Also found and demonstrated by dildog at defcon 3 years ago. So don't hold your breath waiting for that patch.

Dave Aitel
Immunity, Inc.
http://www.immunitysec.com/

On 19 Apr 2003 13:24:33 -0000 <seclab@ce.aut.ac.ir> wrote:
>
> Detailed information:
> http://seclab.ce.aut.ac.ir/vreport.htm
>
> Summary
> =======
> Microsoft uses SMB Protocol for "File and Printer sharing service" in
> all versions of Windows. Upon accessing a network resource, NTLM
> Authentication is used to authenticate the client on the server. When
> a logged-in user requests a network share on the server, Windows
> automatically sends the encrypted hashed password of the logged-in
> username to the target SMB server before prompting for a password.
> Although the hashed password is not sent in plaintext format, and it
> is encrypted by the server challenge, a malicious SMB Server could use
> this information to authenticate on the client machine and in many
> cases, gain full control over the shared objects of the client such as
> C$, etc.
> ...
> Exploit
> =======
> We will publish the exploit code after a patch is created by the software
> vendor.
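The exchange the quoted report describes, worked through as an added example in Python; this is not code from the original post, from Immunity or from the seclab report, whose exploit was never published here. The host names, account and password are constructed, and the hash and response functions are deliberate stand-ins for the real NTLM primitives (MD4 and DES/HMAC-MD5): the only property the attack needs is that the response is a function of the stored hash and the server's challenge, so whoever picks the challenge gets a usable response without learning the hash. The hardened client check at the end goes beyond the report and is one illustrative way to break the loop, not a description of any vendor patch.

```python
import hashlib
import hmac
import os


def derive_secret(password: str) -> bytes:
    """Stand-in for the stored NT hash (real NTLM uses MD4 of the UTF-16LE password)."""
    return hashlib.sha256(password.encode("utf-16-le")).digest()


def compute_response(secret: bytes, challenge: bytes) -> bytes:
    """Stand-in for the NTLM response to an 8-byte server challenge.

    Real NTLMv1 derives it with DES from the hash, NTLMv2 with HMAC-MD5 over
    the challenge plus client data; what matters here is that it is
    f(hash, challenge) and is what the report calls the "encrypted hashed password".
    """
    return hmac.new(secret, challenge, hashlib.md5).digest()


class ReflectionDetected(Exception):
    """Raised by a hardened client that is handed one of its own challenges."""


class Host:
    """A Windows-like machine running both an SMB server (its shares) and an SMB client."""

    def __init__(self, name: str, username: str, password: str, hardened: bool = False):
        self.name = name
        self.username = username
        self.secret = derive_secret(password)
        self.hardened = hardened
        self.outstanding = set()  # challenges our server side issued and has not yet consumed

    # --- server side: guards the shares (C$, ADMIN$, ...) ---
    def server_challenge(self) -> bytes:
        challenge = os.urandom(8)
        self.outstanding.add(challenge)
        return challenge

    def server_verify(self, username: str, challenge: bytes, response: bytes) -> bool:
        if challenge not in self.outstanding:
            return False  # stale, or never issued by us
        self.outstanding.discard(challenge)  # one challenge, one attempt
        if username != self.username:
            return False
        expected = compute_response(self.secret, challenge)
        return hmac.compare_digest(expected, response)

    # --- client side: what the logged-in user's session does on its own ---
    def client_respond(self, challenge: bytes):
        """Answer a remote server's challenge with the logged-in user's credentials.

        As the report says, Windows does this automatically, before any password
        prompt.  The hardened variant (illustrative check, not a vendor patch)
        refuses when the challenge is one this machine's own server side handed
        out: a genuine remote server cannot know that value.
        """
        if self.hardened and challenge in self.outstanding:
            raise ReflectionDetected(f"{self.name} was asked to answer its own challenge")
        return self.username, compute_response(self.secret, challenge)


def honest_session(client: Host, server: Host) -> bool:
    """Normal flow: the client authenticates to a server that knows the same account."""
    challenge = server.server_challenge()
    username, response = client.client_respond(challenge)
    return server.server_verify(username, challenge, response)


def reflection_attack(victim: Host) -> bool:
    """The report's attack: the rogue server is the attacker, the target is the victim itself.

    The attacker never learns victim.secret; it only forwards bytes in both directions.
    """
    # 1. The victim's client connects to the attacker's rogue SMB server (e.g. a
    #    UNC path in a page or mail) and waits for a challenge.
    # 2. Before answering, the attacker opens its own SMB session to the victim's
    #    server side and collects the challenge the victim issues.
    challenge = victim.server_challenge()
    try:
        # 3. The attacker hands the victim's own challenge back to the victim's
        #    client, which answers with the logged-in user's credentials.
        username, response = victim.client_respond(challenge)
    except ReflectionDetected:
        return False
    # 4. The attacker relays that response to the victim's server side, which
    #    accepts it: a correct response, for its own challenge, from a valid
    #    local account.  The attacker now has that user's access to C$ etc.
    return victim.server_verify(username, challenge, response)


if __name__ == "__main__":
    # Constructed sample hosts and account; not real credentials.
    ws = Host("WORKSTATION", "alice", "s3cret-sample")
    fs = Host("FILESRV", "alice", "s3cret-sample")
    print("honest login WORKSTATION -> FILESRV:", honest_session(ws, fs))
    print("reflection against unpatched host:", reflection_attack(ws))
    print("reflection against hardened host:", reflection_attack(Host("WORKSTATION", "alice", "s3cret-sample", hardened=True)))
```

Run it as-is to see the honest session succeed, the reflection succeed against the unpatched host, and fail against the hardened one. Note that the check in `client_respond` only stops a server from bouncing a challenge back to the very machine that issued it; relaying the same client's response to a third host with the same account is a different problem that this check does not address.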