Bugtraq mailing list archives

Modifying NT credential and RAZOR's analysis of dvwsrr.dll


From: core.lists.bugtraq () CORE-SDI COM (Iván Arce)
Date: Wed, 26 Apr 2000 21:37:23 -0300


In light of Simple Nomad's post regarding the dvwsrr.dll overflow:

Date:              Mon, 17 Apr 2000 16:06:37 -0500
From:              Simple Nomad <thegnome () NMRC ORG>
To:                BUGTRAQ () SECURITYFOCUS COM


BindView RAZOR Team Analysis of DVWSSR.DLL Risks

[snip]


 5. In theory if you can get the hash of a user with the access, you can
exploit the buffer overflow. This is called "passing the hash", and
essentially means that you use the hash without cracking the password to
authenticate to the target server. See
http://www.ntbugtraq.com/default.asp?pid=36&sid=1&A2=ind9704&L=NTBUGTRAQ&P=R2734&D=0
for details from RAZOR's Paul Ashton on the basis for this technique. This
technique is currently one of the stars of Foundstone's "Hacking Exposed:
Live" presentations being put on by George Kurtz and Eric Schultze at
security shows around the globe. Certainly in theory this could be adapted
to this exploit.

The details of the above 'technique' are described in Hernan Ochoa's paper
published in the Guest Feature Forum at Security Focus:

<http://www.securityfocus.com/templates/forum_message.html?forum=2&head=1512&id=1512>

(warning: the URL might be wrapped by your viewer)

It is also available at our site:
<http://www.core-sdi.com/papers/NTcred.html>

-ivan


--
"Understanding. A cerebral secretion that enables one having it to know
 a house from a horse by the roof on the house.
 Its nature and laws have been exhaustively expounded by Locke,
 who rode a house, and Kant, who lived in a horse." - Ambrose Bierce

==================[ CORE Seguridad de la Informacion S.A. ]=========
Iván Arce
Presidente
PGP Fingerprint: C7A8 ED85 8D7B 9ADC 6836  B25D 207B E78E 2AD1 F65A
email: iarce () core-sdi com
http://www.core-sdi.com
Pte. Juan D. Peron 315 Piso 4 UF 17
1038 Capital Federal
Buenos Aires, Argentina.              Tel/Fax : +(54-11) 4331-5402
Casilla de Correos 877 (1000) Correo Central
=====================================================================

--- For a personal reply use iarce () core-sdi com
