NT Versions Affected:

3.5, 3.51, 4.0

---------------------------------------------------------------------------

Problem:

SMB sessions can be hijacked. Having the correct frame numbers at the
transport level, the correct TID at the redirector level, and the correct
UID at the server level allow you to impersonate an administrator or other
user.

Regedit/regedt32 and other RPCs which use named pipes also use SMB UIDs for
authentication and can be taken over via this method.

This requires the use of an appliction that combines a combination of
Sequence attack and UID/TID spoofing.

---------------------------------------------------------------------------

Verification:

http://www.microsoft.com/kb/articles/q102/7/20.htm (last paragraph)

ftp://ietf.cnri.reston.va.us/internet-drafts/draft-heizer-cifs-v1-spec-00.txt
(search page for '8.5.1')



---------------------------------------------------------------------------
[Known NT Exploits]