Via Metasploit Blog -
Today, Microsoft released bulletin MS08-068, which addresses a well-known flaw in the SMB authentication protocol. This attack was first publicly documented by Sir Dystic during @tlantacon in 2001 and implemented in Metasploit 3 in July of 2007. The attack abuses a design flaw in how SMB/NTLM authentication is implemented and works as follows.
[...]
The MS08-068 patch addresses this attack only in the case where the attacker connects back to the victim, i.e. reflects the victim's outbound SMB connection onto the victim's own SMB service. The patch works by checking the challenge key the victim receives (as a client) against the list of active keys that its own SMB service has issued. If the received challenge matches one on that list, the authentication process fails. This form of the attack is described as "reflection" by the Microsoft SWI team. The Karmetasploit implementation uses this attack by default, providing remote code execution in any environment where Metasploit can influence the network of the victim (WPAD, WiFi, MITM, etc). This attack works great even in very isolated environments, such as an airplane full of Windows users at 30,000 feet. You can find more details on this form of the attack and its resolution on the SWI blog.
The patch does NOT address the case where the attacker relays the connection to a third-party host that the victim has access to. This can be accomplished by setting the SMBHOST parameter in the Metasploit smb_relay module to a third-party server. There are many cases where this is useful, especially in LAN environments where various tools authenticate to all local hosts with a domain administrator account (vulnerability scanners, inventory management, network monitor software, etc). In this situation, the attacker would relay the connection to another local system (domain controller, workstation, etc) and abuse this to obtain remote code execution. The third-party attack can also be used to relay inbound SMB credentials to a remote non-SMB service that accepts NTLM authentication (POP3, IMAP4, SMTP, HTTP via IIS, etc). More information about non-SMB NTLM relaying can be found at the Squirtle web site.
Mandatory SMB signing can prevent this attack, since a relayed authentication does not give the attacker the session key needed to sign traffic, but requiring it breaks backwards compatibility with older operating systems that do not support signing. The MS08-068 patch is an elegant solution to a particular method of exploiting a design flaw, but it does not correct the flaw itself. This patch should be mandatory for road warriors and anyone who uses an untrusted network (wireless or otherwise), since without knowledge of, or connectivity to, a third-party host, the relayed credentials are not useful. The SMB protocol and NTLM authentication mechanism are quite fun to play with and relaying attacks are just the tip of the iceberg :-)
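The three cases discussed above (reflection and the MS08-068 challenge check, relay to a third-party host, and mandatory signing) are easier to reason about as a small model of the exchange. The following is an added example written for this page, not Metasploit's smb_relay code or Microsoft's patch. It assumes a simplified challenge/response in which a client proves knowledge of the account secret by returning HMAC-SHA256(secret, challenge); real NTLM uses an MD4-derived password hash and a different wire format, but the relay logic does not depend on those details. Host names, the `reflection_check` and `require_signing` flags and the `smb_relay` helper are all inventions of the example.

```python
"""Model of NTLM challenge/response relay over SMB, the MS08-068 reflection
check, and why mandatory signing stops relay.  Added example, not Metasploit
code; HMAC-SHA256 stands in for the real NTLM response computation."""
import os
import hmac
import hashlib


class AuthFailure(Exception):
    pass


def _respond(secret, challenge):          # stand-in for the NTLM response
    return hmac.new(secret, challenge, hashlib.sha256).digest()


def _session_key(secret, challenge):      # stand-in for the NTLM session key
    return hmac.new(secret, b"session" + challenge, hashlib.sha256).digest()


def _sign(key, data):                     # stand-in for an SMB message signature
    return hmac.new(key, data, hashlib.sha256).digest()


class Host:
    """A Windows-style host that is both an SMB server and an SMB client."""

    def __init__(self, name, secret, reflection_check=False, require_signing=False):
        self.name = name
        self.secret = secret                      # account credential valid on this host
        self.reflection_check = reflection_check  # MS08-068 behaviour when True
        self.require_signing = require_signing    # mandatory SMB signing when True
        self.issued = set()                       # challenges our SMB server handed out
        self.sessions = {}                        # session id -> signing key

    # ---- SMB server side ----
    def issue_challenge(self):
        challenge = os.urandom(8)
        self.issued.add(challenge)
        return challenge

    def verify(self, challenge, response):
        """Check a client's response; on success open a session and return its id."""
        if challenge not in self.issued:
            return None
        if not hmac.compare_digest(response, _respond(self.secret, challenge)):
            return None
        self.issued.discard(challenge)
        sid = os.urandom(4).hex()
        # Only a party that knows the secret can derive the signing key.
        self.sessions[sid] = _session_key(self.secret, challenge)
        return sid

    def execute(self, sid, command, signature=None):
        """Run a command over a session, enforcing signing if required."""
        key = self.sessions.get(sid)
        if key is None:
            return False
        if self.require_signing:
            if signature is None or not hmac.compare_digest(signature, _sign(key, command)):
                return False
        return True

    # ---- SMB client side ----
    def answer(self, challenge):
        """Respond to a server's challenge.  With the MS08-068 check enabled,
        refuse if the challenge is one our own SMB server has outstanding."""
        if self.reflection_check and challenge in self.issued:
            raise AuthFailure(f"{self.name}: challenge reflected from own SMB server")
        return _respond(self.secret, challenge)


def smb_relay(victim, target, command=b"psexec cmd.exe"):
    """Attacker in the middle: the victim connects to us as a client, we open a
    session to `target`, hand target's challenge to the victim, and forward the
    victim's response to target.  smb_relay(v, v) is the reflection case."""
    challenge = target.issue_challenge()          # attacker -> target: negotiate
    try:
        response = victim.answer(challenge)       # attacker -> victim, posing as server
    except AuthFailure:
        return False
    sid = target.verify(challenge, response)      # attacker -> target: forwarded response
    if sid is None:
        return False
    # The attacker never learned the secret, so it cannot sign anything.
    return target.execute(sid, command, signature=None)


def legitimate_session(client, target, command=b"dir"):
    """A real client that knows the secret can sign, so signing does not break it."""
    challenge = target.issue_challenge()
    sid = target.verify(challenge, client.answer(challenge))
    return target.execute(sid, command, _sign(_session_key(client.secret, challenge), command))


def run_scenarios(secret=b"DomainAdminPassword!"):
    unpatched = Host("ws1", secret)
    patched = Host("ws2", secret, reflection_check=True)
    dc = Host("dc", secret)                            # same admin account valid here
    dc_signed = Host("dc-signed", secret, require_signing=True)
    other = Host("other", b"unrelated-secret")
    return {
        "reflect_unpatched": smb_relay(unpatched, unpatched),   # True
        "reflect_patched": smb_relay(patched, patched),         # False: MS08-068 check
        "relay_to_dc_patched": smb_relay(patched, dc),          # True: patch does not help
        "relay_to_signed_dc": smb_relay(patched, dc_signed),    # False: cannot sign
        "relay_wrong_cred": smb_relay(patched, other),          # False: account not valid there
        "legit_signed": legitimate_session(patched, dc_signed), # True
    }


if __name__ == "__main__":
    for name, result in run_scenarios().items():
        print(f"{name}: {'attacker wins' if result else 'blocked'}")
```

The reflection check lives on the client side of the victim, exactly as the patch description above has it: the victim refuses to answer a challenge that its own SMB server currently has outstanding. Nothing in that check looks at a challenge issued by some other host, which is why `relay_to_dc_patched` still succeeds, and only `require_signing` on the target turns the relayed session into something the attacker cannot use.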
Update: Bob McMillan found this old advisory, which summarizes the reflection attack.
Update: Credit for the original discovery of the MITM/Relay method should be given to Dominique Brezinski, who published a paper on this topic in 1996 and spoke at Black Hat 1997.