Win2k3 SP1, virtual hosting and NTLMv2 failures

Andrew Bartlett abartlet at samba.org
Fri Sep 23 02:04:03 GMT 2005 

In testing Samba4, I noticed that we were failing the RPC-SAMLOGON test,
with a new error: NT_STATUS_LOGON_FAILURE and NT_STATUS_NOT_FOUND.  We
don't normally see either in a SamLogon reply, instead we expect
NT_STATUS_WRONG_PASSWORD or NT_STATUS_NO_SUCH_USER.

NTLMv2 includes data that could be used to prevent certain MITM (man in
the middle) attacks, such as the target hostname.  In the past, it
appears this data was parsed but not validated, and now it is being
validated.

So, if the SamLogon as presented by the member server to the PDC
contains a target netbios name different to the account name, the login
is rejected with LOGON_FAILURE.  No doubt things are more complex than
this, but it would appear to impact on virtual hosting setups.  The
impact on trusted domains also needs to be carefully examined.

The vunrability closed by Win2k3 SP1 has been one of my pet peeves for
too long, and it's nice to see it starting to be closed.  To create a
secure setup, the client must validate that the 'target information'
returned in an NTLMSSP challenge is the same as the server the user
contacted.  It then includes this same (or different) target information
in the NTLMv2 reply, as part of the hashed data.  The DC can then verify
that this machine account is permitted to use that name.

If either the clients start constructing this target information
themselves, or validating this information, various 'virtual hosting'
setups will break.  Assuming this hasn't just been removed from
Microsoft's own functionality, we will need to find out how to add our
aliases to the list of valid names.  It may be as simple as a
construction on servicePrincipalName.

More immediately, this also impacts NTLMv2 without NTLMSSP, where the
client already constructs this information. 

The NOT_FOUND errors are caused by user at REALM style logins, and I need
to look into this further.

Andrew Bartlett
-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Samba Developer, SuSE Labs, Novell Inc.        http://suse.de
Authentication Developer, Samba Team           http://samba.org
Student Network Administrator, Hawker College  http://hawkerc.net
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part
Url : http://lists.samba.org/archive/samba-technical/attachments/20050923/31b96013/attachment.bin

More information about the samba-technical mailing list