SecureMac, Inc.

StaticUsers.net – AppleShare + NT Security Issues

June 2, 2001

Information:

This concerns Macs connected to NT servers using Service Pack 4. If a Mac changes its password when connected to NT SP4, from that point on, PCs can log into that user account with NO password (a null password.) – contributed by John Wolf

Views:

This can be a serious bug. It's not well known, and when an AppleShare client is added, not many people think to check for security issues because, well, it's APPLESHARE! This causes a problem on the network.

Reasoning and Technical How-So

Snippet from the MS99-004 advisory, Issue section:

The Windows NT Security Account Manager (SAM) database stores the hashed password for each user account in two forms: an “NT hash” form that is used to authenticate users on Windows NT clients, and an “LM hash” form that is used to authenticate users on Windows 95, Windows 98, and downlevel clients such as DOS, Windows 3.1, Windows for Workgroups, OS/2 and Macintosh. When a user changes his password via a Windows NT, Windows 95 or Windows 98 client, both the “NT hash” and “LM hash” forms of the password are updated in the SAM. However, when the user changes his password via a downlevel client, only the “LM hash” form of the password is stored; a null value is stored in the “NT hash” field. This is normal operation.

When a user attempts an interactive logon or a network share connection from a Windows NT system, the Windows NT authentication process uses the “NT hash” form of the password. If the “NT hash” is null, the “LM hash” of the password is used for verification. (Windows 95, Windows 98 and downlevel clients always use only the “LM hash” for verification.) The logic error in Service Pack 4 incorrectly allows a null “NT hash” value to be used for authentication from Windows NT systems. The result is that if a user account’s password was last changed from a DOS, Windows 3.1, Windows for Workgroups, OS/2 or Macintosh client, a user can log on into that account from a Windows NT system using a blank password.

By far the most likely machines to be affected by this vulnerability would be domain controllers running Windows NT 4.0 SP 4, in networks that contain any of the downlevel clients listed above. However, any server or workstation running Windows NT 4.0 SP 4 that contains a SAM database with active users who communicate from downlevel clients would be vulnerable to this problem. For example, a workgroup of Windows NT 4.0 SP 4 systems, one of which is accessed by Windows for Workgroups clients, would be affected by this vulnerability.

Get all the Details in the Microsoft Security Bulletin.
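The password-change and verification behaviour the bulletin describes, as an added example: a simplified Python model, not Microsoft's code and not part of the original page. The SHA-256 digest stands in for the real LM and NT hash algorithms, and every function name and sample account is constructed for illustration. `audit_null_nt` is the check an administrator would run over account records to find users whose password was last changed from a downlevel client.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import List, Optional

# Downlevel clients named in the bulletin (labels are this example's own).
DOWNLEVEL = {"dos", "win31", "wfw", "os2", "macintosh"}

def _h(kind: str, password: str) -> bytes:
    # Stand-in digest (assumption): NOT the real LM or NT hash algorithm.
    return hashlib.sha256(f"{kind}:{password}".encode()).digest()

@dataclass
class Account:
    name: str
    lm_hash: Optional[bytes] = None  # None models a null SAM field
    nt_hash: Optional[bytes] = None

def change_password(acct: Account, password: str, client: str) -> None:
    acct.lm_hash = _h("LM", password)
    # Downlevel clients store only the LM form; the NT field becomes null.
    acct.nt_hash = None if client in DOWNLEVEL else _h("NT", password)

def verify_intended(acct: Account, password: str) -> bool:
    # Logon from an NT system: use the NT hash, fall back to LM when it is null.
    if acct.nt_hash is not None:
        return hmac.compare_digest(acct.nt_hash, _h("NT", password))
    if acct.lm_hash is not None:
        return hmac.compare_digest(acct.lm_hash, _h("LM", password))
    return False

def verify_sp4_model(acct: Account, password: str) -> bool:
    # Simplified model of the SP4 outcome: a null NT field is itself
    # accepted for authentication, so a blank password succeeds.
    if acct.nt_hash is None and password == "":
        return True
    return verify_intended(acct, password)

def audit_null_nt(accounts: List[Account]) -> List[str]:
    # Accounts exposed on SP4: LM hash present, NT hash null.
    return [a.name for a in accounts if a.nt_hash is None and a.lm_hash is not None]

def demo() -> List[Account]:
    # Constructed sample accounts: one changed from NT, one from a Mac.
    alice, bob = Account("alice"), Account("bob")
    change_password(alice, "Winter99", "nt")
    change_password(bob, "Spring99", "macintosh")
    return [alice, bob]
```

Accounts the audit flags return to the safe state once the password is changed again from a Windows NT, Windows 95 or Windows 98 client, since that path writes both hash forms.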
