Authentication under Windows: A smouldering security problem
Speaking at the USENIX conference, which ended last week, developer Marsh Ray drew attention to an old, well-known and still underestimated flaw in the Windows world: authentication mechanisms built on NTLM, NTLMv2 included, are often insecure in practice. An attacker who can get into the path of a log-in can forward the credentials exchanged during authentication and use them to log into servers in the victim's name, without knowing the password. The weakness is one of protocol design rather than of the cryptography: NTLMv2 never sends the password over the wire, only a challenge-response value derived from the password hash, but nothing ties that response to the server the client believes it is talking to. The exchange can therefore be passed on to another server ("relay", commonly described as a replay attack) or sent back to the client's own machine ("reflection"). Strictly speaking the attack relays a live exchange rather than replaying a recorded one: every server issues a fresh challenge, so a captured response is of little use on its own, but a response forwarded while the victim is still waiting is accepted.
In a relay attack the attacker gains access to a server in the victim's name. SMB reflection needs even less: the operator of a specially crafted SMB server takes the challenge-response exchange of a client that is trying to log into the rogue server and sends it back to that client's own machine, so the victim's credentials are used to authenticate to the victim's own PC. This gives the attacker access to the victim's PC and lets them execute programs there. For the attack to succeed, ports 139 and 445 must be reachable on the victim's machine, which is the case, for instance, when file and printer sharing are enabled on a local network.
Microsoft released patches for this particular SMB reflection vulnerability at the end of 2008, added another patch covering WinHTTP in early 2009 and subsequently released patches for WinINet and Telnet as well. The vendor nevertheless took seven years to address the problem: an earlier patch would have broken a great many network applications of the time.
Numerous other scenarios remain unpatched, especially where non-Microsoft products are involved. Marsh Ray said that affected products include WebKit and Firefox, which use NTLM for tasks such as proxy authentication and web page log-ins. An attempt by Mozilla to prevent replay attacks in Firefox caused NTLM authentication against proxies to malfunction earlier this year.
While Ray did not confirm having tested an actual attack, he did point out to The H's associates at heise Security that NTLMv2 is used, for instance, when Outlook Web Access is combined with Internet Information Server (IIS). Ray said that when users log into their email accounts over a public Wi-Fi network, an attacker on that network can potentially use the credentials exchanged to log in themselves. Many VPN and single sign-on solutions apparently also support NTLM authentication.
In a guest editorial at ZDNet, Ray expressed his concern that very few people understand the true scope of the problem. In the researcher's opinion, only some vendors' penetration testers and developers, and a few hackers, have fully grasped the consequences. Ray said that the only remedies currently available are to switch to other authentication protocols, such as Kerberos, or to enable additional protections such as SMB signing, which binds each message to a key that only the genuine client and server can derive.
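As an added example (not code from the article, from Ray's talk or from Microsoft), the following Python models the exchange described above and the SMB-signing remedy: a live relay of the victim's NTLMv2 challenge-response to a target server (the same flow aimed at the victim's own machine is the SMB reflection case), an attempted replay of a recorded response, and a target that requires signing. The account name, domain, password and FILETIME value are constructed lab values; the message framing, the empty AV-pair list and the HMAC-MD5 "signature" are simplifications of NTLMSSP and SMB signing, while MD4, NTOWFv2, NTProofStr and SessionBaseKey follow MS-NLMP.

```python
"""NTLMv2 challenge-response: relayed live (succeeds), replayed later (fails),
relayed to a server that requires signing (authenticates, but cannot be used).
Added example, not from the article. Simplified: raw fields instead of
NTLMSSP/SMB packets, empty AV pairs, HMAC-MD5 standing in for SMB signing."""
import hmac
import os
import struct

MASK = 0xFFFFFFFF


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320); hashlib often lacks md4 on OpenSSL 3."""
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    rotl = lambda x, n: (((x & MASK) << n) | ((x & MASK) >> (32 - n))) & MASK
    msg = bytearray(data) + b"\x80"
    while len(msg) % 64 != 56:
        msg.append(0)
    msg += struct.pack("<Q", len(data) * 8)
    A, B, C, D = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    k2 = [(i % 4) * 4 + i // 4 for i in range(16)]
    k3 = [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15]
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = A, B, C, D
        for i in range(16):
            a, b, c, d = d, rotl(a + F(b, c, d) + X[i], (3, 7, 11, 19)[i % 4]), b, c
        for i in range(16):
            a, b, c, d = d, rotl(a + G(b, c, d) + X[k2[i]] + 0x5A827999, (3, 5, 9, 13)[i % 4]), b, c
        for i in range(16):
            a, b, c, d = d, rotl(a + H(b, c, d) + X[k3[i]] + 0x6ED9EBA1, (3, 9, 11, 15)[i % 4]), b, c
        A, B, C, D = (A + a) & MASK, (B + b) & MASK, (C + c) & MASK, (D + d) & MASK
    return struct.pack("<4I", A, B, C, D)


def nt_hash(password: str) -> bytes:
    return md4(password.encode("utf-16le"))


def ntowf_v2(password: str, user: str, domain: str) -> bytes:
    """ResponseKeyNT (MS-NLMP 3.3.2): what the server side holds, never the password."""
    return hmac.new(nt_hash(password), (user.upper() + domain).encode("utf-16le"), "md5").digest()


def ntlmv2_response(key: bytes, server_challenge: bytes, client_challenge: bytes, filetime: int):
    """Returns (NtChallengeResponse, SessionBaseKey). The proof covers the SERVER's challenge."""
    temp = b"\x01\x01" + bytes(6) + struct.pack("<Q", filetime) + client_challenge + bytes(8)
    proof = hmac.new(key, server_challenge + temp, "md5").digest()
    return proof + temp, hmac.new(key, proof, "md5").digest()


class Server:
    """Target SMB server; knows the user's NTOWFv2 key (via the DC in reality)."""
    def __init__(self, key: bytes, require_signing: bool):
        self.key, self.require_signing = key, require_signing
        self.pending, self.authed = {}, {}  # sid -> challenge, sid -> SessionBaseKey

    def challenge(self):
        sid, chal = os.urandom(4).hex(), os.urandom(8)  # fresh 8-byte challenge per connection
        self.pending[sid] = chal
        return sid, chal

    def authenticate(self, sid: str, response: bytes) -> bool:
        chal, proof, temp = self.pending.pop(sid, None), response[:16], response[16:]
        if chal is None or not hmac.compare_digest(proof, hmac.new(self.key, chal + temp, "md5").digest()):
            return False
        self.authed[sid] = hmac.new(self.key, proof, "md5").digest()  # same key the real client derives
        return True

    def execute(self, sid: str, command: bytes, signature: bytes):
        """With signing required, each request must carry a MAC under the session key."""
        key = self.authed.get(sid)
        if key is None:
            return None
        if self.require_signing and not hmac.compare_digest(signature, hmac.new(key, command, "md5").digest()):
            return None
        return b"ran:" + command


class Client:
    """Victim workstation: the only party that knows the password."""
    def __init__(self, user: str, domain: str, password: str):
        self.key, self.session_key = ntowf_v2(password, user, domain), None

    def authenticate(self, server_challenge: bytes) -> bytes:
        resp, self.session_key = ntlmv2_response(self.key, server_challenge, os.urandom(8), 132255000000000000)
        return resp  # FILETIME above is a constructed constant


def relay_attack(victim: Client, target: Server, command: bytes):
    """Attacker's rogue SMB server forwards the victim's live exchange to `target`.
    For SMB reflection, `target` is the victim's own machine."""
    sid, chal = target.challenge()               # attacker opens its own connection to the target
    response = victim.authenticate(chal)         # target's challenge is handed to the victim as the rogue's
    authed = target.authenticate(sid, response)  # victim's answer is forwarded; target accepts it
    bogus_sig = hmac.new(b"", command, "md5").digest()  # attacker never learns the session key
    return authed, target.execute(sid, command, bogus_sig), response


def replay_attack(target: Server, captured: bytes) -> bool:
    """A recorded response against a new connection: the challenge differs, the proof fails."""
    sid, _ = target.challenge()
    return target.authenticate(sid, captured)


def demo():
    user, domain, password, cmd = "alice", "CORP", "password", b"exec payload.exe"  # constructed values
    victim, key = Client(user, domain, password), ntowf_v2(password, user, domain)
    fileserver, hardened = Server(key, require_signing=False), Server(key, require_signing=True)
    authed, ran, captured = relay_attack(victim, fileserver, cmd)
    out = {"relay_unsigned": (authed, ran)}                   # (True, b'ran:exec payload.exe')
    out["replay"] = replay_attack(fileserver, captured)       # False
    out["relay_signed"] = relay_attack(victim, hardened, cmd)[:2]  # (True, None): accepted, unusable
    sid, chal = hardened.challenge()                          # legitimate client, for comparison
    hardened.authenticate(sid, victim.authenticate(chal))
    out["legit_signed"] = hardened.execute(sid, cmd, hmac.new(victim.session_key, cmd, "md5").digest())
    return out


if __name__ == "__main__":
    print(demo())
```

The point the model makes explicit: the target's `authenticate` returns `True` for the relayed response even though the attacker never held the password or its hash, because the proof was computed over the target's own challenge by the victim. What the attacker cannot produce is the SessionBaseKey, which both ends derive from the NTOWFv2 key and the proof; requiring a signature under that key on every request (`require_signing=True`) leaves the relayed log-in intact but makes the session useless, which is exactly why SMB signing is the mitigation named above, while the replay of a captured response fails on its own because the second connection gets a fresh challenge.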