From: "Chris Lewicki" <clewi...@igs.com>
Subject: New NT Flaw
Date: 1997/04/01
Message-ID: <01bc3ef3$49fbb920$7782a6cd@lewicki>#1/1
X-Deja-AN: 230002978
Organization: IGS
Newsgroups: comp.os.ms-windows.nt.admin.security


Has anyone heard about this or know where this tool is being distributed?


*** Major security hole in Windows NT operating system

A major security flaw has been uncovered in Microsoft Corp.'s flagship
network operating system, Windows NT, that could enable a user dialing
in from a remote location to unscramble encrypted information --
including a corporate network's entire registry of user passwords --
and display it as plain text, according to a report posted on EE Times
Online (http://www.eet.com). The discovery is especially troublesome
for the Redmond, Wash. software giant because it has tried to position
NT as a more secure network server than alternatives such as Unix. For
the full text story, see
http://www.merc.com/stories/cgi/story.cgi?id=2194562-f73


-- 
================================================================
Christopher A. Lewicki
Information + Graphics Systems
4990 Pearl East Circle
Boulder, CO  80301

clewi...@igs.com
Phone: (303) 449-1110 x2153
Fax: (303) 449-1298
================================================================

From: dlebl...@mindspring.com (David LeBlanc)
Subject: Re: New NT Flaw
Date: 1997/04/02
Message-ID: <33496339.1459310477@news.mindspring.com>#1/1
X-Deja-AN: 230130018
References: <01bc3ef3$49fbb920$7782a6cd@lewicki>
X-Server-Date: 2 Apr 1997 13:52:54 GMT
Organization: MindSpring Enterprises
Newsgroups: comp.os.ms-windows.nt.admin.security


"Chris Lewicki" <clewi...@igs.com> wrote:

>Has anyone heard about this or know where this tool is being distributed?
 
>*** Major security hole in Windows NT operating system

Not really, but...

>A major security flaw has been uncovered in Microsoft Corp.'s flagship
>network operating system, Windows NT, that could enable a user dialing
>in from a remote location to unscramble encrypted information --
>including a corporate network's entire registry of user passwords --
>and display it as plain text, according to a report posted on EE Times
>Online (http://www.eet.com). The discovery is especially troublesome
>for the Redmond, Wash. software giant because it has tried to position
>NT as a more secure network server than alternatives such as Unix. For
>the full text story, see
>http://www.merc.com/stories/cgi/story.cgi?id=2194562-f73

The deal with this is that Jeremy Allison has determined how to get
the hashes of the passwords out of the registry.  This means that I
can dump all the users and their hashed passwords to a text file if
and only if I have administrator priviledge on that machine (which is
why it isn't really as bad as the press makes it sound).  Once I've
dumped the hashes, I can then run a dictionary attack on them.

Where the hole really comes in is that those hashes can be used to
authenticate across the network from a machine running samba.  So if
you use the tool as intended, you can now have your entire NT network
breached if anyone gains root on the samba machine.

If you're concerned about weak passwords, install passflt.dll from SP2
- there is also source to write your own on MS's site.


David LeBlanc           |Why would you want to have your desktop user, 
dlebl...@mindspring.com |your mere mortals, messing around with a 32-bit 
                        |minicomputer-class computing environment?
                        |Scott McNealy

From: address-with...@bogus.com (Larry Kahn)
Subject: Re: New NT Flaw
Date: 1997/04/03
Message-ID: <437cd$d2f.cb@p6dnf>#1/1
X-Deja-AN: 230463841
References: <01bc3ef3$49fbb920$7782a6cd@lewicki>
Newsgroups: comp.os.ms-windows.nt.admin.security


In article <01bc3ef3$49fbb920$7782a6cd@lewicki>, clewi...@igs.com says...
>
>Has anyone heard about this or know where this tool is being distributed?
>
>
>*** Major security hole in Windows NT operating system
>
>A major security flaw has been uncovered in Microsoft Corp.'s flagship
>network operating system, Windows NT, that could enable a user dialing
>in from a remote location to unscramble encrypted information --
>including a corporate network's entire registry of user passwords --
>and display it as plain text, according to a report posted on EE Times
>Online (http://www.eet.com). The discovery is especially troublesome
>for the Redmond, Wash. software giant because it has tried to position
>NT as a more secure network server than alternatives such as Unix. For
>the full text story, see
>http://www.merc.com/stories/cgi/story.cgi?id=2194562-f73
>

this is a bunch of bullshit ... there is no security flaw.. there is
a program that will generate a .txt version of the usernames and encrypted
passwords .. and another that attempts to un-encrypt them using a dictionary
approach... you first need administrator privilege just to dump the passwords 
...

unix has a readable passwords file anyway.. since all users need to be
able to read the password file to log in...

there is NO security hole....

From: dlebl...@mindspring.com (David LeBlanc)
Subject: Re: New NT Flaw
Date: 1997/04/04
Message-ID: <334667d7.1591564849@news.mindspring.com>#1/1
X-Deja-AN: 230550518
References: <01bc3ef3$49fbb920$7782a6cd@lewicki> <437cd$d2f.cb@p6dnf>
X-Server-Date: 4 Apr 1997 02:33:00 GMT
Organization: MindSpring Enterprises
Newsgroups: comp.os.ms-windows.nt.admin.security


address-with...@bogus.com (Larry Kahn) wrote:

>In article <01bc3ef3$49fbb920$7782a6cd@lewicki>, clewi...@igs.com says...
 
