Bugtraq mailing list archives
Re: Internet Explorer Bug #4
From: dominique.brezinski () CYBERSAFE COM (Dominique Brezinski)
Date: Fri, 14 Mar 1997 18:29:24 -0800
At 11:21 AM 3/14/97 PST, Aaron Spangler wrote: [snip]
****How it Works******
[snip]
The modified SMB Server
In order for the client to download the images, the client needs to 'logon' to the Lanman server. Windows NT seems to do this without even asking the user for confirmation. Windows NT simply forwards the username and encrypted version of the user's password to the Lanman server. The Lanman server code has been modified slightly to record Usernames and "Hashed Passwords" of the victims. Also the code has been modified to supply the client with a *fixed* "Challenge seed value" for password encryption. (Thus making it even easier to decode the client passwords in the future.) See NT Password Dictionary Attack (nt_pw_dict_attack.txt) for where I got the Lanman server idea.
Let us clarify *exactly* what is being sent here: the modified SMB server sends a null challenge to the client in a NEG_PROT_RESPONSE message, the client encrypts (DES by the CIFS spec) the null challenge using a hash of the user's password (MD4 and/or DES encrypts a known string using a derivation of the password string as the key to obtain an OWF effect) and sends it in a SMB_SESSION_SETUP_AND_X. The dictionary attack is quite possible, but here are the steps that need to be taken: each entry in the dictionary needs to be hashed using one of the two algorithms mentioned, the null challenge encrypted with the hash as the key, and the result compared against the challenge response the client sent in the SMB_SESSION_SETUP_AND_X.
What's the big deal? First of all, no remote web site should be able to record your username. If they do, then they can compile junk email lists and sell your name. Secondly, if they have information on what your password might be, and they know what site you came from, they can gain access to your computer or local account. (Thus compromising your security with you never knowing about it.) It is fairly easy to unencrypt a MS password if the challenge has been set to zero via dictionary attacks. Sequential search brute force attacks work as well if you can guess what types of characters are most common in the password. Yes, it is time consuming, but if your account gets hacked, is it really worth it?
A sequential brute force attack would be akin to brute forcing DES, a non-trivial task. I have been playing the lottery by trying to brute force the RSA DES challenge on my machine; it has been running for weeks and has covered a trivial portion (hundreds of millions of keys!) of the key space. Basically the "sequential search" attack Aaron mentions (by narrowing the key space by limiting the character set) could be all alpha and numeric combinations (62 possible characters) for an eight char password and it would take about 90 days on my P133 (a P133 will do about 490,000 DES crypts a second, plus there is some overhead for the hashing, pick MD4 here!) to go through the key space. So, an average attack would take 45 days to recover a password that was only alpha (upper and lower) and numeric.
It is interesting to note that in theory someone could set up a Lanman server that makes a simultaneous connection back to the client as a connection comes in. By simply relaying the same challenge and password back to the client, the remote server could gain network access to the vulnerable client.
This is false. When establishing the connection back to the client machine, the client will issue its own challenge to the server, so this will not work. It *is* interesting to note that if the server claimed to not support encrypted passwords (SMB dialect sub LanMan 2.x), the client application will prompt the user for a user name and password. If the user is stupid enough to enter the info, the NT or Win95 machine will happily send it plaintext to the server! Doh!
Did you really get my username & hashed password?
Take a look at the log so far (passout.txt). Remember these passwords are easier to unencrypt because the challenge response is set to all zeros!
IE BUG #4, by Aaron Spangler
--
Aaron Spangler, EE Unix System Administrator
Electrical Engineering FT-10, pokee () ee washington edu
University of Washington, Phone (206) 543-8984
Box 352500, or (206) 543-2523
Seattle, WA 98195-2500, Fax (206) 543-3842
Dominique Brezinski
____________________________________________________
My opinions expressed here, and in any public forum, are my own and do not represent those of my employer or its clients. I am an individual, and I will retain those rights of free speech granted to me, regardless of my employment status.
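
The effect of the fixed null challenge discussed in this message, as an added example that is not part of the original post: a toy Python model showing that a fixed challenge turns the client's response into a constant per password, plus a defender-side check that flags null or repeated challenges. HMAC-SHA256 stands in for the DES/MD4 construction (an assumption so the block runs on the standard library; it is not the CIFS algorithm), and every function, class and host name here is hypothetical.

```python
import hashlib
import hmac
import os

NULL_CHALLENGE = bytes(8)  # all-zero challenge, as sent by the modified server


def password_owf(password: str) -> bytes:
    # Stand-in for the one-way password hash (the real scheme uses MD4/DES).
    return hashlib.sha256(password.encode("utf-8")).digest()


def client_response(password: str, challenge: bytes) -> bytes:
    # Stand-in for "encrypt the challenge using the hash as the key".
    return hmac.new(password_owf(password), challenge, hashlib.sha256).digest()


def responses_over_sessions(password, challenges):
    """Responses one client would send across several logons."""
    return [client_response(password, c) for c in challenges]


class ChallengeAudit:
    """Defender-side check over observed (server, challenge) pairs."""

    def __init__(self):
        self._seen = {}  # server name -> challenges already observed

    def findings(self, server: str, challenge: bytes) -> list:
        out = []
        if not any(challenge):
            out.append("null challenge")
        if challenge in self._seen.setdefault(server, set()):
            out.append("repeated challenge")
        self._seen[server].add(challenge)
        return out


if __name__ == "__main__":
    pw = "constructed-sample-password"  # constructed sample value
    fixed = responses_over_sessions(pw, [NULL_CHALLENGE] * 3)
    fresh = responses_over_sessions(pw, [os.urandom(8) for _ in range(3)])
    print("fixed challenge, distinct responses:", len(set(fixed)))
    print("fresh challenges, distinct responses:", len(set(fresh)))
    audit = ChallengeAudit()
    for _ in range(2):
        print(audit.findings("srv.example", NULL_CHALLENGE))
```

With a fresh challenge per logon, each response is bound to that one session; with the fixed challenge, the same password always yields the same response, which is what the audit check is looking for.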
