NT Subject to User Session Key Reuse

 
Reported June 5 by
Luke Kenneth Casson Leighton

VERSIONS AFFECTED
Windows NT 4.0

DESCRIPTION

When an administrator uses USRMGR.EXE or SRVMGR.EXE to remotely add users or workstations to a domain, or changes a user's password, the tool sends an encrypted 516-byte password block over the network. The data block can be intercepted and systematically taken apart to reveal a User Session Key, which can then be used to decrypt further communication intercepted between the administrator and the domain controllers. For example, if an administrator changes a user's password remotely, that password could be decrypted to reveal the clear text version using the captured User Session Key.

VENDOR RESPONSE

Microsoft is aware of this matter; however, no response was known at the time of this writing.

CREDITS
Discovered and reported by Luke Kenneth Casson Leighton
