One of the two patches released by Microsoft for the month of November addresses a vulnerability first reported in 2001 by Josh Buchbinder, better known as Sir Dystic of the Cult of the Dead Cow (cDc). He found a vulnerability in Microsoft operating systems that enables an attacker to gain complete access to a user's computer, and he wrote a utility, SMBRelay (and its NetBIOS-bound brother, SMBRelay2), which demonstrates the flaw. Employing man-in-the-middle tactics, the program receives a connection on port 139, connects back to the connecting computer's port 139, and relays the packets between the client and server of the connecting Windows machine, modifying them when necessary. On top of that, SMBRelay collects the NTLM password hashes and saves them to a file readable by L0phtCrack for cracking.
Apparently it took Microsoft 7 years to finally address this vulnerability, as mentioned here. According to this article, exploit code for this flaw is already available on the internet; in fact, Metasploit has a working PoC exploit that runs under the 'sploit framework.
The released patch, although given a criticality rating of only "Important" (whereas MS08-069 was rated "Critical"), is the more interesting of the two, given that it fixes a 7-year-old flaw.
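A detection heuristic for the connect-back pattern described above, added here as an example; it is not part of the original post or of the SMBRelay tool. It assumes a connection log in the constructed form shown, and the hosts, timestamps and the 192.1.1.1 address (SMBRelay's documented default relay IP) are made up for the example; the actual mitigation for relaying is SMB signing, which this script does not check.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed connection-log lines for this example (not real traffic):
# "<ISO time> <src_ip>:<src_port> -> <dst_ip>:<dst_port>"
SAMPLE_LOG = """\
2008-11-12T10:00:01 10.0.0.5:1034 -> 10.0.0.9:139
2008-11-12T10:00:02 192.1.1.1:1101 -> 10.0.0.5:139
2008-11-12T10:00:05 10.0.0.7:1040 -> 10.0.0.20:139
2008-11-12T10:00:09 10.0.0.3:1050 -> 10.0.0.20:139
2008-11-12T10:05:00 10.0.0.20:2000 -> 10.0.0.7:445
"""

def parse_line(line):
    """Split one log line into (timestamp, src_ip, dst_ip, dst_port)."""
    ts, src, _arrow, dst = line.split()
    src_ip, _ = src.rsplit(":", 1)
    dst_ip, dst_port = dst.rsplit(":", 1)
    return datetime.fromisoformat(ts), src_ip, dst_ip, int(dst_port)

def find_connect_backs(log_text, window_seconds=30, smb_ports=(139, 445)):
    """Return (client, server, connect_back_src, seconds) tuples.

    A hit is an outbound SMB connection from `client` to `server` followed,
    within `window_seconds`, by an inbound SMB connection to `client`. That is
    the connect-back SMBRelay performs after accepting a client's connection.
    `connect_back_src` may equal `server` or be another address (the usage text
    shows SMBRelay adding relay IPs to its NIC), so both cases are reported.
    """
    window = timedelta(seconds=window_seconds)
    outbound = defaultdict(list)   # client_ip -> [(timestamp, server_ip)]
    hits = []
    for line in log_text.splitlines():
        ts, src, dst, port = parse_line(line)
        if port not in smb_ports:
            continue
        # Any earlier outbound SMB connection from `dst` makes this a candidate.
        for earlier_ts, server in outbound[dst]:
            delta = ts - earlier_ts
            if timedelta(0) <= delta <= window:
                hits.append((dst, server, src, delta.total_seconds()))
        outbound[src].append((ts, dst))
    return hits

if __name__ == "__main__":
    for client, server, back_src, secs in find_connect_backs(SAMPLE_LOG):
        print(f"possible SMB relay: {client} connected to {server}, then "
              f"received an SMB connection from {back_src} {secs:.0f}s later")
```

On a file server that legitimately makes and receives SMB connections this will be noisy; the pattern is most meaningful for workstations, which rarely accept an inbound SMB connection seconds after making one.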
Going back to the SMBRelay tool, here are the switches and parameters it accepts:
Usage: smbrelay [options]
Options:
    /D num     - Set debug level, current valid levels: 0 (none), 1, 2 (Default is 0)
    /E         - Enumerates interfaces and their indexes
    /IL num    - Set the interface index to use when adding local IP addresses
    /IR num    - Set the interface index to use when adding relay IP addresses
                 Defaults to 1. Use /E to display the adapter indexes
    /L[+] IP   - Set the local IP to listen on for incoming NetBIOS connections
                 Use + to first add the IP address to the NIC
                 Defaults to primary host IP
    /R[-] IP   - Set the starting relay IP address to use
                 Use - to NOT first add each relay IP address to the NIC
                 Defaults to 192.1.1.1
    /S name    - Set the source machine name
                 Defaults to CDC4EVER
SMBRelay2, on the other hand, has the following switches and parameters:
SMBRelay2 [Options]
Options:
    /A LanaNum     - Use LanaNum
                     Defaults to 0
    /D DebugLevel  - Level of debug messages, valid levels 0 - 3
                     Defaults to 0
    /L LocalName   - Listen for primary connection on LocalName
                     Defaults to SERVER
    /R RelayName   - Listen for relay connection on RelayName
                     Defaults to RELAY
    /S SourceName  - Use SourceName when connecting to target
                     Defaults to CDC4EVER
    /T TargetName  - Connect to TargetName for relay
                     Defaults to connecting back to client