DATE:
COMMAND:
SOURCE:
AUTHOR:

SMB

SYSTEMS AFFECTED: Win NT 3.5, 3.51, 4.0

PROBLEM

This text is a compilation of papers found at Bill Stout's ex NT page and www.ntshop.com/security.

SMB sessions can be hijacked. Having the correct frame numbers at the transport level, the correct TID at the redirector level, and the correct UID at the server level allows you to impersonate an administrator or other user. Regedit/regedt32 and other RPCs which use named pipes also use SMB UIDs for authentication and can be taken over via this method. This requires the use of an application that combines a sequence attack with UID/TID spoofing.

For verification check:
http://www.microsoft.com/kb/articles/q102/7/20.htm (last paragraph)
ftp://ietf.cnri.reston.va.us/internet-drafts/draft-heizer-cifs-v1-spec-00.txt (search page for '8.5.1')

EXPLOIT

SOLUTION

I don't know (yet). Microsoft either (I guess).
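The PROBLEM section above turns on the fact that the SMB header carries the UID and TID in the clear, so a message that presents a valid UID/TID pair is accepted as coming from the user that pair was issued to. The following is an added example (not code from the original advisory or from either of the referenced sources): a small parser for the 32-byte SMB1 header as laid out in the CIFS draft, plus a passive tracker that records which client endpoint the server issued each UID to in a SESSION_SETUP_ANDX reply and flags any later request that presents that UID from a different endpoint, or a UID for which no session setup was observed. The frames and endpoint addresses in SAMPLE_CAPTURE are constructed for the example; the helper names (parse_smb_header, SmbUidTracker, build_frame, run) are the example's own, not those of any real tool.

```python
"""Added example: SMB1 header parsing and a UID-reuse detector.

All packets below are constructed inline for the example; nothing here is
captured traffic, and the helper names are this example's own.
"""
import struct

# SMB1 header (32 bytes, little-endian): magic, command, status, flags, flags2,
# pid_high, security signature, reserved, tid, pid_low, uid, mid.
SMB_HDR = struct.Struct("<4sBIBHH8sHHHHH")
SMB_MAGIC = b"\xffSMB"
FLAG_REPLY = 0x80  # header Flags bit set on server -> client messages

SMB_COM_READ_ANDX = 0x2E
SMB_COM_SESSION_SETUP_ANDX = 0x73
SMB_COM_LOGOFF_ANDX = 0x74
SMB_COM_TREE_CONNECT_ANDX = 0x75


def parse_smb_header(frame: bytes) -> dict:
    """Parse a NetBIOS-session-framed SMB1 message and return its header fields."""
    if len(frame) < 4 + SMB_HDR.size:
        raise ValueError("frame too short for NetBIOS + SMB header")
    nb_type, nb_len = frame[0], int.from_bytes(frame[1:4], "big")
    if nb_type != 0x00:  # 0x00 = NetBIOS session message
        raise ValueError("not a NetBIOS session message")
    (magic, command, status, flags, _flags2, pid_high, _sig,
     _reserved, tid, pid_low, uid, mid) = SMB_HDR.unpack_from(frame, 4)
    if magic != SMB_MAGIC:
        raise ValueError("bad SMB magic")
    return {
        "command": command,
        "status": status,
        "is_reply": bool(flags & FLAG_REPLY),
        "tid": tid,
        "pid": (pid_high << 16) | pid_low,
        "uid": uid,
        "mid": mid,
        "payload_len": nb_len,
    }


class SmbUidTracker:
    """Bind each (server, UID) to the client endpoint it was issued to and
    report requests that present that UID from somewhere else."""

    def __init__(self):
        self.owner = {}   # (server_endpoint, uid) -> client_endpoint
        self.alerts = []

    def observe(self, src, dst, frame):
        h = parse_smb_header(frame)
        if h["is_reply"]:
            # Server -> client. A successful SESSION_SETUP_ANDX reply assigns the UID.
            if h["command"] == SMB_COM_SESSION_SETUP_ANDX and h["status"] == 0:
                self.owner[(src, h["uid"])] = dst
            elif h["command"] == SMB_COM_LOGOFF_ANDX and h["status"] == 0:
                self.owner.pop((src, h["uid"]), None)
            return None
        if h["command"] == SMB_COM_SESSION_SETUP_ANDX:
            return None  # request carries UID 0; nothing has been assigned yet
        key = (dst, h["uid"])
        if key not in self.owner:
            # Also fires when the capture began mid-session; tune to your visibility.
            alert = f"UID {h['uid']:#06x} used toward {dst} by {src} with no observed session setup"
        elif self.owner[key] != src:
            alert = f"UID {h['uid']:#06x} issued to {self.owner[key]} reused by {src} (possible session hijack)"
        else:
            return None
        self.alerts.append(alert)
        return alert


def build_frame(command, flags, tid, uid, mid=1, status=0, pid=0x1234):
    """Construct a NetBIOS-framed SMB1 header with an empty body (test data only)."""
    hdr = SMB_HDR.pack(SMB_MAGIC, command, status, flags, 0, pid >> 16,
                       b"\0" * 8, 0, tid, pid & 0xFFFF, uid, mid)
    return b"\x00" + len(hdr).to_bytes(3, "big") + hdr


# Constructed capture: a normal session from CLIENT, then a second endpoint
# presenting the same UID/TID without ever having authenticated.
CLIENT, ROGUE, SERVER = "10.0.0.5:1035", "10.0.0.99:1040", "10.0.0.1:139"
SAMPLE_CAPTURE = [
    (CLIENT, SERVER, build_frame(SMB_COM_SESSION_SETUP_ANDX, 0, 0, 0)),
    (SERVER, CLIENT, build_frame(SMB_COM_SESSION_SETUP_ANDX, FLAG_REPLY, 0, 0x0801)),
    (CLIENT, SERVER, build_frame(SMB_COM_TREE_CONNECT_ANDX, 0, 0, 0x0801)),
    (SERVER, CLIENT, build_frame(SMB_COM_TREE_CONNECT_ANDX, FLAG_REPLY, 0x0001, 0x0801)),
    (CLIENT, SERVER, build_frame(SMB_COM_READ_ANDX, 0, 0x0001, 0x0801)),
    (ROGUE, SERVER, build_frame(SMB_COM_READ_ANDX, 0, 0x0001, 0x0801)),
]


def run(capture):
    """Feed (src, dst, frame) tuples through the tracker; return the alerts raised."""
    tracker = SmbUidTracker()
    for src, dst, frame in capture:
        tracker.observe(src, dst, frame)
    return tracker.alerts


if __name__ == "__main__":
    for line in run(SAMPLE_CAPTURE):
        print(line)
```

The tracker keys on transport endpoints, so it catches the case where an injected request arrives on a connection other than the one the UID was issued to. It is blind by construction to the full attack the advisory describes, where the transport-level frame numbers are also forged so the request appears to come from the legitimate client's own endpoint; an endpoint check cannot distinguish that, which is why the real fix is to bind each message cryptographically to the session (SMB signing) rather than to trust cleartext UID/TID values.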