VERSIONS AFFECTED
Internet Explorer 2.x/3.x running on Windows NT 3.51 / 4.0
DESCRIPTION
A new problem discovered in MS Internet Explorer shows that NT transparently negotiates an authentication attempt with a remote Web server any time that remote server requests an NTLM authentication process. During that process, Internet Explorer will transmit your user name, password, NT domain or workgroup name, and hostname.
Take note here that during this negotiation process, two versions of the user password are transmitted. One is the full length password and the other represents the first 14 characters of the password, transformed in to upper case letters. This fact alone is a GREAT argument for longer passwords - longer that 14 chars that is.
IE clients cannot detect whether or not this negotiation process is taking place, which makes it incredibly difficult to anticipate. Furthermore, IE can't determine what server it's talking to -- that is to say, it doesn't know if the server is a valid system to negotiation with -- which means it could be a rogue system. A server could preplan an attack by precomputing a giant database of potential passwords, which can be used for comparison.
This is NOT an SMB issue, this is an NTLM issue.
EXAMPLE
The example is on the page where this was first announced. Please click here to jump to the original page.
SOLUTION
You can protect yourself right now
by stopping the NTLM SSP service, and disabling it. You may do this using Control Panel | Services, but keep in mind this may adversely affect the operation of the NT system - we take no responsibility.
Microsoft knows about this problem, and is looking in to it as of March 14, 1997. Watch
Credits
- Discovered by Paul
Ashton, with some suggestions by Craig H. Rowland
- Originally posted at http://www.efsl.com/security.
Posted on The NT Shop on March 14, 1997 - 11pm
0315 -