[ISN] Exploit devastates WinNT/2K security

From: InfoSec News (isnat_private)
Date: Thu Apr 19 2001 - 13:25:48 PDT

    http://www.theregister.co.uk/content/8/18370.html
    
    By: Thomas C Greene in Washington
    Posted: 19/04/2001 at 09:03 GMT
    
    An application called SMBRelay, written by cDc's Sir Dystic, exploits
    a design flaw in the SMB (Server Message Block) protocol on Win NT/2K
    boxes, easily enabling an attacker to interpose himself between the
    client and the server.
    
    The program enables access to the server using the client's
    authentication by acting as a 'man in the middle' to both. For this
    reason it's quite difficult to defend against, unless a user blocks
    port 139 -- which is needed for NetBIOS sessions and therefore not
    practical for networked boxes -- or uses NTLMv2, which employs
    128-bit encrypted keys and eliminates LANMAN (NT LAN Manager, or NTLM)
    hashes for NT clients.
    
    However, if port 139 is available and the network is enabled without
    NTLMv2 -- a situation which probably describes hundreds of thousands
    of boxes connected to the Net -- the SMBRelay program will likely
    work.
    
    In that case, "the target's client is disconnected and the attacker
    remains connected to the target's server as whatever user the target
    is logged in as, hijacking the connection," the author explains.
    
    "SMBRelay collects the NTLM password hashes transmitted and writes
    them to hashes.txt in a format usable by L0phtcrack so the passwords
    can be cracked later."
    
    A second version of SMBRelay which works across any protocol NetBIOS
    is bound to is also available on the SMBRelay Web page cited above.
    
    Backward compatibility
    
    MS may tout itself as the world's most 'forward-looking' company and
    crown jewel of the New Economy, but its continuing support of a
    ten-year-old protocol with serious design flaws is very much about
    ancient history.
    
    "The problem is that from a marketing standpoint, Microsoft wants
    their products to have as much backward compatibility as possible; but
    by continuing to use protocols that have known issues, they continue
    to leave their customers at risk to exploitation," Sir Dystic told The
    Register.
    
    "These are, yet again, known issues that have existed since day one of
    this protocol. This is not a bug but a fundamental design flaw. To
    assume that nobody has used this method to exploit people is silly; it
    took me less than two weeks to write SMBRelay," he added.
    
    It's backward compatibility that has MS in a trap now. "NTLMv2 was
    created to address many of these issues, and if Windows came
    configured to use only NTLMv2 these would not be issues, unless the
    user knowingly opened himself up to allow communication with older
    operating systems," Sir Dystic noted.
    
    And here's an additional alarming detail: "Do not assume that because
    you have a firewall you are safe, because as soon as a host inside
    that firewall is compromised, even a UNIX or Win9x box, this method
    can be used to compromise any host that is within broadcast range, on
    the same LAN," he warns.
    
    Home users should disable NetBIOS and make sure their firewall is
    blocking traffic to and from port 139. Also, "if a box is only used as
    a workstation, disable the server service," Sir Dystic suggests.
    
    However, if for some reason it's necessary for you to use the many
    thrilling features of Windows networking without NTLMv2, then there is
    absolutely nothing you can do but pray.
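    As an added example (not part of the article or of SMBRelay), the
    following PowerShell audit script checks a Windows host for the
    conditions the article describes as leaving it exposed: NTLMv2 not
    enforced, NetBIOS over TCP/IP enabled, something listening on port
    139, and the Server service running. It assumes a current PowerShell
    with the NetTCPIP module and uses the standard LmCompatibilityLevel
    registry value as the switch for NTLMv2-only behaviour.

```powershell
# Added audit script (not from the article): reports whether this host still
# meets the conditions under which the article says SMBRelay will likely work.
# Assumption: LmCompatibilityLevel under HKLM:\SYSTEM\CurrentControlSet\Control\Lsa
# is the setting that controls whether LM/NTLMv1 responses are still sent.

function Get-SmbRelayExposure {
    $lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $level = (Get-ItemProperty -Path $lsa -Name LmCompatibilityLevel `
        -ErrorAction SilentlyContinue).LmCompatibilityLevel

    # 3 = send NTLMv2 only; 5 = additionally refuse LM and NTLMv1 from clients.
    # An unset value is treated conservatively as "not enforced".
    $ntlmv2Only = ($null -ne $level) -and ($level -ge 3)
    if ($null -eq $level) { $level = 'not set' }

    # NetBIOS over TCP/IP per IP-enabled adapter: TcpipNetbiosOptions 2 = disabled.
    $netbiosOn = Get-CimInstance Win32_NetworkAdapterConfiguration |
        Where-Object { $_.IPEnabled -and $_.TcpipNetbiosOptions -ne 2 } |
        Select-Object -ExpandProperty Description

    # Anything listening on TCP/139, the NetBIOS session service port.
    $port139 = Get-NetTCPConnection -LocalPort 139 -State Listen `
        -ErrorAction SilentlyContinue

    # The Server service (LanmanServer) is what a pure workstation can disable.
    $server = Get-Service -Name LanmanServer -ErrorAction SilentlyContinue

    [pscustomobject]@{
        LmCompatibilityLevel = $level
        SendsNtlmv2Only      = $ntlmv2Only
        NetbiosEnabledOn     = @($netbiosOn)
        Port139Listening     = [bool]$port139
        ServerServiceStatus  = if ($server) { $server.Status.ToString() } else { 'absent' }
        # Mirrors the article: port 139 reachable and NTLMv2 not enforced.
        Exposed              = (-not $ntlmv2Only) -and
                               ([bool]$port139 -or @($netbiosOn).Count -gt 0)
    }
}

Get-SmbRelayExposure | Format-List
```

    Run it in an elevated session; the Exposed field is the summary, and
    the remaining fields tell you which of the article's four remedies
    still applies.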
    
    [The SMB Man-In-The-Middle-Attack site:
    http://pr0n.newhackcity.net/~sd/smbrelay.html ]
    
    ISN is hosted by SecurityFocus.com
    



    This archive was generated by hypermail 2b30 : Fri Apr 20 2001 - 03:49:45 PDT