>>*** Major security hole in Windows NT operating system
 
>this is a bunch of bullshit ... there is no security flaw.. there is
>a program that will generate a .txt version of the usernames and encrypted
>passwords .. and another that attempts to un-encrypt them using a dictionary
>approach... you first need administrator privilege just to dump the passwords 

It is a bunch of bullshit.  However, there is a hole - the hashes can
be used across the network to access shares and other resources.  If
the file with the hashes is stolen, your whole domain is compromised.
IMHO, they should strongly encrypt the hashes instead of weakly
obfuscating them.

They should also grab a lock on that section of the registry and not
allow access to it.


David LeBlanc           |Why would you want to have your desktop user, 
dlebl...@mindspring.com |your mere mortals, messing around with a 32-bit 
                        |minicomputer-class computing environment?
                        |Scott McNealy

From: Jeremy Allison <j...@cygnus.com>
Subject: Re: New NT Flaw
Date: 1997/04/04
Message-ID: <33454394.7C4B@cygnus.com>#1/1
X-Deja-AN: 230715285
References: <01bc3ef3$49fbb920$7782a6cd@lewicki> <437cd$d2f.cb@p6dnf> 
<334667d7.1591564849@news.mindspring.com>
Organization: Cygnus Solutions
Reply-To: j...@cygnus.com
Newsgroups: comp.os.ms-windows.nt.admin.security


David LeBlanc wrote:
>
> IMHO, they should strongly encrypt the hashes instead of weakly
> obfuscating them.
> 
> David LeBlanc           |Why would you want to have your desktop user,
> dlebl...@mindspring.com |your mere mortals, messing around with a 32-bit
>                         |minicomputer-class computing environment?
>                         |Scott McNealy

I disagree. Being able to access the hashes has immense use
for Samba administrators (who are the people I wrote pwdump
for). There is *no* difference between 'strongly encrypt' and
'weakly obfuscating' the hashes. Both are reversible given
the knowledge of the algorithm. How many times do people
have to say

'*******SECURITY THROUGH OBSCURITY DOESN'T WORK**************'

(Sorry for shouting but this really bugs me :-).

The mistake was to keep around a weak hashing algorithm
(the old Lanman one) and not to use salt in the strong
one (MD4). As Bill Gates once said (and I *love* this
quote) 'NT *is* UNIX'. That's really true - in almost
all ways, especially the security aspect.

IMHO Microsoft are doing exactly the right thing - moving to
Kerberos. The UNIX vendors should have been there already.
It's disgraceful that they had to wait for Microsoft to
push them to add real security to their systems. Sometimes
I think they deserve all they get.

Regards,

Jeremy Allison,
j...@cygnus.com

"Help me Linus Torvalds, you're our only hope" :-)

From: dlebl...@mindspring.com (David LeBlanc)
Subject: Re: New NT Flaw
Date: 1997/04/05
Message-ID: <3345caae.1682403668@news.mindspring.com>#1/1
X-Deja-AN: 230825331
References: <01bc3ef3$49fbb920$7782a6cd@lewicki> <437cd$d2f.cb@p6dnf> 
<334667d7.1591564849@news.mindspring.com> <33454394.7C4B@cygnus.com>
X-Server-Date: 5 Apr 1997 04:08:03 GMT
Organization: MindSpring Enterprises
Newsgroups: comp.os.ms-windows.nt.admin.security


Jeremy Allison <j...@cygnus.com> wrote:

>David LeBlanc wrote:
 
>> IMHO, they should strongly encrypt the hashes instead of weakly
>> obfuscating them.
 
>I disagree. Being able to access the hashes has immense use
>for Samba administrators (who are the people I wrote pwdump
>for). 

_Why_ can't samba create the hashes from passwords on the command
line?  The thing I don't like about your tool is that if the file is
stolen, any user can log in - my whole domain is breached if one Linux
box running samba gets broken.  Running that app would reduce the
security of my company's network to zippo - or at least it would be
programmers with full access to everything.

>There is *no* difference between 'strongly encrypt' and
>'weakly obfuscating' the hashes. Both are reversible given
>the knowledge of the algorithm. How many times do people
>have to say
>
>'*******SECURITY THROUGH OBSCURITY DOESN'T WORK**************'
>
>(Sorry for shouting but this really bugs me :-).

Well, it doesn't hurt, now does it?  Took you a while to figure this
one out, and you're smarter than the average bear.  If it were me
fixing it, I'd create a key for each machine at install time, use it
to encrypt the hashes, and then I'd set a lock on those registry keys
such that nothing but system can touch them - better yet, winlogon.exe
would _own_ them - you wouldn't even be able to get at it with
scheduler or a web server that was compromised.  IMHO, you damn well
ought to have to go through the system to get to these.

>The mistake was to keep around a weak hashing algorithm
>(the old Lanman one) and not to use salt in the strong
>one (MD4). 

This is true.

>As Bill Gates once said (and I *love* this
>quote) 'NT *is* UNIX'. That's really true - in almost
>all ways, especially the security aspect.

Where did he say that?  Besides which, he may own the company, but he
says a lot of silly things.  I believe sometimes he just says things
for effect.  I see similarities and differences - we all seem to come
up with the same silly bugs - same sort of stuff in web servers.
OTOH, sendmail and exchange don't seem to have anything in common
except SMTP.

>IMHO Microsoft are doing exactly the right thing - moving to
>Kerberos. The UNIX vendors should have been there already.
>It's disgraceful that they had to wait for Microsoft to
>push them to add real security to their systems. Sometimes
>I think they deserve all they get.

Sure they do - they should have taken this seriously.  Always take
your competition seriously.

>"Help me Linus Torvalds, you're our only hope" :-)

Grin.


David LeBlanc           |Why would you want to have your desktop user, 
dlebl...@mindspring.com |your mere mortals, messing around with a 32-bit 
                        |minicomputer-class computing environment?
                        |Scott McNealy