Bugtraq mailing list archives
Internet Explorer Bug #4
From: pokee () MAXWELL EE WASHINGTON EDU (Aaron Spangler)
Date: Fri, 14 Mar 1997 11:21:30 PST
Included below is IE Bug #4, which I would like to post. It can be found at:
http://www.ee.washington.edu/computing/iebug/

Internet Explorer Exploit #4

The exploit works for both Netscape Navigator 3.01 and Microsoft Internet Explorer 3.01 with Security Patches. (Earlier versions should work as well, but have not yet been tested.) Look below to see how it works.

**** How it Works ****

Web page that points to a Rogue SMB Server

This web page contains an embedded image (actually two). The embedded images do not reside in the same directory as this web page. In fact, they reside on an SMB Lanman server (as opposed to an HTTP server). (View the source for this HTML to get a better idea what I am talking about.) I borrowed this idea from the Last MS Internet Explorer Security Exploit (http://dec.dorm.umd.edu/).

The modified SMB Server

In order for the client to download the images, the client needs to 'logon' to the Lanman server. Windows NT seems to do this without even asking the user for confirmation. Windows NT simply forwards the username and an encrypted version of the user's password to the Lanman server. The Lanman server code has been modified slightly to record usernames and "Hashed Passwords" of the victims. Also, the code has been modified to supply the client with a *fixed* "Challenge seed value" for password encryption. (Thus making it even easier to decode the client passwords in the future.) See NT Password Dictionary Attack (nt_pw_dict_attack.txt) for where I got the Lanman server idea.

What's the big deal?

First of all, no remote web site should be able to record your username. If they do, they can compile junk email lists and sell your name. Secondly, if they have information on what your password might be, and they know what site you came from, they can gain access to your computer or local account. (Thus compromising your security with you never knowing about it.)

It is fairly easy to unencrypt an MS password via dictionary attacks if the challenge has been set to zero. Sequential-search brute force attacks work as well if you can guess what types of characters are most common in the password. Yes, it is time consuming, but if your account gets hacked, is it really worth it?

It is interesting to note that in theory someone could set up a Lanman server that makes a simultaneous connection back to the client as a connection comes in. By simply relaying the same challenge and password back to the client, the remote server could gain network access to the vulnerable client.

Did you really get my username & hashed password?

Take a look at the log so far (passout.txt). Remember, these passwords are easier to unencrypt because the challenge response is set to all zeros!

IE BUG #4, by Aaron Spangler (/staff/spangler.html)

--
Aaron Spangler                    EE Unix System Administrator
Electrical Engineering FT-10      pokee () ee washington edu
University of Washington          Phone (206) 543-8984
Box 352500                           or (206) 543-2523
Seattle, WA 98195-2500            Fax   (206) 543-3842
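As an added, defensive illustration that is not part of the original post: a small Python checker, written for this page, that scans HTML for automatically fetched references (img src and similar) pointing at a UNC path or file:// URL on another host, which is exactly what makes a Windows browser attempt an SMB logon to that host. The hostnames in the constructed sample page are placeholders.

```python
"""Flag HTML resource references that would make a browser perform an SMB
logon to a remote host: a UNC path (\\host\share\...) or a file:// URL with a
non-local host. A proxy or content filter can reject such pages."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Attributes that browsers fetch automatically, without any user click.
AUTO_FETCH_ATTRS = {"src", "background", "data"}


def is_smb_reference(url: str) -> bool:
    """True if url names a resource on another machine via SMB semantics."""
    u = url.strip()
    if u.startswith("\\\\"):                       # UNC path: \\host\share\img.gif
        host = u.lstrip("\\").split("\\")[0].split("/")[0]
        return bool(host)
    parsed = urlparse(u)
    if parsed.scheme.lower() in ("file", "smb"):   # file://host/share/img.gif
        return parsed.netloc.lower() not in ("", "localhost")
    return False


class SmbRefFinder(HTMLParser):
    """Collect (tag, url) pairs for auto-fetched attributes that hit SMB."""

    def __init__(self):
        super().__init__()
        self.hits = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if value and name.lower() in AUTO_FETCH_ATTRS and is_smb_reference(value):
                self.hits.append((tag, value))


def find_smb_references(html: str):
    parser = SmbRefFinder()
    parser.feed(html)
    return parser.hits


# Constructed sample page modelled on the report: two images served from an
# SMB host rather than the web server; hostnames are placeholders.
SAMPLE = """<html><body>
<img src="\\\\rogue-smb.example\\share\\pixel.gif">
<img src="file://rogue-smb.example/share/logo.gif">
<img src="http://www.example.org/ok.gif">
<img src="file:///C:/local/only.gif">
</body></html>"""

if __name__ == "__main__":
    for tag, url in find_smb_references(SAMPLE):
        print(f"flagged <{tag}> -> {url}")
```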