Sunday, February 6, 2011

Mulling Through the Windows NTLM Weak Nonce Vulnerability

As of late there have been relatively few Windows 7 exploits; the only major ones were a DoS attack using SMB and a UAC code-injection bypass. However, a new exploit surfaced about a month ago that bypasses SMB authentication by using repeated challenges. The whole thing (documented here) works similarly to the infamous SMB credential reflection attack. The attacker repeatedly sends SMB Negotiate Protocol Requests to the target computer and logs the challenges it returns. The target is then made to load a JavaScript page that repeatedly connects back to the attacker. The attacker listens for matching challenges, and when it receives a challenge it has already recorded, it replays it. The sad part is that, as with the aforementioned SMB credential reflection attack, the weakness has been around for a pretty long time: 17 years. It was disclosed on the Microsoft site sometime last year, and the proof-of-concept exploit was posted about a month ago.
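From the defender's side, the two things the post describes are both observable: a burst of Negotiate Protocol Requests from one client while challenges are being harvested, and a server that hands out the same challenge more than once (a correctly implemented server draws each 8-byte challenge from a CSPRNG, so repeats in a modest sample should essentially never happen). The script below is an added example, not code from the post; it runs both checks over a handful of constructed log lines in a hypothetical format (timestamp, event name, client, challenge), and the window and threshold values are assumptions to tune for your environment.

```python
"""Detection logic for NTLM challenge harvesting symptoms (added example).

Two checks over SMB negotiate events:
  1. negotiate_bursts: a client sending many Negotiate Protocol Requests
     within a short sliding window (challenge harvesting).
  2. repeated_challenges: the server issuing the same challenge twice
     (weak or repeating nonce, which is what makes replay possible).
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample log (hypothetical format, not a real Windows event format).
SAMPLE_LOG = """\
2011-02-06T10:00:00 SMB_NEGOTIATE client=10.0.0.7 challenge=a1b2c3d4e5f60718
2011-02-06T10:00:00 SMB_NEGOTIATE client=10.0.0.7 challenge=0011223344556677
2011-02-06T10:00:01 SMB_NEGOTIATE client=10.0.0.7 challenge=8899aabbccddeeff
2011-02-06T10:00:01 SMB_NEGOTIATE client=10.0.0.7 challenge=a1b2c3d4e5f60718
2011-02-06T10:00:02 SMB_NEGOTIATE client=10.0.0.7 challenge=deadbeef00000001
2011-02-06T10:05:00 SMB_NEGOTIATE client=10.0.0.42 challenge=1234567890abcdef
"""


def parse_log(text):
    """Parse the constructed log format into a list of dict records."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event, client, challenge = line.split()
        records.append({
            "ts": datetime.fromisoformat(ts),
            "event": event,
            "client": client.split("=", 1)[1],
            "challenge": challenge.split("=", 1)[1].lower(),
        })
    return records


def repeated_challenges(records):
    """Return {challenge: count} for every challenge the server issued more than once."""
    counts = Counter(r["challenge"] for r in records if r["event"] == "SMB_NEGOTIATE")
    return {c: n for c, n in counts.items() if n > 1}


def negotiate_bursts(records, window=timedelta(seconds=10), threshold=4):
    """Return {client: peak} for clients whose negotiate requests reach
    `threshold` within any sliding `window` (assumed tuning values)."""
    by_client = defaultdict(list)
    for r in records:
        if r["event"] == "SMB_NEGOTIATE":
            by_client[r["client"]].append(r["ts"])
    flagged = {}
    for client, times in by_client.items():
        times.sort()
        start, peak = 0, 0
        for end in range(len(times)):
            # Slide the window start forward until it spans at most `window`.
            while times[end] - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[client] = peak
    return flagged


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("repeated challenges:", repeated_challenges(recs))
    print("negotiate bursts:", negotiate_bursts(recs))
```

On the sample data the first check flags challenge `a1b2c3d4e5f60718` as issued twice, and the second flags `10.0.0.7` for five negotiate requests inside one ten-second window. In a real deployment the burst check belongs on the SMB server's own logs or a network sensor, and the repeat check is most useful as a periodic audit: any non-zero result means the challenge source is not behaving like a CSPRNG and the host needs the vendor patch.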
