Bugtraq mailing list archives
Modifying NT credential and RAZOR's analysis of dvwsrr.dll
From: core.lists.bugtraq () CORE-SDI COM (Iván Arce)
Date: Wed, 26 Apr 2000 21:37:23 -0300
In light of Simple Nomad's post regarding the dvwsrr.dll overflow:
Date: Mon, 17 Apr 2000 16:06:37 -0500
From: Simple Nomad <thegnome () NMRC ORG>
To: BUGTRAQ () SECURITYFOCUS COM
Subject: BindView RAZOR Team Analysis of DVWSSR.DLL Risks
[snip]
5. In theory if you can get the hash of a user with the access, you can exploit the buffer overflow. This is called "passing the hash", and essentially means that you use the hash without cracking the password to authenticate to the target server. See http://www.ntbugtraq.com/default.asp?pid=36&sid=1&A2=ind9704&L=NTBUGTRAQ&P=R2734&D=0 for details from RAZOR's Paul Ashton on the basis for this technique. This technique is currently one of the stars of Foundstone's "Hacking Exposed: Live" presentations being put on by George Kurtz and Eric Schultze at security shows around the globe. Certainly in theory this could be adapted to this exploit.
The details of the above 'technique' are described in Hernan Ochoa's paper published in the Guest Feature Forum at Security Focus:

<http://www.securityfocus.com/templates/forum_message.html?forum=2&head=1512&id=1512>

(warning: the URL might be wrapped by your viewer)

It is also available at our site:

<http://www.core-sdi.com/papers/NTcred.html>

-ivan

--
"Understanding. A cerebral secretion that enables one having it to know a house from a horse by the roof on the house. Its nature and laws have been exhaustively expounded by Locke, who rode a house, and Kant, who lived in a horse." - Ambrose Bierce

==================[ CORE Seguridad de la Informacion S.A. ]=========
Iván Arce
Presidente
PGP Fingerprint: C7A8 ED85 8D7B 9ADC 6836 B25D 207B E78E 2AD1 F65A
email: iarce () core-sdi com
http://www.core-sdi.com
Pte. Juan D. Peron 315 Piso 4 UF 17
1038 Capital Federal
Buenos Aires, Argentina.
Tel/Fax : +(54-11) 4331-5402
Casilla de Correos 877 (1000) Correo Central
=====================================================================

--- For a personal reply use iarce () core-sdi com