Re: CIFS Changes

Aaron Spangler (pokee@MAXWELL.EE.WASHINGTON.EDU)
Fri, 16 May 1997 14:57:35 -0700 (PDT)

A lot of people have been asking me about whether the new CIFS implementation
in SP3 is vulnerable. Number one, it is not enabled by default, but even
if it were, I suspect it is just as vulnerable EVEN IF THERE IS MESSAGE
SIGNING!

I have not yet had time to test it, but here is the MS whitepaper on the
new protocol.

It does not make a difference whether signing is enabled or disabled.
Signing does not come into play until AFTER the password has been exchanged.
So the user's password can still be grabbed using a Web Site.

> Excerpts taken from "CIFS-Auth" dated Mar 28 Draft 4 section 1.4
> From Microsoft's FTP Site.
>
> 1.4 Session authentication protocol
>
> 1. The client computes the session keys from the user's password,
> initializes its sequence number, and sends a session negotiation request
> to the server.
>
> C: Ks = MD4(P(U))
> Ka = [Ks]<7>
> Kb = [Ks]<7:7>
> Kc = [Ks]<2:14>, Z(5)

Above just means the client has a Hashed NT Password. Usually stored in the
SAM database in the registry.

>
> C->S: Mneg
>
> 2. The server responds with the features negotiated, and a challenge:
>

The server sets CS=Z(8) (challenge is fixed to 8 bytes of zeros)
The server could even select the most secure protocols:
NEGOTIATE_SECURITY_USER_LEVEL || (not share level)
NEGOTIATE_SECURITY_CHALLENGE_RESPONSE || (no plaintext passwords)
NEGOTIATE_SECURITY_SIGNATURES_ENABLED || (will do the MAC thing)
NEGOTIATE_SECURITY_SIGNATURES_REQUIRED (insist on MAC thing)
And send it off as options to Mnegr to the client.

> S->C: Mnegr, CS
>
> 3. The client computes a response to the challenge. It computes the MAC
> key, and the MAC of the message, and sends the user name, challenge
> response, and session request parameters to the server. Its message
> uses a sequence number of 0, and it expects a sequence number of 1 to be
> used in the response.
>
> C: R = {CS}Ka, {CS}Kb, {CS}Kc
> Km = Ks, R
> SN = 0
> MC = [MD5(Km, SN, Msess, U, R)]<8>
> SN = 1
>
> C->S: Msess, U, R, MC

Notice that the client gives R to the server. R is the same thing I have been
collecting on my web page. Easy enough to crack.

--
Aaron Spangler                 EE Unix System Administrator
Electrical Engineering FT-10        pokee@ee.washington.edu
University of Washington            Phone    (206) 543-8984
Box 352500                             or    (206) 543-2523
Seattle, WA 98195-2500              Fax      (206) 543-3842