Bugtraq mailing list archives

Re: Authentication flaw in Microsoft SMB protocol


From: Dave Aitel <dave () immunitysec com>
Date: Sat, 19 Apr 2003 12:11:33 -0400

Also found and demonstrated by dildog at defcon 3 years ago. So don't
hold your breath waiting for that patch.

Dave Aitel
Immunity, Inc.
http://www.immunitysec.com/ 

On 19 Apr 2003 13:24:33 -0000
<seclab () ce aut ac ir> wrote:



Detailed information:
http://seclab.ce.aut.ac.ir/vreport.htm

Summary
=======
Microsoft uses the SMB Protocol for the “File and Printer sharing service” in
all versions of Windows. Upon accessing a network resource, NTLM
Authentication is used to authenticate the client to the server. When
a logged-in user requests a network share on the server, Windows
automatically sends the encrypted hashed password of the logged-in
username to the target SMB server before prompting for a password.
Although the hashed password is not sent in plaintext format, and is
encrypted with the server challenge, a malicious SMB Server could use
this information to authenticate on the client machine and in many
cases gain full control over the shared objects of the client, such as
C$, etc.

...
Exploit
=======
We will publish the exploit code after a patch is created by the software
vendor.
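As an added illustration, not part of the original post or of the seclab advisory, here is a toy model of the exchange the advisory describes: a host whose SMB client side automatically answers any server challenge with the logged-in user's hashed credential, a malicious server that forwards the victim's own challenge back to it, and a client-side check that breaks the reflection. The keyed hash and the `Host` class are assumptions standing in for the real NTLM response computation and the real SMB implementation.

```python
import hmac
import hashlib
import secrets


def challenge_response(password_hash: bytes, challenge: bytes) -> bytes:
    """Toy stand-in for the NTLM challenge-response (assumption: HMAC-SHA256,
    not the real LM/NT scheme). What matters is that the response is bound
    to the challenge value only, not to the identity of whoever issued it."""
    return hmac.new(password_hash, challenge, hashlib.sha256).digest()


class Host:
    """One Windows-style machine: an SMB server side and an SMB client side
    that share the logged-in user's password hash (constructed model)."""

    def __init__(self, password_hash: bytes, reflection_guard: bool = False):
        self.password_hash = password_hash
        self.reflection_guard = reflection_guard
        self.issued = set()  # challenges our own server side has handed out

    # --- server side: hands out a random challenge, checks the answer ---
    def server_challenge(self) -> bytes:
        c = secrets.token_bytes(8)
        self.issued.add(c)
        return c

    def server_verify(self, challenge: bytes, response: bytes) -> bool:
        if challenge not in self.issued:
            return False
        self.issued.discard(challenge)
        expected = challenge_response(self.password_hash, challenge)
        return hmac.compare_digest(response, expected)

    # --- client side: answers a challenge without asking the user ---
    def client_answer(self, challenge: bytes):
        # Hardened client: a genuine remote server cannot know a challenge
        # we ourselves issued, so being asked to answer one means it is
        # being reflected back at us. Refuse instead of responding.
        if self.reflection_guard and challenge in self.issued:
            return None
        return challenge_response(self.password_hash, challenge)


def reflect(victim: Host) -> bool:
    """The malicious server from the advisory: rather than inventing its own
    challenge, it opens a session to the victim's server, forwards that
    challenge to the victim's client, and replays the answer it gets back."""
    c = victim.server_challenge()  # attacker connects to the victim's share
    r = victim.client_answer(c)    # victim's client auto-answers the challenge
    if r is None:
        return False               # guard tripped: nothing to replay
    return victim.server_verify(c, r)  # replayed answer logs the attacker in
```

With `reflection_guard=False` the replayed response is accepted by the victim's own server; with the guard enabled the client never produces it, while a normal client-to-server logon between two different hosts still succeeds.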
