|
AppleShare NT
security Bug
(notice)
Author: MS99-004
|
info, views, download, rating, security, insecure
Information:
This concerns Macs connected to NT servers using Service Pack 4. If a Mac
changes its password when connected to NT SP4, from that point on, PCs can
log into that user account with NO password (a null password.) -
contributed by John Wolf
Views:
This can be a serious bug. Its not well known, and when an Appleshare
Client is added, not many people think to check for security issues because,
well, it's APPLESHARE! This causes a problem on the network.
Reasonings and Technical How-SO
snip-it from ms99-004
advisory Issue
The Windows NT Security Account Manager (SAM) database stores the hashed
password for each user account in two forms: an "NT hash" form that is used
to authenticate users on Windows NT clients, and an "LM hash" form that is
used to authenticate users on Windows 95, Windows 98, and downlevel clients
such as DOS, Windows 3.1, Windows for Workgroups, OS/2 and Macintosh. When
a user changes his password via a Windows NT, Windows 95 or Windows 98
client, both the "NT hash" and "LM hash" forms of the password are updated
in the SAM. However, when the user changes his password via a downlevel
client, only the "LM hash" form of the password is stored; a null value is
stored in the "NT hash" field. This is normal operation.
When a user attempts an interactive logon or a network share connection
from a Windows NT system, the Windows NT authentication process uses the
"NT hash" form of the password. If the "NT hash" is null, the "LM hash" of
the password is used for verification. (Windows 95, Windows 98 and
downlevel clients always use only the "LM hash" for verification.) The
logic error in Service Pack 4 incorrectly allows a null "NT hash" value to
be used for authentication from Windows NT systems. The result is that if a
user account's password was last changed from a DOS, Windows 3.1, Windows
for Workgroups, OS/2 or Macintosh client, a user can logon into that
account from a Windows NT system using a blank password.
By far the most likely machines to be affected by this vulnerability would
be domain controllers running Windows NT 4.0 SP 4, in networks that contain
any of the downlevel clients listed above. However, any server or
workstation running Windows NT 4.0 SP 4 that contains a SAM database with
active users who communicate from downlevel clients would be vulnerable to
this problem. For example, a workgroup of Windows NT 4.0 SP 4 systems, one
of which is accessed by Windows for Workgroups clients, would be affected
by this vulnerability.
Get all the Details in the Microsoft
Security Bulletin
Security Issue Rating:
|
