Vulnerability Development mailing list archives
Modifying NT credential and RAZOR's analysis of dvwsrr.dll
From: core.lists.exploit-dev () CORE-SDI COM (Iván Arce)
Date: Wed, 26 Apr 2000 21:37:25 -0300
In light of Simple Nomad's post regarding the dvwsrr.dll overflow:
Date: Mon, 17 Apr 2000 16:06:37 -0500
From: Simple Nomad <thegnome () NMRC ORG>
To: BUGTRAQ () SECURITYFOCUS COM
BindView RAZOR Team Analysis of DVWSSR.DLL Risks
[snip]
5. In theory if you can get the hash of a user with the access, you can exploit the buffer overflow. This is called "passing the hash", and essentially means that you use the hash without cracking the password to authenticate to the target server. See http://www.ntbugtraq.com/default.asp?pid=36&sid=1&A2=ind9704&L=NTBUGTRAQ&P=R2734&D=0 for details from RAZOR's Paul Ashton on the basis for this technique. This technique is currently one of the stars of Foundstone's "Hacking Exposed: Live" presentations being put on by George Kurtz and Eric Schultze at security shows around the globe. Certainly in theory this could be adapted to this exploit.
The details of the above 'technique' are described in Hernan Ochoa's paper published in the Guest Feature Forum at Security Focus:
<http://www.securityfocus.com/templates/forum_message.html?forum=2&head=1512&id=1512>
(warning: the URL might be wrapped by your viewer)

It is also available at our site:
<http://www.core-sdi.com/papers/NTcred.html>

-ivan

--
"Understanding. A cerebral secretion that enables one having it to know a house from a horse by the roof on the house. Its nature and laws have been exhaustively expounded by Locke, who rode a house, and Kant, who lived in a horse." - Ambrose Bierce

==================[ CORE Seguridad de la Informacion S.A. ]=========
Iván Arce
President
PGP Fingerprint: C7A8 ED85 8D7B 9ADC 6836 B25D 207B E78E 2AD1 F65A
email: iarce () core-sdi com
http://www.core-sdi.com
Pte. Juan D. Peron 315 Piso 4 UF 17
1038 Capital Federal
Buenos Aires, Argentina.
Tel/Fax : +(54-11) 4331-5402
Casilla de Correos 877 (1000) Correo Central
=====================================================================

---
For a personal reply use iarce () core-sdi com