Dear Alexandr Polyakov,

AFAIK, SMB NTLM relaying was closed with MS08-068 and Kerberos was never possible to relay. Are you sure authentication is really possible with patched Windows systems?

--Monday, April 25, 2011, 12:21:57 PM, you wrote to bugtraq@xxxxxxxxxxxxxxxxx:

AP> Digital Security Research Group [DSecRG] Advisory #DSECRG-11-018
AP>
AP> Application: Kaspersky Administration Kit
AP> Versions Affected: from 6.0
AP> Vendor URL: http://www.kaspersky.com
AP> Bug: Design flaw
AP> Exploits: YES
AP> Reported: 22.01.2011
AP> Vendor response: 22.01.2011
AP> Solution: disable IP scan
AP> Date of Public Advisory: 14.03.2011
AP> Authors: Alexey Sintsov of Digital Security Research Group [DSecRG]
AP>
AP> Description
AP> ***********
AP>
AP> The service account used by Kaspersky Administration Kit and its
AP> functionality make an attack on other hosts in a corporate network possible.
AP>
AP> Details
AP> *******
AP>
AP> A function called "Scan IP subnets" is enabled by default in Kaspersky Administration Kit 6.
AP> This function performs an ICMP scan and also tries to use the SMB
AP> protocol with the service account, which can be
AP> used to run an SMBRelay attack and gain full control of a secured
AP> network. By default "Scan IP subnets"
AP> scans the subnet every 7 hours. The attacker just needs to run an
AP> SMBRelay tool and wait. The attack is possible
AP> because the Kaspersky service account has administrative rights on hosts in the corporate network.
AP> This means that an attacker can attack any server or workstation
AP> where this service account has rights.
AP>
AP> Fix Information
AP> ***************
AP>
AP> 1) Do not start the Administration Server service under a Domain Administrator account
AP> or a domain account that is a member of the local Administrators group on other hosts.
AP> 2) Disable "Scan IP subnets"
AP> http://support.kaspersky.com/faq/?qid=208284121
AP>
AP> References
AP> *********
AP>
AP> http://dsecrg.ru/pages/vul/show.php?id=318
AP> http://dsecrg.blogspot.com/2011/03/smbrelay-bible-4-smbrelay-with-no.html
AP>
AP> About DSecRG
AP> *******
AP>
AP> The main mission of DSecRG is to conduct research on business
AP> critical systems such as ERP, CRM, SRM, BI, SCADA, banking software
AP> and others. The result of this work is then integrated into the ERPSCAN
AP> security scanner. Being on the top edge of ERP and SAP security,
AP> DSecRG research helps to improve the quality of ERPSCAN consulting
AP> services and protects you from the latest threats.
AP>
AP> Contact: research [at] dsecrg [dot] com
AP> http://www.dsecrg.com
AP>
AP> About ERPScan
AP> *******
AP>
AP> ERPScan is an innovative company engaged in the research of ERP
AP> security and develops products for ERP system security assessment.
AP> Apart from this the company renders consulting services for secure
AP> configuration, development and implementation of ERP systems, and
AP> conducts comprehensive assessments and penetration testing of custom
AP> solutions.
AP>
AP> Our flagship products are "ERPScan Security Scanner for SAP"
AP> and the service "ERPScan Online", which can help customers perform
AP> automated security assessments and compliance checks for SAP
AP> solutions.
AP>
AP> "ERPScan Security Scanner for SAP" is an innovative product for
AP> integrated assessment of SAP platform security and standards
AP> compliance.
AP>
AP> Contact: info [at] erpscan [dot] com
AP> http://www.erpscan.com
AP>
AP> Polyakov Alexandr.
AP> PCI QSA, PA-QSA
AP> CTO Digital Security
AP> Head of DSecRG
AP> ______________________
AP> DIGITAL SECURITY
AP> phone: +7 812 703 1547
AP>        +7 812 430 9130
AP> e-mail: a.polyakov@xxxxxxx
AP> www.dsec.ru
AP> www.dsecrg.com www.dsecrg.ru
AP> www.erpscan.com www.erpscan.ru
AP> www.pcidssru.com www.pcidss.ru
AP>
AP> -----------------------------------
AP> This message and any attachment are confidential and may be
AP> privileged or otherwise protected from disclosure. If you are not
AP> the intended recipient any use, distribution, copying or disclosure
AP> is strictly prohibited. If you have received this message in
AP> error, please notify the sender immediately either by telephone or
AP> by e-mail and delete this message and any attachment from your
AP> system. Correspondence via e-mail is for information purposes only.
AP> Digital Security neither makes nor accepts legally binding
AP> statements by e-mail unless otherwise agreed.
AP> -----------------------------------

--
Skype: Vladimir.Dubrovin
~/ZARAZA
http://securityvulns.com/
Trouble will start at eight. (Twain)
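An added example, not part of the thread and not code from DSecRG or Kaspersky: a detection check a practitioner could run over Windows security logs to spot the relay scenario the quoted advisory describes. When the scanner's SMB authentication is relayed, the target host records a successful network (type 3) NTLM logon for the Administration Kit service account, but the recorded client address is the attacker's host rather than the Administration Server. The record format below is a constructed simplification of the event 4624 fields; the service account name, the Administration Server address and the sample events are assumptions for the example.

```python
"""
Flag NTLM network logons (Windows event 4624, logon type 3) for the
Kaspersky Administration Kit service account whose source address is not
the Administration Server.  Under an SMB relay the relayed credentials
reach the target from the attacker's host, so the source address on the
target's 4624 event is the tell.

The records below are a constructed 'key=value|key=value' simplification
of 4624 fields; account name, server address and events are assumptions.
"""
from dataclasses import dataclass
from typing import Iterable, List

# Assumed values for the example (not taken from the advisory).
KAK_SERVICE_ACCOUNT = "CORP\\svc-kaspersky"
ADMIN_SERVER_IPS = {"10.0.0.5"}


@dataclass(frozen=True)
class LogonEvent:
    host: str           # computer that logged the event
    event_id: int       # 4624 = successful logon, 4625 = failed logon
    logon_type: int     # 3 = network logon (SMB and similar)
    auth_package: str   # "NTLM", "Kerberos" or "Negotiate"
    account: str        # DOMAIN\\user
    source_ip: str      # client address as recorded by the target


def parse_event(line: str) -> LogonEvent:
    """Parse one constructed 'key=value|...' record into a LogonEvent."""
    fields = dict(part.split("=", 1) for part in line.split("|"))
    return LogonEvent(
        host=fields["host"],
        event_id=int(fields["event_id"]),
        logon_type=int(fields["logon_type"]),
        auth_package=fields["auth_package"],
        account=fields["account"],
        source_ip=fields["source_ip"],
    )


def is_suspect_relay(ev: LogonEvent) -> bool:
    """True for a successful NTLM network logon of the service account
    arriving from a machine that is not the Administration Server, which
    is what a relayed authentication looks like on the target host."""
    return (
        ev.event_id == 4624
        and ev.logon_type == 3
        and ev.auth_package.upper() == "NTLM"
        and ev.account.lower() == KAK_SERVICE_ACCOUNT.lower()
        and ev.source_ip not in ADMIN_SERVER_IPS
    )


def find_suspect_logons(lines: Iterable[str]) -> List[LogonEvent]:
    """Return the events in 'lines' that match the relay pattern."""
    return [ev for ev in map(parse_event, lines) if is_suspect_relay(ev)]


# Constructed sample events (not real logs).  The first is the legitimate
# subnet scan from the Administration Server; the third is what a relay
# through an attacker host at 10.0.0.77 would look like on the file server.
SAMPLE_EVENTS = [
    "host=WS01|event_id=4624|logon_type=3|auth_package=NTLM|account=CORP\\svc-kaspersky|source_ip=10.0.0.5",
    "host=WS01|event_id=4624|logon_type=3|auth_package=Kerberos|account=CORP\\alice|source_ip=10.0.0.21",
    "host=FS01|event_id=4624|logon_type=3|auth_package=NTLM|account=CORP\\svc-kaspersky|source_ip=10.0.0.77",
    "host=FS01|event_id=4625|logon_type=3|auth_package=NTLM|account=CORP\\svc-kaspersky|source_ip=10.0.0.77",
]

if __name__ == "__main__":
    for ev in find_suspect_logons(SAMPLE_EVENTS):
        print(f"suspect relay: {ev.account} -> {ev.host} from {ev.source_ip}")
```

In a real deployment the same check is run against the IpAddress, LogonType, AuthenticationPackageName and TargetUserName fields of event 4624 collected from every host, with the allow-list holding the Administration Server's real addresses. The rule fires regardless of what group the service account belongs to, so it remains useful after the advisory's first mitigation has been applied.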