MS04-011 question
Andrew Bartlett
abartlet at samba.org
Fri May 7 23:21:12 GMT 2004
On Sat, 2004-05-08 at 05:19, Xyster ! wrote:
> I've read quite a bit about MS04-011 NTLMv2 problems but no one has really
> spelled out what the problem actually is.
>
> >From looking at traces it appears a patched Windows box generates broken
> NTLMv2 authentication blobs. Instead of sending, as part of the blob, the
> full NetBIOS domain name and NetBIOS host name, it sends the first two
> letters of the domain name; one letter as the domain name and the second
> letter as the host name.
> Some experimentation has shown that Windows servers will reject these broken
> blobs. In other words, a Windows client using NTLMv2 will be rejected by a
> Windows server.
Ouch! Samba doesn't try and decode the blob, and intermediate windows
servers (domain members) will not, so this is not as much of an issue on
Samba networks ;-)
> Of course, this is not normally a problem since Windows will usually use
> NTLMSSP when authenticating and imagine it is a different code path in
> Windows.
When using NTLMSSP, it does not need to 'make up' the blob of names, it
can just copy it from what the server provided.
> Does anyone else see this or is my Windows client playing games with me?
I've not seen this myself, but I've honestly not been looking at the
NTLMv2 side of things.
Andrew Bartlett
--
Andrew Bartlett abartlet at pcug.org.au
Manager, Authentication Subsystems, Samba Team abartlet at samba.org
Student Network Administrator, Hawker College abartlet at hawkerc.net
http://samba.org http://build.samba.org http://hawkerc.net
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part
Url : http://lists.samba.org/archive/samba-technical/attachments/20040508/b3242e5c/attachment.bin
More information about the samba-technical
mailing list