SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   OS (Microsoft)  >   Windows Authentication Vendors:   Microsoft
Microsoft NTLM Authentication Protocol Flaw Lets Malicious SMB Servers Gain Access to Systems
SecurityTracker Alert ID:  1006608
SecurityTracker URL:  http://securitytracker.com/id/1006608
CVE Reference:   GENERIC-MAP-NOMATCH   (Links to External Site)
Date:  Apr 20 2003
Impact:   User access via network
Exploit Included:  Yes  
Version(s): All versions of Windows
Description:   A vulnerability was reported in the Microsoft NTLM Authentication implementation used by the Windows Server Message Block (SMB) protocol and other services in all Windows operating systems. A remote user acting as a malicious SMB server can gain access to a target user's shared resources.

It is reported that a remote user, acting as an SMB server, can gain access to user-level file and printer sharing services in certain cases. The remote user must entice the target user to connect to the malicious SMB server to exploit the flaw. This can reportedly be achieved in an automatic fashion by sending an HTML page that contains content hosted on the malicious SMB server to the target user (there may be other methods to get the target host to request an SMB connection).

If the target user is already logged in, the target user's host will send a request to the malicious SMB server to attempt to authenticate to that malicious SMB server. Instead of responding with a challenge, the malicious SMB server turns and acts as an SMB client and sends a request to the SMB services on the target user's host. The SMB server on the target user's host will, of course, respond with a challenge, which the malicious SMB client then sends to the malicious SMB server on behalf of the original target host. The malicious SMB server then sends the challenge back to the original target host.

At this point, the target host will perform the proper NTLM authentication steps, encrypting the password with the received challenge, sending the results back to the malicious SMB server. The malicious SMB server returns the results to the malicious SMB client, which then sends the received results to the target SMB server. The target SMB server will then successfully authenticate the malicious SMB client, giving the remote user authenticated access to the target user's shared files and printer resources.

The authors of the report indicate that they have developed exploit code but have not released the code.

Impact:   A remote user with the ability to act as a malicious SMB server can gain access to a target user's SMB shared resources with the privileges of the target user.
Solution:   No solution was available at the time of this entry.
Vendor URL:  www.microsoft.com/technet/security/ (Links to External Site)
Cause:   Authentication error

Message History:   This archive entry has one or more follow-up message(s) listed below.
(NTLMv2 Corrects the Flaw) Re: Microsoft NTLM Authentication Protocol Flaw Lets Malicious SMB Servers Gain Access to Systems
A fix released in 1998 will prevent this exploit.



 Source Message Contents

Subject:  Authentication flaw in microsoft SMB protocol




Detailed information:
http://seclab.ce.aut.ac.ir/vreport.htm

Summary
=======
versions of Windows. Upon accessing a network resource, NTLM 
Authentication is used to authenticate the client on the server. When a 
logged-in user requests for a network share on the server, Windows 
automatically sends the encrypted hashed password of the logged-in 
username to the target SMB server before prompting for password. Although 
the hashed password is not sent in plaintext format, and it is encrypted 
by the server challenge, a malicious SMB Server could use this information 
to authenticate on the client machine and in many cases, gain full control 
over the shared objects of the client such as C$, etc.

Vulnerable Systems
==================
All versions of Windows including:
Windows XP (confirmed in the lab)
Windows 2000 server/professional (confirmed in the lab)
Windows .NET server (vulnerable but not confirmed)
Windows 9x/Me (vulnerable but not confirmed)

Detail
======
SMB, which stands for Server Message Block, is a protocol for sharing 
files, printers, serial ports, and communications abstractions such as 
named pipes and mail slots between computers. Microsoft uses this Protocol 

When a logged-in user tries to connect to a remote machine network shares, 
for example \\server\myshare, windows automatically sends the login 
information of the logged-in user to the SMB server before asking any 
username or password from the user. At this step, if the authentication 
fails, Windows pops up a window and asks for a username and password.

the plaintext format of the password, nor the hashed password, which is 
stored on the SAM. In fact, the client encrypts the hashed password of the 
user by the challenge it receives from the server and then sends this data 
to the server. This data is called the NT/LM-Response. Server uses the 
locally stored hashed password and uses same way to encrypt the hashed 
password. If the result is equal to the Response sent by the client, then 
the authentication is successful. This is the way NTLM authentication 
works.

It is obvious that sniffing the Network and extracting the Challenge and 
the NT-Response could not help us to find the plaintext passwords. Some 
tools such as L0phtCrack use a brute-force attack to find the plaintext 
password. But, this way is only suitable for short and not complicated 

As mentioned earlier, windows by default sends the NT/LM-Response of the 
logged-in username to the SMB server before asking for any 
username/password. At the first glance, it does not arise any security 
risk, but by using a slightly tricky method, a malicious SMB server could 
use this information to authenticate on the client machine.

The following procedure illustrates the way an Attacking Server uses to 
gain access to a Victim Client. Although in this procedure the attack 
starts by the client request for a network share, it is possible to force 
the client to initiate this connection. As an example, by sending an HTML 
email which contains an object with the SRC attribute pointed to a 
resource on the server, the victim machine will automatically initiates 
the procedure. This procedure contains 10 steps:

1.	The client tries to connect to the Server. It sends a request to 
the attacking SMB server.
2.	Attacking SMB server receives this request, but it does not send 
its own generated challenge to the client, instead it sends a request for 
the attacking client.
3.	The attacking SMB client sends a request to the victim SMB server.
4.	The victim SMB server sends a challenge to the attacking SMB 
client.
5.	Attacking SMB client sends this challenge to the Attacking SMB 
server, and it sends it back to the victim client.
6.	The victim client receives the challenge. It encrypts the 
password, using the received challenge and sends it back to the Attacking 
Server.
7.	The Attacking server sends this response to the Attacking client.
8.	The attacking client sends the received response back to the 
victim server.
9.	The victim server receives the response.
10.	A successful authentication occurs on the victim. At this moment, 
the Attacking client has control over the victim machine.

The subtle idea behind this procedure is to request a challenge from the 
victim server and send it back to victim client whenever the victim 
requests a connection. By this way, the attacking machine could gain the 
NT/LM response of a specified user, and it sends it back to the victim to 
authenticate on victim machine.

Although this procedure is a bit complicated and exploitation requires 
full knowledge about the NTLM and SMB protocols, Open-Source 
implementations of SMB protocol make exploitation much easier. (Thanks to 
Samba).

Points
1.	The attacking machine gains a level of access as equal as the 
logged-in user privileges on the victim machine.
2.	The exploitation will fail, if the victim SMB ports (139/445) are 
closed, or the victim is behind a firewall.
most probably exploitable in various RPC services, which use NT/LM 
authentication.

Solution
========
The best way to fix this vulnerability is that the SMB client refuses the 
challenges (nonce) which are equal to challenges recently sent by SMB 
server.

Authors
=======
This vulnerability has been found and exploited by Salman Niksefat 
(salman@linux.ce.aut.ac.ir) and Haamed Gheibi (haamed@linux.ce.aut.ac.ir), 
B.S students of computer engineering at the university of Amirkabir, 
computer department, network security lab.

Exploit
=======
We will publish the exploit code after a patch be created by software 
vendor.

 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2021, SecurityGlobal.net LLC