Credit:
The information has been provided by Hernan Ochoa.
The original article can be found at: http://www.hexale.org/advisories/OCHOA-2010-0209.txt
Vulnerable Systems:
* Windows 2000 SP4
* Windows XP SP2 and SP3
* Windows XP Professional x64 Edition SP2
* Windows Server 2003 SP2
* Windows Server 2003 x64 Edition SP2
* Windows Server 2003 SP2 for Itanium-based systems
* Windows Vista
* Windows Vista SP1
* Windows Vista SP2
* Windows Vista x64 Edition
* Windows Vista x64 Edition SP1
* Windows Vista x64 Edition SP2
* Windows Server 2008 x32
* Windows Server 2008 x32 SP2
* Windows Server 2008 x64 SP2
* Windows Server 2008 for Itanium-based systems
* Windows Server 2008 for Itanium-based systems SP2
* Windows 7 x32
Given that Windows NT 4 was released in ~1996, this vulnerability has been present for ~14 years. If it is confirmed that this vulnerability is also present in older systems such as Windows NT 3.1, released in ~1993, the Windows NTLMv1 authentication mechanism could have been vulnerable for ~17+ years.
Details:
Flaws in Microsoft's implementation of the NTLM challenge-response authentication protocol cause the SMB server to issue duplicate challenges (nonces) and leak information. Together these allow an unauthenticated remote attacker, without credentials of any kind, to access the SMB service of the target system under the identity of an authorized user. Depending on the privileges of that user and the configuration of the remote system, the attacker can read and modify files on the target's file system and execute arbitrary code by using DCE/RPC over SMB.
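The following Python is an added illustration, not part of the advisory, Ochoa's tooling, or Windows code. It models the one property the advisory turns on: in a challenge-response logon, the server's challenge is the only thing that stops a captured response from being replayed, so a server that ever re-issues a challenge lets an attacker who holds one (challenge, response) pair, and no password or hash, log on by reconnecting until that challenge comes around again. Several things are assumptions of the model: HMAC-MD5 stands in for the real NTLM response computation (NTLMv1 uses DES over the NT hash), the weak generator is a deliberately tiny deterministic pool rather than the actual Windows generator, and the attacker is simply handed one legitimate exchange; how the real attack obtains a response and what the information leak provides are not modelled.

```python
import hashlib
import hmac
import os
import random


def nt_response(secret: bytes, challenge: bytes) -> bytes:
    # ASSUMPTION: HMAC-MD5 stands in for the real NTLM response computation.
    # Only the challenge handling matters for this model.
    return hmac.new(secret, challenge, hashlib.md5).digest()


class ChallengeResponseServer:
    """One user account, one outstanding challenge per connection (simplified)."""

    def __init__(self, user_secret: bytes, challenge_source):
        self._secret = user_secret
        self._next_challenge = challenge_source
        self._pending = None

    def negotiate(self) -> bytes:
        """Negotiate step: hand the client the challenge for this connection."""
        self._pending = self._next_challenge()
        return self._pending

    def authenticate(self, response: bytes) -> bool:
        """Accept only a response computed over the challenge issued to this connection."""
        challenge, self._pending = self._pending, None
        if challenge is None:
            return False
        return hmac.compare_digest(nt_response(self._secret, challenge), response)


def strong_challenge_source() -> bytes:
    # 64 bits from the OS CSPRNG: no repeat is expected in any practical number of logons.
    return os.urandom(8)


def weak_challenge_source(seed: int = 1, bits: int = 4):
    # ASSUMPTION: a tiny deterministic pool (2**bits values) models a generator that
    # repeats challenges. It is not the Windows generator; it is small so the repeat
    # shows up after a handful of connections.
    rng = random.Random(seed)

    def draw() -> bytes:
        return rng.getrandbits(bits).to_bytes(8, "big")

    return draw


def legitimate_logon(server, user_secret: bytes):
    """A real user's exchange; returns (challenge, response) as an observer would see it."""
    challenge = server.negotiate()
    response = nt_response(user_secret, challenge)
    if not server.authenticate(response):
        raise RuntimeError("legitimate logon must succeed")
    return challenge, response


def replay_attack(server, captured, max_connections: int):
    """Attacker holds one captured (challenge, response) pair and no secret.

    Reconnects repeatedly; when the server re-issues the captured challenge, the
    captured response is replayed. Returns the connection number on which the
    logon succeeded, or None if the challenge never repeated within the budget.
    """
    seen_challenge, seen_response = captured
    for n in range(1, max_connections + 1):
        if server.negotiate() == seen_challenge and server.authenticate(seen_response):
            return n
        # Different nonce: drop the connection, there is nothing to replay against it.
    return None


def duplicate_count(challenge_source, samples: int) -> int:
    """Quick health check on a challenge generator: repeats seen in `samples` draws."""
    seen, dups = set(), 0
    for _ in range(samples):
        c = challenge_source()
        if c in seen:
            dups += 1
        seen.add(c)
    return dups


if __name__ == "__main__":
    secret = b"constructed stand-in for the user's NT hash"  # constructed sample input
    weak = ChallengeResponseServer(secret, weak_challenge_source())
    print("weak generator: replay logged on at connection",
          replay_attack(weak, legitimate_logon(weak, secret), 200))
    strong = ChallengeResponseServer(secret, strong_challenge_source)
    print("strong generator: replay result after 1000 connections:",
          replay_attack(strong, legitimate_logon(strong, secret), 1000))
```

The attacker never computes a response; it only waits for the nonce to recur, which is why the fix belongs in challenge generation and not in the response algorithm. `duplicate_count` is the kind of check a practitioner can run against any challenge source before trusting it.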
Patch Availability:
Microsoft has issued an update to correct this vulnerability. More details can be found at the following URL:
http://www.microsoft.com/technet/security/bulletin/ms10-012.mspx
CVE Information:
CVE-2010-0231
Disclosure Timeline:
2010-02-09: Coordinated release