ntlmssp errors against El Capitan's SMB Server

Jeremy Allison jra at samba.org
Wed Aug 31 02:31:22 UTC 2016


On Tue, Aug 30, 2016 at 10:19:11PM -0400, Simo wrote:
> > note the 'ntlmssp_state->new_spnego = true' when timestamp != NULL.
> > 
> > And it looks like the Windows client doesn't check the
> > mechlistMIC in this case, so we might need to loosen our
> > check also.
> > 
> > This would also fix the smbclient connecting to the Microsoft
> > Azure server problem - that server also only does NTLM and
> > doesn't send the mechlistMIC in the ACCEPT_COMPLETED reply.
> > 
> > Attached is a possible patch, but I'm *really* unsure
> > if this is safe w.r.t. downgrade attacks.
> > 
> > Metze, can you take a look at this and let me know what you
> > think?
> 
> I've been thinking about when a downgrade attack is possible and the
> only scenario that comes to mind is when the server just ignores the
> client MIC. And in that case the server will never detect nor generate
> a mechlistMIC anyway.
> If the server checks the client sent mechlistMIC, then the server will
> detect a downgrade attack and just drop the session establishment.

Yep, I've also been thinking more about this and I think
the patch is safe. Once the client has the "accept-complete"
reply, then a missing server-sent mechlistMIC can't
affect anything. Check it if it's there, but it's not
providing any extra security I think.


