A security vulnerability in a mixed environment of Windows 2000, NT, and 9x causes a password's effective strength to decrease exponentially. The decrease occurs because backward compatibility with the older LM-style authentication forces a more limited character set: uppercase and lowercase characters are treated as the same character.
Credit:
The information has been provided by Ron Ray.
Scenario:
You have a 12-character password in your Windows 2000 domain that alternates between capital and lowercase letters. When you log on from your Windows 2000 Professional workstation, the password must be typed exactly. One day you use a Windows 98 client in another department and type your password with the Caps Lock key down, and it still logs you onto the network, even though you expected the alternating upper- and lowercase characters to be required.
Overview:
When a user account's password is set on Windows 2000 Advanced Server (which is also your domain controller running Active Directory) and a case-sensitive password such as "HeLLo" is used, only a Windows 2000 client must type the password exactly as it was set (on a default installation with all service packs and patches applied).
The problem is that most people assume the password must be entered exactly that way, since NT and 2000 passwords are case sensitive. If a Windows 9x computer is used to log onto the domain, a password of "HELLO" or "hello" will both be validated by the domain controller. The user is therefore tricked into believing the password is more secure than it is.
When a password of 15 characters or longer is used, the Windows 9x client cannot log on but a Windows 2000 client can, because the Windows 9x logon dialog accepts at most 14 characters. If the password is 14 characters or fewer, the problem is present.
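To make the exponential decrease concrete, the following Python is an added example (not part of the advisory) that models the LM preprocessing the advisory describes: uppercase folding, the 14-character limit, and the split into two 7-byte DES keys. The DES step itself is omitted, since identical inputs give identical hashes, and the character-class sizes used for the strength estimate are assumptions.

```python
import math

LM_MAX_LEN = 14   # passwords longer than this get no LM hash at all
LM_HALF_LEN = 7   # LM splits the padded password into two 7-byte DES keys


def lm_des_inputs(password):
    """Return the two 7-byte halves LM feeds to DES, or None when the
    password exceeds 14 characters and therefore has no LM hash."""
    if len(password) > LM_MAX_LEN:
        return None
    # LM upper-cases the password (ASCII assumed here; real LM uses the OEM
    # code page) and NUL-pads it to exactly 14 bytes before splitting it.
    data = password.upper().encode("ascii", "replace").ljust(LM_MAX_LEN, b"\x00")
    return data[:LM_HALF_LEN], data[LM_HALF_LEN:]


def lm_equivalent(p1, p2):
    """True when the two passwords are indistinguishable to an LM-only client."""
    a, b = lm_des_inputs(p1), lm_des_inputs(p2)
    return a is not None and a == b


def _alphabet_size(password, case_folded):
    """Characters a guesser must cover; assumed class sizes: 26/26/10/32."""
    lower = any(c.islower() for c in password)
    upper = any(c.isupper() for c in password)
    if case_folded:
        size = 26 if (lower or upper) else 0   # both cases collapse into one
    else:
        size = 26 * lower + 26 * upper
    size += 10 * any(c.isdigit() for c in password)
    size += 32 * any(not c.isalnum() for c in password)
    return size


def effective_bits(password, lm_stored):
    """log2 of the search space. With an LM hash present the two 7-character
    halves can be checked independently, so the cost is the SUM of two small
    searches instead of one search over the whole password."""
    if not password:
        return 0.0
    if lm_stored and lm_des_inputs(password) is not None:
        n = _alphabet_size(password, case_folded=True)
        first = min(len(password), LM_HALF_LEN)
        second = max(len(password) - LM_HALF_LEN, 0)
        return math.log2(n ** first + (n ** second if second else 0))
    n = _alphabet_size(password, case_folded=False)
    return len(password) * math.log2(n)
```

For the 12-letter mixed-case password from the scenario, the estimate drops from roughly 68 bits to roughly 33 bits once the LM hash is stored, and a 15-character password is unaffected because no LM hash exists for it.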
Workaround:
Require all clients in your Windows 2000 network to use NTLM2 authentication. A detailed example is in Knowledge Base article Q239869, located at http://support.microsoft.com/default.aspx?scid=kb;EN-US;q239869
Solution:
The next step should be to make sure that clients do not even attempt to transmit LM (LAN Manager) password responses. Knowledge Base article Q147706, located at http://support.microsoft.com/default.aspx?scid=kb;en-us;Q147706, details how to do this on Windows NT.