Jean Francois Micouleau
Jean-Francois.Micouleau at dalalu.fr
Wed Jan 24 19:26:16 GMT 2001
On Thu, 25 Jan 2001, Luke Kenneth Casson Leighton wrote:
> On Wed, 24 Jan 2001, Gerald Carter wrote:
> > Luke Kenneth Casson Leighton wrote:
> > >
> > > e.g. they fixed the SamrSetUserInfo(info level = 0x17
> > > and 0x18) security bug - they contain user passwords -
> > > but haven't told anyone how they've done it. i have
> > > better hopes that they've got it right, this time, but
> > > from past experience i remain skeptical. this time, i
> > > have some rumour/evidence that they consulted some
> > > proper security experts in-house about this one.
> > >
> > > lukes
> > Given that I've played with the call a good bit lately :)
> > I'm curious what the exact security hole is. Other than
> > the fact that I don't see any 2 way verification that
> > the new password is valid. i.e. you decrypt the 516 byte
> > password buffer, but how do you know that the password
> > at the end (minus the length) is actually what the client
> > sent.
> > Am I being dense here?
> no, you're not.
> the user session key [the use of which is part of the security problem] is
> used as the RC4 key.
> that's all there is to it.
> it is "assumed" that the RC4 key - the user session key - cannot be
> which is utterly STUPID because on ntlm v1 it's just MD4(nt password
I agree with you Luke, it's a bit light on the security side. But on NT,
in which calls can the RC4 key be spoofed?
Unless you have also spoofed the machine password, it's pretty hard and
And brute forcing the NT hash doesn't give you anything in that case.
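Added illustrative example, not part of the original message and not Samba's or Microsoft's code: the 516-byte password buffer of SamrSetUserInfo levels 0x17/0x18 discussed above, RC4-encrypted under the user session key, with the NTLMv1 session key derived as MD4 of the NT hash. It shows both points raised in the thread. The key is computable from the NT hash alone, and because RC4 is a stream cipher with no integrity check, whoever can see the blob and knows which password the client sent can rewrite it to a chosen value in transit, or flip bits blindly, and the server's decode still succeeds without error. The buffer layout (UTF-16LE password right-aligned in a 512-byte field, random fill before it, 4-byte little-endian length after it) follows the documented SAMPR_USER_PASSWORD structure; the sample passwords, the pure-Python MD4 and RC4, and all function names are constructed for this example.

```python
"""Added example for this page (not Samba's code): the 516-byte SamrSetUserInfo
password buffer (info levels 0x17/0x18) RC4-encrypted under the user session
key, and why that gives no integrity. Sample passwords are made up."""
import os
import struct

def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320); hashlib's md4 is disabled on many builds."""
    rol = lambda x, n: ((x << n) | (x >> (32 - n))) & 0xFFFFFFFF
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    msg = data + b"\x80" + b"\x00" * ((55 - len(data)) % 64) + struct.pack("<Q", 8 * len(data))
    h = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    rounds = (
        (F, 0x00000000, list(range(16)), (3, 7, 11, 19)),
        (G, 0x5A827999, [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15], (3, 5, 9, 13)),
        (H, 0x6ED9EBA1, [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15], (3, 9, 11, 15)),
    )
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        r = h[:]
        for fn, k, order, shifts in rounds:
            for i, xi in enumerate(order):
                j = (-i) % 4  # registers are updated in the order a, d, c, b
                r[j] = rol((r[j] + fn(r[(j + 1) % 4], r[(j + 2) % 4], r[(j + 3) % 4])
                            + X[xi] + k) & 0xFFFFFFFF, shifts[i % 4])
        h = [(a + b) & 0xFFFFFFFF for a, b in zip(h, r)]
    return struct.pack("<4I", *h)

def nt_hash(password: str) -> bytes:
    return md4(password.encode("utf-16-le"))

def ntlmv1_session_key(nt: bytes) -> bytes:
    # NTLMv1 user session key = MD4(NT hash): holding the hash is holding the key.
    return md4(nt)

def rc4(key: bytes, data: bytes) -> bytes:
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out, i, j = bytearray(), 0, 0
    for b in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(b ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)

def encode_password_buffer(password: str) -> bytes:
    """512 bytes: random fill, then the UTF-16LE password right-aligned;
    followed by a 4-byte little-endian byte length (516 bytes total)."""
    pw = password.encode("utf-16-le")
    if len(pw) > 512:
        raise ValueError("password too long")
    return os.urandom(512 - len(pw)) + pw + struct.pack("<I", len(pw))

def decode_password_buffer(buf: bytes) -> str:
    """All a server can check after decrypting: buffer size and length field."""
    if len(buf) != 516:
        raise ValueError("bad buffer size")
    (length,) = struct.unpack("<I", buf[512:])
    if length > 512 or length % 2:
        raise ValueError("bad length")
    return buf[512 - length:512].decode("utf-16-le", errors="replace")

def rewrite_in_transit(blob: bytes, known: str, chosen: str) -> bytes:
    """RC4 is a stream cipher: XOR the ciphertext with known^chosen and the
    server decrypts 'chosen' instead, with no key and no detectable error.
    Assumes the attacker knows the password the client sent (same length)."""
    old, new = known.encode("utf-16-le"), chosen.encode("utf-16-le")
    if len(old) != len(new):
        raise ValueError("replacement must have the same UTF-16LE length")
    out = bytearray(blob)
    for i, (o, n) in enumerate(zip(old, new)):
        out[512 - len(old) + i] ^= o ^ n
    return bytes(out)

def demo() -> dict:
    key = ntlmv1_session_key(nt_hash("password"))  # constructed account password
    blob = rc4(key, encode_password_buffer("Secret1"))  # client sets a new password
    accepted = decode_password_buffer(rc4(key, blob))  # honest path
    forged = decode_password_buffer(rc4(key, rewrite_in_transit(blob, "Secret1", "Pwned!!")))
    blind = bytearray(blob)
    blind[510] ^= 0x01  # flip one bit of the last character, knowing nothing
    blindly_changed = decode_password_buffer(rc4(key, bytes(blind)))
    return {"key": key.hex(), "accepted": accepted, "forged": forged, "blind": blindly_changed}

if __name__ == "__main__":
    print(demo())
```

The code only covers the cryptographic half of the argument; whether an attacker can actually get between client and server to replace the blob (the machine-credential question raised in the message) is a separate matter that it does not model.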
More information about the samba-ntdom