Microsoft security bugs and exploits. See also TBTF for 1999-08-30, 1998-02-02, 01-26, 01-19, 1997-11-17, 11-10, 10-20, 08-11, 06-23, 05-22, 05-08, more...
Microsoft security problems pile up: exploit #8
After the publication of TBTF for 1997-03-21 [1] I updated the archive three times in five days with breaking developments in the Microsoft security situation, including a quick Microsoft response to a note I sent to their security email alias <secure at microsoft dot com>. Please do catch up if you haven't visited the 1997-03-21 issue [1] recently.
The magazine EE Times reports [3] a new Windows NT vulnerability (I will call this security flaw #8 -- see table). Jeremy Allison <jra at cygnus dot com> developed PWdump [4] by reverse-engineering the hashing algorithm (Microsoft's API documentation refers to it as "obfuscation") used by the Windows NT Security Accounts Manager, the heart of the NT security system. PWdump lets a system administrator generate a Unix-style account and password file from the SAM to help administrators manage sites where NT and Unix systems coexist. But Allison called it "a double-edged sword... this is a useful utility for migrating users to Unix systems from Windows NT, but it can also enable people to see all the actual passwords, which until now wasn't possible." To get passwords in plaintext you need to run a "crack" tool on the output of PWdump. One now exists [5]. As Yobie Benjamin <ybenja at ctp dot com> said when Allison sent him the PWdump code, "If somebody wanted to crack an NT server today, the pieces of the puzzle are now all there... all that's missing is intent." Benjamin broke into an NT network in his own lab using a "Trojan Horse" application attached to an email message and sent decoded NT passwords back to the attacking machine. He claims that any computer-literate adolescent with a 386 and a modem could do the same.
Bug | Found by | Date | MSIE vers. | W-95 | W-NT | Damage | Attacks via
---|---|---|---|---|---|---|---
#1 | Paul Greene | 2/27 | 3.0, 3.01 | yes | 4.0 | Can run arbitrary program on your PC | .url or .lnk file
#2 | David Ross | 3/4 | 3.0, 3.01, 3.01a | no | 4.0 w/SP 1 or 2 | Can run program if you double-click, w/no firewall | CIFS
#3 | Chris Rioux | 3/7 | 3.01 | yes | no | Can run arbitrary program on your PC | .isp file
#4 | Aaron Spangler | 3/14 | any, or NN | no | yes | Obtains username, hashed password | SMB
#5 | Paul Ashton | 3/17 | any | no | yes | Obtains username, hashed password, more | NTLM
#6 | Steve Birnbaum | 3/15 | any | no | yes | Obtains plaintext password | SMB
#7 (not a bug) | Tea Vui Huang | 3/14 | any | no | yes | Can disable IE security if you agree | .reg file
#8 (not a bug) | Jeremy Allison, Jonathan Wilkins | 3/31 | -- | no | yes | Can be used to obtain plaintext passwords if security policy is lax | SAM (PWdump, NTcrack)
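The "obfuscation" PWdump reverses is the NT hash: MD4 over the password encoded as UTF-16LE, with no per-account salt, so a dumped SAM listing can be checked offline against any candidate list and two accounts with the same password show the same hash. The Python below is an added example and is not PWdump or NTcrack code. It implements MD4 (RFC 1320) in pure Python so it does not depend on OpenSSL's legacy MD4 provider, derives NT hashes, and runs the two checks an administrator would want over a dump before anyone else does: accounts that share a hash, and accounts whose hash matches a forbidden password. The account names, their passwords and the `FORBIDDEN` list are constructed for the example.

```python
import struct

MASK = 0xFFFFFFFF


def _lrot(x: int, n: int) -> int:
    """Rotate a 32-bit word left by n bits."""
    return ((x << n) | (x >> (32 - n))) & MASK


def md4(data: bytes) -> bytes:
    """MD4 (RFC 1320) in pure Python; returns the 16-byte digest."""
    msg = bytearray(data)
    msg.append(0x80)
    while len(msg) % 64 != 56:
        msg.append(0)
    msg += struct.pack("<Q", len(data) * 8)  # message length in bits, little-endian

    # Per round: boolean function, message-word order, rotation amounts, additive constant.
    rounds = (
        (lambda x, y, z: (x & y) | (~x & z),
         list(range(16)), (3, 7, 11, 19), 0x00000000),
        (lambda x, y, z: (x & y) | (x & z) | (y & z),
         [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15], (3, 5, 9, 13), 0x5A827999),
        (lambda x, y, z: x ^ y ^ z,
         [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15], (3, 9, 11, 15), 0x6ED9EBA1),
    )
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    for off in range(0, len(msg), 64):
        words = struct.unpack("<16I", msg[off:off + 64])
        regs = state[:]
        for func, order, shifts, const in rounds:
            for i, k in enumerate(order):
                t = (-i) % 4  # registers are updated in the order a, d, c, b
                p, q, r = regs[(t + 1) % 4], regs[(t + 2) % 4], regs[(t + 3) % 4]
                regs[t] = _lrot((regs[t] + func(p, q, r) + words[k] + const) & MASK,
                                shifts[i % 4])
        state = [(s + g) & MASK for s, g in zip(state, regs)]
    return struct.pack("<4I", *state)


def nt_hash(password: str) -> str:
    """NT hash as stored in the SAM: MD4 of the UTF-16LE password, unsalted, as hex."""
    return md4(password.encode("utf-16-le")).hex()


# Constructed stand-in for a dumped listing: account -> NT hash.
SAMPLE_SAM = {
    "alice": nt_hash("Xq7#pLw9!vR2m"),
    "bob": nt_hash("password"),
    "carol": nt_hash("Spring1997"),
    "dave": nt_hash("password"),
}

# Constructed list of passwords the site's policy forbids.
FORBIDDEN = ["password", "letmein", "Spring1997", "Password1"]


def shared_hashes(sam: dict) -> dict:
    """Group accounts by identical hash; with no salt, same hash means same password."""
    groups = {}
    for account, h in sam.items():
        groups.setdefault(h, []).append(account)
    return {h: accts for h, accts in groups.items() if len(accts) > 1}


def policy_violations(sam: dict, forbidden: list) -> list:
    """Accounts whose stored hash equals the hash of a forbidden password."""
    forbidden_hashes = {nt_hash(p) for p in forbidden}
    return sorted(acct for acct, h in sam.items() if h in forbidden_hashes)


if __name__ == "__main__":
    print("shared:", shared_hashes(SAMPLE_SAM))
    print("violations:", policy_violations(SAMPLE_SAM, FORBIDDEN))
```

The two audit functions report only the affected accounts, which is all that is needed to force a reset; the point of the example is that a deterministic, unsalted hash makes both checks a single table lookup per account.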
Recently the Times posted an excellent summary article [10] on the Microsoft-targeted security exploits, current as of #5 (i.e., late March). The article states that
[1] <http://www.tbtf.com/archive/1997-03-21.html>
[2] <http://www.tbtf.com/archive/1997-03-09.html>
[3] <http://techweb.cmp.com/eet/news/97/947news/hack.html>
[4] <ftp://samba.anu.edu.au/pub/samba/pwdump/>
[5] <http://www.secnet.com/ntinfo/ntcrack.html>
[6] <http://www.microsoft.com/security/eetimes.htm>
[6a] <http://ntbugtraq.rc.on.ca/response.htm>
[6b] <http://ntbugtraq.rc.on.ca/response2.htm>
[8] <http://nytsyn.com/live/Latest/091_040197_122206_16003.html>
[9] <http://www.ntsecurity.net/security/passworddll.htm>
[10] <http://www.nytimes.com/library/cyber/week/032897microsoft.html>
[11] <http://www.tbtf.com/resource/metarisks-mh.html>
Those fools. Anyone in their right mind can see that triangular-shaped fabric placed over the face and partial torso combined with Nike(TM) sneakers while laying on your back in a western state is the real cause and not the Internet.
I sincerely hope the wider media obtain a clue about what the Net is and is not before Main Street gets terminally rattled and backs away from the whole phenomenon. This month's Internet Surveys [18] show no sign of such a trend, but chew on this straw in the wind: at a party recently I mentioned to a computer-naive acquaintance that I had started a consulting business focusing on the Internet. The next words out of his mouth were "Oh, I had no idea you were into pornography!"
[12] <http://www.cnn.com/US/9703/27/suicide/index.html>
[13] <http://www2.highersource.org/>
[14] <http://www.news.com/Perspectives/perspectives.html>
[15] <http://www.irish-times.com/irish-times/paper/1997/0331/cmp1.html>
[16] <http://www2.highersource.org/scrapbook/>
[17] <http://www2.highersource.org/mirror-1/index.htm>
[18] <http://www.nua.ie/surveys/WhatsNew.html>
Cryptography export policy. See also TBTF for 2000-02-06, 1999-10-05, 08-30, 08-23, 08-16, 07-26, 05-22, 05-08, 04-21, 03-01, 01-26, more...
There seems to be little sentiment in favor of this approach save in the U.S. law enforcement community (and in the British and French governments). Three other crypto-related bills now in Congress would take the country in another direction entirely.
German censorship of the Net. See also TBTF for 1999-12-16, 1997-04-04, 1996-08-08, 05-31, 02-04, 01-31, 01-22, 01-14, 1995-12-31
In protest a group of 95 Austrian ISPs [22] shut down their systems for two hours on 1997-03-25 [23]. From 4:00 to 6:00 pm last Thursday Austria became a black hole in the Net. The page Ein Land geht offline [24] lists 3,613 people who have signed on as supporters of the boycott.
[22] <http://www.internet.at/>
[23] <http://www.via.at/a-offline/provider.htm>
[24] <http://www.ostry.com/a-offline/entry.html>
[25] <http://www.peacefire.org/censorware/CYBERsitter.html>
[26] <http://www.spectacle.org/cs>
[27] <http://www.peacefire.org/censorware/CYBERsitter/articles.shtml>
[28] <http://cgi.pathfinder.com/netly/spoofcentral/censored/>
[29] <http://www.gamblenet.com/>
[30] <http://www.news.com/News/Item/0%2C4%2C7930%2C00.html>
[31] <http://thomas.loc.gov/cgi-bin/bdquery/D?d105:1:./temp/~bdzlWt::|/bss/d105query.html|>
Major expansion of Internet shopping: Wal-Mart, the nation's largest retail company, will more than double the number of items (to about 80,000) that will be available to persons who shop on the Internet, making it possible for online shoppers to find as many items as they would find in any of Wal-Mart's 2,000 out-of-town discount stores. (Financial Times 27 Mar 97)
The Alta Vista search engine. See also TBTF for 1997-10-20, 08-11, 04-04, 1996-12-24, 01-14, 1995-12-18
The verb "to dis" (from "disrespect") is American urban slang meaning "to heap scorn upon."
E.Commerce Today -- this commercial publication provided background information for some of the pieces in this issue of TBTF. For complete subscription details see <../resource/E.CT.txt>.

RISKS -- read the newsgroup comp.risks or mail risks-request@csl.sri.com without subject and with message: subscribe . Archive at <http://catless.ncl.ac.uk/Risks/>.

Red Rock Eater News Service -- mail rre-request@weber.ucsd.edu without subject and with message: subscribe Your Name . Archive at <http://communication.ucsd.edu/pagre/archive_help.html> (email-based). Web home at <http://communication.ucsd.edu/pagre/rre.html>.

Edupage -- mail listproc@educom.unc.edu without subject and with message: subscribe edupage Your Name . Web home at <http://www.educom.edu/>.
TBTF home and archive at <http://www.tbtf.com/>. To subscribe send the message "subscribe" to tbtf-request@world.std.com. TBTF is Copyright 1994-1997 by Keith Dawson, <dawson dot tbtf at gmail dot com>. Commercial use prohibited. For non-commercial purposes please forward, post, and link as you see fit.

Keith Dawson, dawson dot tbtf at gmail dot com
Layer of ash separates morning and evening milk.