azbil

Japanese

English

GO to the azbil Global Site

The photo of a boy and his father who are looking at the screen of pc. Products Company Research In The Media Contact

 

 

Automatically passing NTLM authentication credentials on Windows XP


Windows XP will perform NTLM authentication when connecting to a remote SMB server. This could allow a malicious user to obtain your NTLM authentication credentials without your knowledge.


A malicious user could exploit this behavior by putting a normal Microsoft Word document on a normal IIS and running a rogue SMB server on the same machine. After opening the document (just close it), an XP client with WebClient service would attempt to initiate a SMB session to the server - automatically passing NTLM authentication credentials to the malicious server's owner.


Disable WebClient service at your own risk.


My test environment:

Server: www.xxx.yyy

  • Windows 2000 server with IIS 5.0 by default
  • Place zzz.doc in wwwroot\test folder.

Client:

  • Windows XP SP1 with Microsoft Office 2000 SP3 or 2002 SP3, and Windows XP SP2 with Microsoft Office 2002 SP3
  • Access http://www.xxx.yyy/test/zzz.doc with Internet Explorer and open with Microsoft Word plug-in.
  • Close it or access another page. Then Windows XP will attempt to access \\www.xxx.yyy\test via SMB.
  • Confirm that a shortcut to \\www.xxx.yyy\test is placed in My Network Places.

(Sep. 2004)


For your reference:

Rainbow tables for NTLM authentication not hashes
http://www.securityfocus.com/archive/1/375137


Additional information about throwing a fixed challenge with SMBRelay; the last part of
http://www.securityfriday.com/tools/NBTdeputy.html


This is how to "Prevent Network Share Shortcuts from Being Added to My Network Places" but does NOT resolve this problem.
Microsoft Knowledge Base Article - 242578


Similar vulnerability
MS00-067
MS01-001


img src="file://\\www.xxx.yyy\test" is also still alive after 7 years

 

 



SecurityFriday TM

(C)Azbil SecurityFriday Co., Ltd. All rights reserved.