Also found and demonstrated by Dildog at DefCon 3 years ago. So don't
hold your breath waiting for that patch.

Dave Aitel
Immunity, Inc.
http://www.immunitysec.com/

On 19 Apr 2003 13:24:33 -0000 <seclabat_private> wrote:
>
>
> Detailed information:
> http://seclab.ce.aut.ac.ir/vreport.htm
>
> Summary
> =======
> Microsoft uses SMB Protocol for "File and Printer sharing service" in
> all versions of Windows. Upon accessing a network resource, NTLM
> Authentication is used to authenticate the client on the server. When
> a logged-in user requests a network share on the server, Windows
> automatically sends the encrypted hashed password of the logged-in
> username to the target SMB server before prompting for a password.
> Although the hashed password is not sent in plaintext format, and it
> is encrypted by the server challenge, a malicious SMB Server could use
> this information to authenticate on the client machine and in many
> cases, gain full control over the shared objects of the client such as
> C$, etc.
> ...
> Exploit
> =======
> We will publish the exploit code after a patch is created by the
> software vendor.
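The challenge reflection the quoted advisory describes, simulated in Python as an added example that is not part of the original post, of the seclab report or of Immunity's code. The model makes several assumptions: the NTLM response is computed as HMAC-MD5(password_hash, server_challenge), a simplification of NTLMv2 (NTLMv1 uses DES and NTLMv2 also mixes in a client blob); the stored password hash is SHA-256 rather than the real MD4-based NT hash, because MD4 is not reliably available in hashlib; and the host, user and password names (`ws1`, `alice`, `hunter2`, `evil-share`) are made up. The `refuse_own` switch models the kind of "did I issue this challenge myself?" check Microsoft eventually shipped for same-host reflection in MS08-068; it is a sketch of the idea, not their code.

```python
"""Simulation of NTLM challenge reflection against an SMB client.

Added illustration only.  Assumptions: HMAC-MD5 stands in for the real
NTLM response computation, SHA-256 stands in for the MD4-based NT hash,
and all names are invented.
"""
import hashlib
import hmac
import os


def password_hash(password: str) -> bytes:
    """Stand-in for the NT hash (really MD4 over the UTF-16LE password)."""
    return hashlib.sha256(password.encode("utf-16le")).digest()


def ntlm_response(pw_hash: bytes, challenge: bytes) -> bytes:
    """Simplified NTLM response: a keyed MAC of the server's challenge.

    The response never reveals the hash, but any server holding the same
    hash will accept it, which is exactly what lets an attacker relay it.
    """
    return hmac.new(pw_hash, challenge, hashlib.md5).digest()


class SmbHost:
    """One Windows box acting as SMB server (its own shares) and SMB client."""

    def __init__(self, name: str, user: str, password: str):
        self.name = name
        self.user = user
        self.pw_hash = password_hash(password)
        self.outstanding = {}  # challenge -> peer name, for sessions we serve
        self.sessions = []     # (user, peer) pairs the server side accepted

    # ---- server side ----
    def server_challenge(self, peer: str) -> bytes:
        """Negotiate step: hand a fresh 8-byte challenge to a connecting peer."""
        challenge = os.urandom(8)
        self.outstanding[challenge] = peer
        return challenge

    def server_verify(self, user: str, challenge: bytes, response: bytes) -> bool:
        """Session setup step: accept the response if it matches our hash."""
        if challenge not in self.outstanding:
            return False
        peer = self.outstanding.pop(challenge)
        expected = ntlm_response(self.pw_hash, challenge)
        if user != self.user or not hmac.compare_digest(expected, response):
            return False
        self.sessions.append((user, peer))
        return True

    # ---- client side ----
    def client_answer(self, challenge: bytes, refuse_own: bool = False):
        """Answer a challenge with the logged-in user's credentials.

        As the advisory describes, the client does this automatically, before
        any password prompt.  With refuse_own=True the host declines to answer
        a challenge it issued itself and still has outstanding (a sketch of
        the MS08-068 style check, not Microsoft's code).
        """
        if refuse_own and challenge in self.outstanding:
            return None
        return self.user, ntlm_response(self.pw_hash, challenge)


def reflect(victim: SmbHost, attacker: str = "evil-share",
            refuse_own: bool = False) -> bool:
    """Malicious SMB server bouncing the victim's own challenge back at it."""
    # 1. The victim's client is lured to the attacker's share (UNC link,
    #    embedded image, ...) and now expects a challenge from the attacker.
    # 2. Before answering, the attacker connects to the victim's own SMB
    #    server (e.g. to open C$) and obtains a challenge from it.
    challenge = victim.server_challenge(peer=attacker)
    # 3. The attacker hands that very challenge to the victim's client.
    answer = victim.client_answer(challenge, refuse_own=refuse_own)
    if answer is None:
        return False
    user, response = answer
    # 4. The attacker replays the client's response to the victim's server
    #    and, if accepted, holds a session there as the logged-in user.
    return victim.server_verify(user, challenge, response)


if __name__ == "__main__":
    box = SmbHost("ws1", "alice", "hunter2")
    print("reflection succeeds:", reflect(box))
    box = SmbHost("ws1", "alice", "hunter2")
    print("with own-challenge check:", reflect(box, refuse_own=True))
```

The point the simulation makes is that nothing in the response ties it to the server the client thought it was talking to: the same bytes satisfy the victim's own server because the victim's server and the victim's client share one password hash. SMB signing, which binds the session key to the traffic, and refusing to answer one's own outstanding challenges are the two usual answers; the simulation shows only the second.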
This archive was generated by hypermail 2b30 : Sat Apr 19 2003 - 09:50:06 PDT