requires three distinct steps in order for
>you to be at risk;
>
>1. Your NT systems that users are logging into must be version 4.0 and
>have been updated to SP4.
>
>2. One, or more, of your users must have logged into the NT system and
>changed their password from that client.
>
>3. Someone must subsequently log into the NT system using a valid userID
>and a blank password.
>
>Obviously if your users are not logging in from DOS, Windows 3.1,
>Windows for Workgroups, OS/2, or Macs, then your NT systems are not
>compromised by this bug. However, the fix should obviously be applied to
>prevent problems in future.
>
>Microsoft have stated, in the bulletin noted above, that it is NOT
>necessary to have users change their passwords after applying the fix.
>The data is being stored correctly in the NT SAM, the problem is in the
>way NT 4.0 SP4 handles null password logins from other NT systems only
>(any version).
>
>Microsoft have prepared a KB article
><http://support.microsoft.com/support/kb/articles/q214/8/40.asp>
>describing the vulnerability. This article was available when I checked.
>
>Cheers,
>Russ - NTBugtraq moderator
>
-----BEGIN PGP SIGNATURE-----
Version: PGP Personal Privacy 6.0.2

iQA/AwUBNsIBKM/KqE8/LLXXEQI6awCeJZ1YeOX79KxH+brPH+I/2jbXnosAoPLG
lS2/PCcGWgfsz0XqKV9Xw5WY
=h5Du
-----END PGP SIGNATURE-----
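
Added example, not part of the original message or of Microsoft's bulletin: a Python audit of a pwdump-style SAM export that lists accounts holding an LM hash but no NT hash, the state the quoted bulletin attributes to password changes made from LanManager clients. The export format, the markers for an absent hash, and all sample account names and hash values are assumptions constructed for illustration.

```python
# Assumed export format (not from the page): user:rid:lmhash:nthash:::
# An absent hash is assumed to appear as an empty field, 32 zeros, or a
# "NO PASSWORD***" marker; adjust is_absent() to match your export tool.
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"  # LM hash of an empty password
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"  # NT hash of an empty password
HEX = set("0123456789abcdef")

def is_absent(field):
    f = field.strip().lower()
    return f in ("", "0" * 32) or f.startswith("no password")

def is_hash(field):
    f = field.strip().lower()
    return len(f) == 32 and set(f) <= HEX

def classify(line):
    """Return (user, status), or None for blank, comment or short lines."""
    line = line.strip()
    parts = line.split(":")
    if not line or line.startswith("#") or len(parts) < 4:
        return None
    user, _rid, lm, nt = parts[:4]
    lm_real = is_hash(lm) and not is_absent(lm) and lm.lower() != EMPTY_LM
    if is_absent(nt):
        # LM hash set but no NT hash: the state the bulletin attributes to a
        # password change made from a LanManager client.
        return user, "lm-only" if lm_real else "blank"
    if not is_hash(nt):
        return user, "unparsed"
    return user, "blank" if nt.lower() == EMPTY_NT else "ok"

def audit(text):
    """Group account names by status for every parseable line."""
    report = {"lm-only": [], "blank": [], "ok": [], "unparsed": []}
    for user, status in filter(None, map(classify, text.splitlines())):
        report[status].append(user)
    return report

# Constructed sample data: account names and hash values are made up.
SAMPLE = "\n".join([
    "# user:rid:lm:nt",
    "ntuser:1001:" + "a1" * 16 + ":" + "b2" * 16 + ":::",
    "wfwuser:1002:" + "c3" * 16 + ":NO PASSWORD*********************:::",
    "macuser:1003:" + "D4" * 16 + ":" + "0" * 32 + ":::",
    "guest:501:NO PASSWORD*********************:NO PASSWORD*********************:::",
    "broken:1004:zz:zz:::",
])

if __name__ == "__main__":
    for status, users in audit(SAMPLE).items():
        print(f"{status:9} {', '.join(users) or '-'}")
```

Accounts reported as "lm-only" are the ones to review on NT 4.0 SP4 systems until the fix described in the bulletin is applied.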

