Authentication ....

Jean Francois Micouleau Jean-Francois.Micouleau at dalalu.fr
Wed Jan 24 19:26:16 GMT 2001


On Thu, 25 Jan 2001, Luke Kenneth Casson Leighton wrote:

> On Wed, 24 Jan 2001, Gerald Carter wrote:
> 
> > Luke Kenneth Casson Leighton wrote:
> > > 
> > > e.g. they fixed the SamrSetUserInfo(info level = 0x17 
> > > and 0x18) security bug - they contain user passwords - 
> > > but haven't told anyone how they've done it.  i have 
> > > better hopes that they've got it right, this time, but 
> > > from past experience i remain skeptical.  this time, i 
> > > have some rumour/evidence that they consulted some 
> > > proper security experts in-house about this one.
> > > 
> > > lukes
> > 
> > Given that I've played with the call a good bit lately :)
> > I'm curious what the exact security hole is.  Other than 
> > the fact that I don't see any 2 way verification that 
> > the new password is valid.  i.e. you decrypt the 516 byte
> > password buffer, but how do you know that the password
> > at the end (minus the length) is actually what the client
> > sent.
> 
> > Am I being dense here?
> 
> no, you're not.
> 
> the user session key [the use of which is part of the security problem] is
> used as the RC4 key.
> 
> that's all there is to it.
> 
> it is "assumed" that the RC4 key - the user session key - cannot be
> spoofed.
> 
> which is utterly STUPID because on ntlm v1 it's just MD4(nt password
> hash).

I agree with you Luke, it's a bit light on the security side. But on NT,
in which calls can the RC4 key be spoofed?

Unless you have also spoofed the machine password, it's pretty hard and
long.

And brute forcing the NT hash doesn't give you anything in that case.

	J.F.

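As an added illustration, not code from the thread or from Samba, of the 516-byte password buffer Gerald and Luke are discussing: the password sits at the end of a 512-byte area followed by its length, the whole thing is RC4-encrypted under the session key, and the receiving side has nothing but that trailing length to go on. The session key is a constructed 16-byte constant here rather than MD4 of the NT hash, and the exact layout (random fill, right-aligned UTF-16LE password, little-endian uint32 length) is assumed from the thread's description.

```python
import os
import struct

DATA_LEN = 512  # password data area; a 4-byte length follows it (516 bytes in all)
SESSION_KEY = bytes.fromhex("0f0e0d0c0b0a09080706050403020100")  # constructed sample key


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 keystream XOR; the same call encrypts and decrypts."""
    s, j = list(range(256)), 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for b in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(b ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def encode_password_buffer(password: str) -> bytes:
    """Client: random padding, UTF-16LE password at the end of the 512-byte area,
    then its byte length as a little-endian uint32 (assumed layout)."""
    pw = password.encode("utf-16-le")
    if len(pw) > DATA_LEN:
        raise ValueError("password too long")
    return os.urandom(DATA_LEN - len(pw)) + pw + struct.pack("<I", len(pw))


def decode_password_buffer(buf: bytes) -> str:
    """Server: trust the trailing length and take that many bytes from the end.
    There is no MAC and no other check that the bytes are what the client sent."""
    if len(buf) != DATA_LEN + 4:
        raise ValueError("bad buffer size")
    (length,) = struct.unpack("<I", buf[DATA_LEN:])
    if length > DATA_LEN:
        raise ValueError("bad length")
    return buf[DATA_LEN - length:DATA_LEN].decode("utf-16-le")


def set_password_roundtrip(password: str, key: bytes = SESSION_KEY) -> str:
    """Honest exchange: client encrypts under the session key, server decrypts."""
    return decode_password_buffer(rc4(key, rc4(key, encode_password_buffer(password))))


def one_bit_flip(password: str, key: bytes = SESSION_KEY) -> str:
    """The gap Gerald points at: flip one ciphertext bit and the server decodes a
    different password, with nothing telling it the buffer was altered."""
    wire = bytearray(rc4(key, encode_password_buffer(password)))
    wire[DATA_LEN - len(password.encode("utf-16-le"))] ^= 0x01  # low byte of 1st char
    return decode_password_buffer(rc4(key, bytes(wire)))
```

The roundtrip returns the password unchanged, while the single flipped bit turns "Secret1!" into "Recret1!" on the server side and is accepted as-is, which is why the key being spoofable matters so much more than it would with an integrity check in place.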