Bugtraq mailing list archives

Re: CIFS Changes


From: pokee () MAXWELL EE WASHINGTON EDU (Aaron Spangler)
Date: Fri, 16 May 1997 14:57:35 PDT


A lot of people have been asking me about whether the new CIFS implementation
in SP3 is vulnerable.  Number one, it is not enabled by default, but even
if it were, I suspect it is just as vulnerable EVEN IF THERE IS MESSAGE
SIGNING!

I have not yet had time to test it, but here are the MS whitepapers on the
new protocol.

It does not make a difference whether signing is enabled or disabled.
Signing does not come into play until AFTER the password has been exchanged.
So the user's password can still be grabbed using a Web Site.

Excerpts taken from "CIFS-Auth" dated Mar 28 Draft 4 section 1.4,
from Microsoft's FTP Site.

1.4 Session authentication protocol

1. The client computes the session keys from the user's password,
initializes its sequence number, and sends a session negotiation request
to the server.

C:        Ks  = MD4(P(U))
          Ka = [Ks]<7>
          Kb = [Ks]<7:7>
          Kc = [Ks]<2:14>, Z(5)

Above just means the client has a Hashed NT Password.  Usually stored in the
SAM database in the registry.


C->S:     Mneg

2. The server responds with the features negotiated, and a challenge:


The server sets CS=Z(8)      (challenge is fixed to 8 bytes of zeros)
The server could even select the most secure protocols:
        NEGOTIATE_SECURITY_USER_LEVEL         ||   (not share level)
        NEGOTIATE_SECURITY_CHALLENGE_RESPONSE ||   (no plaintext passwords)
        NEGOTIATE_SECURITY_SIGNATURES_ENABLED ||   (will do the MAC thing)
        NEGOTIATE_SECURITY_SIGNATURES_REQUIRED     (insist on MAC thing)
And send it off as options to Mnegr to the client.

S->C:     Mnegr, CS

3. The client computes a response to the challenge. It computes the MAC
key, and the MAC of the message, and sends the user name, challenge
response, and session request parameters to the server.  Its message
uses a sequence number of 0, and it expects a sequence number of 1 to be
used in the response.

C:        R = {CS}Ka, {CS}Kb, {CS}Kc
          Km = Ks, R
          SN = 0
          MC = [MD5(Km, SN, Msess, U, R)]<8>
          SN = 1

C->S:     Msess, U, R, MC

Notice that the client gives R to the server; R is the same thing I have been
collecting on my web page.  Easy enough to crack.

--
Aaron Spangler                 EE Unix System Administrator
Electrical Engineering FT-10        pokee () ee washington edu
University of Washington            Phone    (206) 543-8984
Box 352500                             or    (206) 543-2523
Seattle, WA 98195-2500              Fax      (206) 543-3842
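Steps 1 and 3 of the excerpt above, worked through in code. This is an added example, not code from the post or from the Microsoft draft; it uses only Go's standard library, so the MD4 hash Ks is a constructed placeholder rather than a hash of a real password, and the draft's slice notation is read as Ka=Ks[0:7], Kb=Ks[7:14], Kc=Ks[14:16] plus five zero bytes, with each 7-byte key spread into the 8-byte DES key form.

```go
package main

import (
	"crypto/des"
	"encoding/hex"
	"fmt"
)

// Ks is the client's hashed NT password, MD4(P(U)) of step 1. Go's standard
// library has no MD4, so a constructed 16-byte placeholder stands in for it.
var Ks = []byte{0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef, 0xfe, 0xdc, 0xba, 0x98, 0x76, 0x54, 0x32, 0x10}

// desKey7 spreads 7 key bytes over the 8 DES key bytes, parity bit (LSB) clear.
func desKey7(k7 []byte) []byte {
	var acc uint64
	for _, b := range k7 {
		acc = acc<<8 | uint64(b)
	}
	k8 := make([]byte, 8)
	for i := 7; i >= 0; i-- {
		k8[i] = byte(acc<<1) & 0xfe
		acc >>= 7
	}
	return k8
}

// sessionKeys reads the excerpt's Ka=[Ks]<7>, Kb=[Ks]<7:7>, Kc=[Ks]<2:14>,Z(5)
// as Ks[0:7], Ks[7:14] and Ks[14:16] followed by five zero bytes (assumed reading).
func sessionKeys(ks []byte) [3][]byte {
	kc := append(append([]byte{}, ks[14:16]...), 0, 0, 0, 0, 0)
	return [3][]byte{ks[0:7], ks[7:14], kc}
}

// challengeResponse is step 3: R = {CS}Ka, {CS}Kb, {CS}Kc, three DES blocks (24 bytes).
// Nothing negotiated in step 2 other than CS itself enters it, signing included.
func challengeResponse(ks, cs []byte) []byte {
	r := make([]byte, 0, 24)
	for _, k := range sessionKeys(ks) {
		blk, _ := des.NewCipher(desKey7(k)) // key is always 8 bytes, so no error
		out := make([]byte, 8)
		blk.Encrypt(out, cs)
		r = append(r, out...)
	}
	return r
}

func main() {
	cs := make([]byte, 8) // CS = Z(8), the fixed all-zero challenge of step 2
	r := challengeResponse(Ks, cs)
	fmt.Println("R =", hex.EncodeToString(r)) // same R in every session while CS stays fixed
}
```

With CS fixed, R is a pure function of the hashed password, so the value sent in step 3 is the same on every connection and is not changed by whether signatures were negotiated in step 2.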
