Authen::NTLM and MS04-011

 
 
Kevin Collins
      04-23-2004
Hi,

We have just started installing Microsoft critical patch MS04-011
(http://www.microsoft.com/technet/sec.../ms04-011.mspx) on our Win2k
servers. We have a CGI script that makes use of LWP and LWP::Authen::Ntlm which
requires Authen::NTLM. This script uses NTLM authentication to check the status
of various critical web servers.

When we apply this patch, the authentication breaks and in the Security Event
Log, we see a failed authentication but the domain shows up as a non-printable
character and the "Logon Type" is listed as "NtLmSsp". Part of the patch was an
update to LSASS (which handles RPC authentication) to perform bounds checking.
Additionally, the patch includes an SSP update (used by IIS, also appears to be
bounds checking). We can uninstall the patch and everything works fine.

My suspicion (based on the origins of Authen::NTLM) is that the code is
reverse-engineered NTLM protocol, which has now had some minor change and is
causing the Perl module to break. The patch has been out 3 or 4 days now.

I've sent basically this same info to Mark Bush (the author of Authen::NTLM),
but have not yet heard anything from him. If anyone else is seeing this or has
any ideas, I would appreciate suggestions.

Thanks in advance for any help you can offer.

Kevin
Andrew Speer
      05-04-2004
Kevin,

I recently came across this same problem. The challenge format looks
to have changed, and as a result Authen::NTLM seems to send a
"broken" NT domain string to the server.

The fix (for me) was to alter the code (v1.02 in my case). In the
"ntlm" subroutine change the line:

$domain = substr($c_info->{buffer}, 0, $c_info->{domain}{len});

to

$domain = substr($challenge, $c_info->{domain}{offset},
$c_info->{domain}{len});

which fixed the problem for me. I hope it is also backwards compatible
with pre MS04-11 patched server, but have been unable to test.

I have sent a private email to Mark with similar information, so
hopefully the module will be updated sometime.

Thank <deity> for Ethereal - without it this would have been nigh
impossible to debug.

Andrew
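The fix Andrew describes, worked through as an added Python example (not code from the thread or from Authen::NTLM): it builds a constructed NTLMSSP Type 2 challenge two ways and extracts the target name once by reading from the start of the payload, as the 1.02 line does, and once from the offset in the TargetName security-buffer descriptor, as the corrected line does. The 48-byte fixed header, the flag value and the challenge bytes are assumptions for the example; the thread does not say exactly how the patched server changed the layout.

```python
import struct

SIGNATURE = b"NTLMSSP\x00"
HEADER_LEN = 48   # fixed Type 2 fields up to and including the TargetInfo descriptor (assumed here)

def build_type2(domain, target_info_first=False):
    """Constructed Type 2 message: target name and a minimal TargetInfo block go into the
    payload in either order, and each (len, maxlen, offset) descriptor says where they landed."""
    name = domain.encode("utf-16-le")
    # TargetInfo: one MsvAvNbDomainName AV pair (id 2) followed by the MsvAvEOL terminator
    info = struct.pack("<HH", 2, len(name)) + name + struct.pack("<HH", 0, 0)
    if target_info_first:
        payload, info_off, name_off = info + name, HEADER_LEN, HEADER_LEN + len(info)
    else:
        payload, name_off, info_off = name + info, HEADER_LEN, HEADER_LEN + len(name)
    header = (SIGNATURE + struct.pack("<I", 2)
              + struct.pack("<HHI", len(name), len(name), name_off)   # TargetName descriptor
              + struct.pack("<I", 0x00008201)                          # NegotiateFlags (constructed value)
              + b"\x01\x02\x03\x04\x05\x06\x07\x08"                    # server challenge (constructed)
              + b"\x00" * 8                                            # reserved/context
              + struct.pack("<HHI", len(info), len(info), info_off))   # TargetInfo descriptor
    assert len(header) == HEADER_LEN
    return header + payload

def target_name_descriptor(msg):
    """Return (length, offset) of the TargetName security buffer after sanity checks."""
    if msg[:8] != SIGNATURE or struct.unpack_from("<I", msg, 8)[0] != 2:
        raise ValueError("not an NTLMSSP Type 2 message")
    length, _maxlen, offset = struct.unpack_from("<HHI", msg, 12)
    if offset + length > len(msg):
        raise ValueError("TargetName descriptor points outside the message")
    return length, offset

def domain_from_buffer_start(msg):
    """Behaviour of the 1.02 line: substr($c_info->{buffer}, 0, $c_info->{domain}{len}).
    Assumes the domain is the first thing in the payload, which only holds when offset == HEADER_LEN."""
    length, _offset = target_name_descriptor(msg)
    return msg[HEADER_LEN:HEADER_LEN + length].decode("utf-16-le", errors="replace")

def domain_from_offset(msg):
    """Behaviour of Andrew's fix: substr($challenge, $c_info->{domain}{offset}, $c_info->{domain}{len})."""
    length, offset = target_name_descriptor(msg)
    return msg[offset:offset + length].decode("utf-16-le", errors="replace")

if __name__ == "__main__":
    for first in (False, True):
        msg = build_type2("CORP", target_info_first=first)
        print(first, repr(domain_from_buffer_start(msg)), repr(domain_from_offset(msg)))
```

In the constructed case where the target name no longer leads the payload, the old extraction yields control characters instead of a domain name, the same kind of non-printable domain Kevin saw in the Security Event Log.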
Kevin Collins
      05-04-2004
In article <(E-Mail Removed)>, Andrew Speer wrote:
> Kevin,
>
> I recently came across this same problem. The challenge format looks to have
> changed, and as a result Authen::NTLM seems to send a "broken" NT domain
> string to the server.
>
> The fix (for me) was to alter the code (v1.02 in my case). In the "ntlm"
> subroutine change the line:
>
> $domain = substr($c_info->{buffer}, 0, $c_info->{domain}{len});
>
> to
>
> $domain = substr($challenge, $c_info->{domain}{offset},
> $c_info->{domain}{len});
>
> which fixed the problem for me. I hope it is also backwards compatible with
> pre MS04-11 patched server, but have been unable to test.
>
> I have sent a private email to Mark with similar information, so hopefully
> the module will be updated sometime.
>
> Thank <deity> for Ethereal - without it this would have been nigh impossible
> to debug.
>
> Andrew


Andrew,

thanks a bunch! We actually got hit hard with the Sasser.D virus yesterday
because we couldn't install the patch. I found out just minutes ago that
Microsoft (via our escalated Premiere Support call) had found a solution by
searching Google - quite possibly they found your response!

Thanks for the info - it appears that the fix they suggested is working. I'm
off to confirm that it is the same as what yours is. I'll post back with my
findings.

Thanks,

Kevin


Kevin Collins
      05-04-2004
In article <(E-Mail Removed)>, Andrew Speer wrote:
> Kevin,
>
> I recently came across this same problem. The challenge format looks to have
> changed, and as a result Authen::NTLM seems to send a "broken" NT domain
> string to the server.
>
> The fix (for me) was to alter the code (v1.02 in my case). In the "ntlm"
> subroutine change the line:
>
> $domain = substr($c_info->{buffer}, 0, $c_info->{domain}{len});
>
> to
>
> $domain = substr($challenge, $c_info->{domain}{offset},
> $c_info->{domain}{len});
>
> which fixed the problem for me. I hope it is also backwards compatible with
> pre MS04-11 patched server, but have been unable to test.
>
> I have sent a private email to Mark with similar information, so hopefully
> the module will be updated sometime.
>
> Thank <deity> for Ethereal - without it this would have been nigh impossible
> to debug.
>
> Andrew


Andrew,

per my previous follow-up, it turns out that they (MS) did in fact find your
response to my post! Amazing that I posted a couple of weeks ago and had no
response until today, and I had not yet checked for responses.

Small world...

Thanks again,

Kevin

Dave Smith
      05-04-2004
(E-Mail Removed) (Andrew Speer) wrote in message news:<(E-Mail Removed)>...
> I recently came across this same problem. The challenge format looks
> to have changed, and as a result Authen::NTLM seems to send a
> "broken" NT domain string to the server.

Your fix also addresses another issue: the 1.02 code would fail if you
attempted to login across domains via a trust (e.g. the user was in
domain A and the server was in domain B). The debug output of LWP and
the security log look similar to the MS04-011 problem.

> I hope it is also backwards compatible with pre MS04-11 patched server, but
> have been unable to test.

I've checked it here with Win2K/IIS both pre and post MS04-011 and it
now works with the above fix.

Thanks Andrew!
Steve
      05-06-2004
Hi Kevin,

I am one of those from Microsoft who was involved with Leroy\Kevin on
this. I am very interested in anyone else who had the same issues with
using LWP::Authen::Ntlm after application of MS04-011.

I have tried to reproduce this and am not able to in-house. This is
necessary to debug NTLM and determine what exactly went wrong here. If
anyone would like to provide exact repro steps or better yet a VM in
VMware or MS Virtual PC format, I would love to work with you.

Obviously, the change in the module from Andrew was instrumental in
getting up and running, thank you very much Andrew. I do not know
enough about Perl to determine exactly what was changed - (if someone
wanted to "dumb it down" for me - let me know and I can provide contact
information) this may help me determine where I need to begin looking.

As far as the post below - I am not as concerned about it, as this also
failed pre-MS04-011.

> Your fix also addresses another issue: the 1.02 code would fail if you
> attempted to login across domains via a trust (e.g. the user was in
> domain A and the server was in domain B). The debug output of LWP and
> the security log look similar to the MS04-011 problem.



thanks!

Steve