DATE:  
COMMAND                                            SOURCE: 
                                                   AUTHOR: 
  SMB


SYSTEMS AFFECTED

  Win NT 3.5, 3.51, 4.0

  

PROBLEM


    This text is a compilation of papers found at Bill Stout's former NT
    page and www.ntshop.com/security.



    SMB sessions can be hijacked. Having the correct frame numbers at
    the transport level, the correct TID at the redirector level, and
    the correct UID at the server level allows you to impersonate an
    administrator or other user.



    Regedit/regedt32 and other RPCs which use named pipes also use SMB
    UIDs for authentication and can be taken over via this method.



    This requires an application that combines a sequence attack with
    UID/TID spoofing.
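    Added example, not part of the original advisory: a Python parser for
    the 32-byte SMB/CIFS header (the TID and UID fields the text refers
    to) plus a simple detection check that flags a UID/TID pair reused
    from a different client address than the one first seen using it.
    The sample frames, addresses and the first-request binding rule are
    constructed assumptions for illustration.

```python
# Added example (not from the advisory): parse the 32-byte SMB/CIFS header and
# flag frames whose server-assigned UID is reused from a different client
# address, the identifier-level reuse the advisory describes. All frames below
# are constructed sample data.
import struct
from collections import namedtuple

SMB_HEADER = struct.Struct("<4sBIBHH8sHHHHH")   # 32-byte CIFS header, little-endian
SmbHeader = namedtuple("SmbHeader", "command status flags flags2 pid_high "
                                    "signature reserved tid pid_low uid mid")
SESSION_SETUP_ANDX, TREE_CONNECT_ANDX, READ_ANDX = 0x73, 0x75, 0x2E

def parse_smb_header(data):
    """Return the header fields; raises ValueError on a short or non-SMB frame."""
    if len(data) < SMB_HEADER.size:
        raise ValueError("frame shorter than an SMB header")
    fields = SMB_HEADER.unpack_from(data)
    if fields[0] != b"\xffSMB":
        raise ValueError("missing \\xffSMB protocol signature")
    return SmbHeader(*fields[1:])

def build_header(command, tid, uid, mid=1):
    """Constructed request header for the sample trace (flags cleared, unsigned)."""
    return SMB_HEADER.pack(b"\xffSMB", command, 0, 0, 0, 0, b"\0" * 8, 0, tid, 0, uid, mid)

def find_uid_reuse(frames):
    """frames: (client_ip, server_ip, raw_bytes). Binds each (server, uid) to the
    first client seen using it and reports later frames that present the same
    UID from another client. Assumption: a real detector would bind on the
    server's SESSION_SETUP_ANDX reply, where the UID is actually assigned."""
    owner, alerts = {}, []
    for client, server, raw in frames:
        hdr = parse_smb_header(raw)
        if hdr.uid == 0:            # UID 0: session not yet set up, nothing to bind
            continue
        bound = owner.setdefault((server, hdr.uid), client)
        if bound != client:
            alerts.append((client, server, hdr.uid, hdr.tid, hdr.command))
    return alerts

TRACE = [  # constructed: 10.0.0.5 logs on, connects a share and reads; 10.0.0.99 reuses the ids
    ("10.0.0.5", "10.0.0.1", build_header(SESSION_SETUP_ANDX, 0, 0)),
    ("10.0.0.5", "10.0.0.1", build_header(TREE_CONNECT_ANDX, 0, 0x0801)),
    ("10.0.0.5", "10.0.0.1", build_header(READ_ANDX, 0x0002, 0x0801)),
    ("10.0.0.99", "10.0.0.1", build_header(READ_ANDX, 0x0002, 0x0801)),
]

if __name__ == "__main__":
    for client, server, uid, tid, cmd in find_uid_reuse(TRACE):
        print("UID %#06x / TID %#06x on %s reused from %s (command %#04x)"
              % (uid, tid, server, client, cmd))
```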



    For verification check:

        http://www.microsoft.com/kb/articles/q102/7/20.htm
        (last paragraph)

        ftp://ietf.cnri.reston.va.us/internet-drafts/draft-heizer-cifs-v1-spec-00.txt
        (search page for '8.5.1')





EXPLOIT

  

SOLUTION


    I don't know (yet). Neither does Microsoft (I guess).