Bugtraq mailing list archives
Re: Authentication flaw in microsoft SMB protocol
From: Dave Aitel <dave () immunitysec com>
Date: Sat, 19 Apr 2003 12:11:33 -0400
Also found and demonstrated by dildog at defcon 3 years ago. So don't hold your breath waiting for that patch.

Dave Aitel
Immunity, Inc.
http://www.immunitysec.com/

On 19 Apr 2003 13:24:33 -0000 <seclab () ce aut ac ir> wrote:
Detailed information: http://seclab.ce.aut.ac.ir/vreport.htm

Summary
=======

Microsoft uses the SMB protocol for the File and Printer Sharing service in all versions of Windows. Upon accessing a network resource, NTLM authentication is used to authenticate the client to the server. When a logged-in user requests a network share on the server, Windows automatically sends the encrypted hashed password of the logged-in user to the target SMB server before prompting for a password. Although the hashed password is not sent in plaintext, and it is encrypted with the server challenge, a malicious SMB server could use this information to authenticate to the client machine and, in many cases, gain full control over the shared objects of the client, such as C$, etc.
...
Exploit
=======

We will publish the exploit code after a patch has been created by the software vendor.
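The flaw described above is a reflection of the challenge-response exchange: the rogue server does not need the hash, it only needs to feed the victim's own challenge back to the victim and forward the answer. The following toy model is an added illustration written for this archive page, not code from the report, from Dave Aitel, or from Microsoft. It does not speak NTLM or SMB on the wire; the NT hash, the proof and the session key are all stand-ins built from HMAC-SHA256 (real NTLM uses MD4 and HMAC-MD5), and the names `SmbHost`, `Client` and `simulate` are invented for the example. What it shows is the defender's point: the proof is bound only to the challenge, so reflecting a challenge defeats freshness, while a signing key derived from the hash is something the relay never holds, which is why message signing stops the reflected session from being useful.

```python
import hashlib
import hmac
import os

# Constructed stand-in for the NT hash (real NTLM uses MD4 over the UTF-16LE
# password). The property that matters: it is derived from the password and
# never leaves the client or the authenticating server.
def nt_hash(password: str) -> bytes:
    return hashlib.sha256(password.encode("utf-16-le")).digest()

def response_for(secret: bytes, challenge: bytes) -> bytes:
    """Challenge-response proof: keyed by the hash, bound only to the challenge."""
    return hmac.new(secret, challenge, hashlib.sha256).digest()

def session_key(secret: bytes, response: bytes) -> bytes:
    """Signing key: also keyed by the hash, so a party that saw only the response cannot derive it."""
    return hmac.new(secret, response, hashlib.sha256).digest()

def sign(key: bytes, message: bytes) -> bytes:
    return hmac.new(key, message, hashlib.sha256).digest()

class SmbHost:
    """Server side of the toy exchange: issues challenges, verifies proofs, optionally requires signing."""
    def __init__(self, name: str, user_db: dict, require_signing: bool):
        self.name = name
        self.user_db = user_db            # user -> secret (hash)
        self.require_signing = require_signing
        self.sessions = {}                # session id -> signing key, or None when signing is off

    def new_challenge(self) -> bytes:
        return os.urandom(8)

    def authenticate(self, user: str, challenge: bytes, response: bytes):
        secret = self.user_db.get(user)
        if secret is None or not hmac.compare_digest(response_for(secret, challenge), response):
            return None
        sid = os.urandom(4).hex()
        self.sessions[sid] = session_key(secret, response) if self.require_signing else None
        return sid

    def handle_request(self, sid: str, message: bytes, mac: bytes) -> bool:
        key = self.sessions[sid]
        if key is None:                   # signing not required: any request on the session is served
            return True
        return hmac.compare_digest(sign(key, message), mac)

class Client:
    """The logged-in workstation user; answers any challenge automatically, as the report describes."""
    def __init__(self, user: str, password: str):
        self.user = user
        self.secret = nt_hash(password)

    def answer(self, challenge: bytes) -> bytes:
        return response_for(self.secret, challenge)

def simulate(require_signing: bool) -> dict:
    # The victim workstation plays both roles: it is the client that connected to the rogue share,
    # and it is the target whose own shares (C$) the rogue side wants to reach.
    password = "constructed-sample-password"
    victim_host = SmbHost("WORKSTATION", {"alice": nt_hash(password)}, require_signing)
    victim_client = Client("alice", password)

    # Reflection: the rogue server opens a session back to the victim, takes the challenge the
    # victim issues, and presents that same challenge on the victim's outbound connection.
    reflected_challenge = victim_host.new_challenge()
    response = victim_client.answer(reflected_challenge)
    sid = victim_host.authenticate("alice", reflected_challenge, response)
    authenticated = sid is not None

    # A fresh challenge does not accept the captured proof: the flaw is reflection, not replay.
    replay_ok = victim_host.authenticate("alice", victim_host.new_challenge(), response) is not None

    # The rogue side holds only the response, never the hash, so the best it can do is sign with
    # the response itself. Without signing that is accepted; with signing the MAC check fails.
    request = b"READ C$ share"
    request_ok = authenticated and victim_host.handle_request(sid, request, sign(response, request))

    return {"authenticated": authenticated,
            "replay_to_fresh_challenge": replay_ok,
            "request_accepted": request_ok}

if __name__ == "__main__":
    print("signing off :", simulate(False))
    print("signing on  :", simulate(True))
```

The two runs differ only in the `require_signing` flag: the reflected authentication succeeds in both cases, because the challenge the victim answered really is the one its own server issued, but the follow-up request is only served when signing is off. That is the mitigation a defender controls today (SMB signing, and on later systems the extended protection that binds the proof to the target), independent of whether a vendor patch exists.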
Current thread:
- Authentication flaw in microsoft SMB protocol seclab (Apr 19)
- Re: Authentication flaw in microsoft SMB protocol Dave Aitel (Apr 19)
- <Possible follow-ups>
- RE: Authentication flaw in microsoft SMB protocol Jesper Johansson (Apr 22)
- Re[2]: Authentication flaw in microsoft SMB protocol 3APA3A (Apr 23)
- Re: Authentication flaw in microsoft SMB protocol Chris Wysopal (Apr 22)