Re: NT4.0 SP3 Still vulnerable

Aaron Spangler (pokee@MAXWELL.EE.WASHINGTON.EDU)
Fri, 16 May 1997 11:46:59 -0700 (PDT)

> From: "Rubens Kuhl Jr." <rkuhljr@pueridomus.br>
> To: <BUGTRAQ@NETSPACE.ORG>
> Cc: "Aaron Spangler" <pokee@maxwell.ee.washington.edu>
> Subject: Re: NT4.0 SP3 Still vulnerable
>
> If this bug wasn't corrected in IE 3.02, which bug has been corrected in IE
> 3.02 that was not available as a fix to IE 3.01?

IE 3.01 with all the patches is exactly the same as 3.02 (the patches
were just integrated. That's all.)

> It seems that SMB/CIFS designers still don't believe that it is possible to
> get passwords this way. Enhancements are targeting only the security of
> CIFS servers, not the client side.

It is correct that they have only been beefing up security on the server
side. However, most of the recent posts attack the client.

I spoke with Paul Leech (one of the CIFS designers) on the phone a couple
of weeks ago. He agrees the most recently posted CIFS with message
signing still does not protect against a rogue server getting the
user's password. However, he says that future versions might be able to
negotiate to have the client and server be able to choose a more random
challenge. (However, to be backward compatible, the server can still
force-feed the challenge if the server chooses the right compatibility
options on startup.)

Also, Paul said that future CIFS requests from NT as a client will still
contain the old broken Lanman hash! He says he can't get rid of it because
many Win 95 clients ONLY speak the Lanman hash. I asked him why he can't
make an NT box only give the NT hash. He said, well, what if the NT box
connected to a Win95 server?

So it looks like they won't fix this for quite some time!

> I know, and this makes this bug worse. The only possible fix to such a bug
> is a browser fix, to be requested every day to Microsoft...

I have sent email to MS since day one! They first told me it was a
non-issue. Now they are just ignoring my requests.

> Rubens Kuhl Jr.

Thanks Rubens.

One further note to all:

For those who contact secure@microsoft.com, make sure your email is
professional and friendly. After all, we are not trying to rag on Microsoft,
we are simply trying to build a more secure product so more of us can run it!

- Aaron

--
Aaron Spangler                 EE Unix System Administrator
Electrical Engineering FT-10        pokee@ee.washington.edu
University of Washington            Phone    (206) 543-8984
Box 352500                             or    (206) 543-2523
Seattle, WA 98195-2500              Fax      (206) 543-3842
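The weakness Aaron describes is that the CIFS client computes its response over a challenge the server alone chooses, so a rogue server can force a constant one. The following is an added example, not code from this post or from any CIFS implementation: HMAC-SHA256 stands in for the real DES-based LanMan/NT response function, the password and wordlist are constructed, and only the protocol shape is modelled, contrasting the server-only challenge with the client-nonce variant the designers discussed.

```python
import hashlib
import hmac
import os

# Stand-in for the client's stored password hash (constructed; the real
# protocol uses the LanMan and NT hashes, which are not reproduced here).
def password_hash(password: str) -> bytes:
    return hashlib.sha256(password.encode("utf-16-le")).digest()

# Original CIFS shape: the response is a function of the hash and a
# challenge chosen entirely by the server.
def response_server_challenge(pw_hash: bytes, challenge: bytes) -> bytes:
    return hmac.new(pw_hash, challenge, hashlib.sha256).digest()

# Shape of the proposed fix: the client mixes in its own random nonce, so
# the server alone can no longer fix the value the response covers.
def response_with_client_nonce(pw_hash: bytes, challenge: bytes,
                               client_nonce: bytes) -> bytes:
    return hmac.new(pw_hash, challenge + client_nonce, hashlib.sha256).digest()

FORCED_CHALLENGE = bytes(8)  # a rogue server "force-feeds" a constant value

def precomputed_lookup(observed: bytes, candidates):
    """Risk model: with a constant challenge, responses for a wordlist can be
    computed once, before any client connects, and an observed response is
    then a plain table lookup. Returns the matching candidate or None."""
    table = {response_server_challenge(password_hash(c), FORCED_CHALLENGE): c
             for c in candidates}
    return table.get(observed)

def demo():
    pw_hash = password_hash("Summer97")  # constructed sample password
    # Two separate sessions against the rogue server yield identical responses.
    r1 = response_server_challenge(pw_hash, FORCED_CHALLENGE)
    r2 = response_server_challenge(pw_hash, FORCED_CHALLENGE)
    # Same forced challenge, but the client contributes a fresh nonce each time.
    n1 = response_with_client_nonce(pw_hash, FORCED_CHALLENGE, os.urandom(8))
    n2 = response_with_client_nonce(pw_hash, FORCED_CHALLENGE, os.urandom(8))
    return {
        "server_only_repeats": r1 == r2,
        "with_nonce_repeats": n1 == n2,
        "lookup_hit": precomputed_lookup(r1, ["password", "Summer97", "letmein"]),
    }

if __name__ == "__main__":
    print(demo())
```

The client nonce only removes the precomputation advantage; a rogue server that records the exchange can still guess passwords against it offline, which is why the post's concern about the weak Lanman hash still applies.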