From lkcl@SWITCHBOARD.NET Mon Nov 24 02:14:17 1997
Date: Sun, 12 Oct 1997 16:17:52 +0100
From: Luke Kenneth Casson Leighton 
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
Subject: login service denial? (NT Domain Authentication Protocol - draft)

while re-implementing the above protocol, i accidentally indicated that the
data length of the MSRPC packet (cifsntdomain.txt, section 3.1 Header:
fragment length and allocation hint) was 0x18 bytes short, namely not
including the header length.

the only packets correctly received were from the lsarpc pipe, and were an
LSA Open Policy packet, to which i responded incorrectly, followed by an
LSA Close, to which i responded correctly.

the next packet to be received was on the NETLOGON pipe.  the SMB TRANS2
fields (see cifs6.txt, section 3.13.1) were mostly zero, including the
MaxDataCount field.

by changing and experimenting with the (non-zero) handle returned in the
LSA Open Policy packet (cifsntdomain.txt, section 4.1: POL_HND), i managed
to get the SP1 NT 4.0 Server (configured as a stand-alone server) to chug
at its hard disk for about two minutes, and then come up with a login box
that _only_ contained user / password fields.

typing in _known_ valid (local) user / password entries into this dialog
resulted in a refused login, including the local Administrator username /
password.

fortunately, after a reboot (which had to be done via the reset switch
because the "shutdown" entry was greyed out in the login box with user /
password), normal login service was resumed (dialog box with user /
password / domain).

the POL_HND returned was 4 bytes of zeros, 8 bytes non-zero, 4 bytes of
zeros, 4 bytes non-zeros.



references:

ftp://ftp.microsoft.com/developr/drg/CIFS/cifs6.txt (currently at v1-spec-02)
http://mailhost.cb1.com/~lkcl/cifsntdomain.txt (currently at version 0.011)
http://mailhost.cb1.com/~lkcl/ntdomain.html (more references)

 Luke Kenneth Casson Leighton 
 Lynx2.7-friendly Home Page   

"Apply the Laws of Nature to your environment before your environment applies the Laws of Nature to you"

=-=

From lkcl@SWITCHBOARD.NET Mon Nov 24 02:14:23 1997
Date: Sun, 12 Oct 1997 18:53:25 +0100
From: Luke Kenneth Casson Leighton
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
Subject: Re: login service denial? (NT Domain Authentication Protocol - draft)

On Sun, 12 Oct 1997, Luke Kenneth Casson Leighton wrote:

> while re-implementing the above protocol, i accidentally indicated that the
> data length of the MSRPC packet (cifsntdomain.txt, section 3.1 Header:
> fragment length and allocation hint) was 0x18 bytes short, namely not
> including the header length.

[followup: i also reported the fragment length as 65536 times larger than it
really was :-)].

 Luke Kenneth Casson Leighton
 Lynx2.7-friendly Home Page

"Apply the Laws of Nature to your environment before your environment applies the Laws of Nature to you"

=-=

From paul@ARGO.DEMON.CO.UK Mon Nov 24 02:14:30 1997
Date: Sun, 12 Oct 1997 18:28:54 +0100
From: Paul Ashton
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
Subject: Re: login service denial? (NT Domain Authentication Protocol - draft)

At 16:17 12/10/97 +0100, Luke Kenneth Casson Leighton wrote:

>by changing and experimenting with the (non-zero) handle returned in the
>LSA Open Policy packet (cifsntdomain.txt, section 4.1: POL_HND), i managed
>to get the SP1 NT 4.0 Server (configured as a stand-alone server) to chug
>at its hard disk for about two minutes, and then come up with a login box
>that _only_ contained user / password fields.
>
>typing in _known_ valid (local) user / password entries into this dialog
>resulted in a refused login, including the local Administrator username /
>password.
>
>fortunately, after a reboot (which had to be done via the reset switch
>because the "shutdown" entry was greyed out in the login box with user /
>password), normal login service was resumed (dialog box with user /
>password / domain).

I presume you mean your NT client to the Samba PDC which in your case
happens to be an NT4.0 server?

I had loads of these whilst I was implementing a PDC for the first time.
Loads of invalid RPC return values made NT either crash or refuse to allow
logins to a domain, locally or both, and on occasion I couldn't log in at
all without reinstalling NT. There is more scope for denial of service and
system compromises than bears thinking about. It was perhaps a bit worse
since I didn't have any spec and did a lot of guesswork.

I also remember that I could crash Internet Explorer if I returned invalid
values in the HTTP Authorization: headers when implementing the password
disclosure NT Internet Explorer hole back in March.

See http://www.argo.demon.co.uk/nt/ntie.html for a description and a pointer
to the C source of the Apache module that exploits it.

Where do you want to crash today?

Paul
--
"Welcome to the SAMBA domain"
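The thread's common thread, from a defender's point of view, is that the NT peer trusted the lengths an RPC fragment declared about itself: a fragment length 0x18 bytes short of the true value (i.e. not counting the 24-byte request header), or 65536 times too large, and, per Paul's reply, other invalid RPC return values, were enough to put the server into a state where nobody could log in. The check a receiving implementation wants is to validate those self-described fields against the bytes actually received before acting on them. The following is an added example written for this page, not code from the thread, from Samba, or from cifsntdomain.txt: it parses a DCE/RPC (MSRPC) connection-oriented request fragment using the standard DCE 1.1 header layout (16-byte common header followed by alloc_hint, p_cont_id and opnum), rejects a frag_length that is smaller than the header or larger than the data on the wire, and includes a builder so the two malformed cases from the thread can be reproduced offline. The field names and offsets are taken from the DCE RPC specification, which the e-mails only reference indirectly; the builder's drep, flag and context-id values are constructed sample values.

```python
"""Defensive parser for a DCE/RPC (MSRPC) connection-oriented request PDU.

Added example for the NTBugtraq thread above; not the thread's own code.
Header layout is the DCE 1.1 RPC connection-oriented layout (assumed from
the spec, not taken from cifsntdomain.txt):
  common header (16 bytes): rpc_vers, rpc_vers_minor, PTYPE, pfc_flags,
                            packed_drep[4], frag_length, auth_length, call_id
  request header (8 bytes): alloc_hint, p_cont_id, opnum
"""
import struct
from typing import Optional

COMMON_HDR_LEN = 16    # rpc_vers .. call_id
REQUEST_HDR_LEN = 24   # common header + request fields: the 0x18 from the thread
PTYPE_REQUEST = 0
RPC_VERS = 5
PFC_FIRST_LAST = 0x03  # PFC_FIRST_FRAG | PFC_LAST_FRAG


class PduError(ValueError):
    """The fragment's self-described lengths cannot be trusted."""


def parse_request_pdu(buf: bytes) -> dict:
    """Parse one request fragment, refusing any length that disagrees with the wire."""
    if len(buf) < COMMON_HDR_LEN:
        raise PduError(f"only {len(buf)} bytes, less than a common header")
    rpc_vers, _minor, ptype, _flags = struct.unpack_from("BBBB", buf, 0)
    if rpc_vers != RPC_VERS:
        raise PduError(f"unsupported rpc_vers {rpc_vers}")
    # packed_drep[0] bit 4 selects integer byte order: set means little-endian.
    endian = "<" if buf[4] & 0x10 else ">"
    frag_length, auth_length, call_id = struct.unpack_from(endian + "HHI", buf, 8)
    # frag_length counts the header itself; a value below the header length is
    # the "0x18 bytes short" mistake from the thread and is rejected outright.
    if frag_length < COMMON_HDR_LEN:
        raise PduError(f"frag_length {frag_length} is smaller than the header")
    # A fragment claiming more bytes than arrived is never acted on either.
    if frag_length > len(buf):
        raise PduError(f"frag_length {frag_length} exceeds the {len(buf)} bytes received")
    if ptype != PTYPE_REQUEST:
        raise PduError(f"ptype {ptype} is not a request")
    if frag_length < REQUEST_HDR_LEN:
        raise PduError(f"frag_length {frag_length} cannot hold a request header")
    alloc_hint, p_cont_id, opnum = struct.unpack_from(endian + "IHH", buf, COMMON_HDR_LEN)
    # The stub is whatever frag_length leaves after the header and auth trailer.
    stub_len = frag_length - REQUEST_HDR_LEN - auth_length
    if stub_len < 0:
        raise PduError(f"auth_length {auth_length} does not fit inside frag_length")
    # alloc_hint is advisory only: it is returned but never used to size buffers.
    return {
        "call_id": call_id, "p_cont_id": p_cont_id, "opnum": opnum,
        "frag_length": frag_length, "alloc_hint": alloc_hint,
        "stub": buf[REQUEST_HDR_LEN:REQUEST_HDR_LEN + stub_len],
    }


def validate(buf: bytes) -> str:
    """Return 'ok' or 'reject: <reason>' so a caller can log the decision."""
    try:
        parse_request_pdu(buf)
    except PduError as exc:
        return f"reject: {exc}"
    return "ok"


def build_request_pdu(stub: bytes, opnum: int, call_id: int = 1,
                      frag_length: Optional[int] = None,
                      alloc_hint: Optional[int] = None) -> bytes:
    """Build a little-endian request PDU (constructed sample); frag_length may be
    overridden to reproduce a sender that miscounts the fragment size."""
    if frag_length is None:
        frag_length = REQUEST_HDR_LEN + len(stub)
    if alloc_hint is None:
        alloc_hint = len(stub)
    common = struct.pack("<BBBB4sHHI", RPC_VERS, 0, PTYPE_REQUEST, PFC_FIRST_LAST,
                         b"\x10\x00\x00\x00", frag_length, 0, call_id)
    request = struct.pack("<IHH", alloc_hint, 0, opnum)
    return common + request + stub


if __name__ == "__main__":
    stub = bytes(range(8))                                   # constructed stub data
    print(validate(build_request_pdu(stub, opnum=7)))        # well-formed
    print(validate(build_request_pdu(stub, opnum=7, frag_length=len(stub))))  # header not counted
    print(validate(build_request_pdu(stub, opnum=7, frag_length=0xFFFF)))     # far too large
```

The second constructed case is the sender bug the first message describes: frag_length set to the stub size alone, 0x18 bytes short. The third stands in for the follow-up's wildly oversized fragment length (a 16-bit field cannot hold 65536 times the true value, so the maximum is used). Both are refused before any field beyond the common header is interpreted, which is the property a receiver needs if a malformed peer is not to take the login service down with it.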