Authentication ....

Luke Kenneth Casson Leighton lkcl at samba.org
Wed Jan 24 17:57:32 GMT 2001


On Wed, 24 Jan 2001, Gerald Carter wrote:

> Luke Kenneth Casson Leighton wrote:
> > 
> > e.g. they fixed the SamrSetUserInfo(info level = 0x17 
> > and 0x18) security bug - they contain user passwords - 
> > but haven't told anyone how they've done it.  i have 
> > better hopes that they've got it right, this time, but 
> > from past experience i remain skeptical.  this time, i 
> > have some rumour/evidence that they consulted some 
> > proper security experts in-house about this one.
> > 
> > lukes
> 
> Given that I've played with the call a good bit lately :)
> I'm curious what the exact security hole is.  Other than 
> the fact that I don't see any 2 way verification that 
> the new password is valid.  i.e. you decrypt the 516 byte
> password buffer, but how do you know that the password
> at the end (minus the length) is actually what the client
> sent.

> Am I being dense here?

no, you're not.

the user session key [the use of which is part of the security problem] is
used as the RC4 key.

that's all there is to it.

it is "assumed" that the RC4 key - the user session key - cannot be
spoofed.

which is utterly STUPID because on ntlm v1 it's just MD4(nt password
hash).

so, in answer to your question, you don't know!!!!!!!

except if you enable [mandate] SMB signing.

which will cause w95 to fail (unless you install the DFS 4.1 client.
hello?  hellooo?  anybody home when that one was decided?), and all
versions of samba as well, because we haven't worked out SMB signing yet.

luke
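The "you don't know" above, as an added worked model of the exchange (constructed for this archive page, not Samba or Microsoft code, with a made-up session key standing in for MD4(NT hash)): RC4 is a stream cipher, so flipping a ciphertext bit flips the same plaintext bit, the decrypted 516-byte buffer still parses cleanly, and only a keyed integrity check over the wire data, the job SMB signing does, lets the server notice.

```python
import hashlib, hmac, os, struct

def rc4(key: bytes, data: bytes) -> bytes:
    """RC4: key-scheduled permutation, then XOR the data with the keystream."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def encode_pw_buffer(password: str) -> bytes:
    """516-byte buffer: 512 data bytes with the UTF-16LE password at the end
    (random filler before it), then the password byte length as 4 LE bytes."""
    pw = password.encode("utf-16-le")
    return os.urandom(512 - len(pw)) + pw + struct.pack("<I", len(pw))

def decode_pw_buffer(buf: bytes) -> str:
    """What the server does after RC4: read the length, take the tail."""
    length = struct.unpack("<I", buf[512:516])[0]
    return buf[512 - length:512].decode("utf-16-le", errors="replace")

# Constructed stand-in for the user session key (on NTLMv1: MD4 of the NT hash).
SESSION_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")

def mac(ciphertext: bytes) -> bytes:  # keyed MAC; illustrates what signing adds
    return hmac.new(SESSION_KEY, ciphertext, hashlib.sha256).digest()

def server_receives(key: bytes, ciphertext: bytes) -> str:
    return decode_pw_buffer(rc4(key, ciphertext))

def demo_tamper(password: str = "Secret1") -> tuple:
    """Flip one ciphertext bit in transit: decryption still parses cleanly,
    so the server has no way to tell the password was altered."""
    ct = rc4(SESSION_KEY, encode_pw_buffer(password))
    off = 512 - len(password.encode("utf-16-le"))  # first password byte
    tampered = bytearray(ct); tampered[off] ^= 0x20  # case-flips that character
    return server_receives(SESSION_KEY, ct), server_receives(SESSION_KEY, bytes(tampered))

def demo_signed(password: str = "Secret1") -> tuple:
    """Same tampering, but the server checks a keyed MAC first: (True, False)."""
    ct = rc4(SESSION_KEY, encode_pw_buffer(password)); tag = mac(ct)
    tampered = bytearray(ct); tampered[512 - len(password.encode("utf-16-le"))] ^= 0x20
    return hmac.compare_digest(mac(ct), tag), hmac.compare_digest(mac(bytes(tampered)), tag)
```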