Authen::NTLM and MS04-011

Discussion in 'Perl Misc' started by Kevin Collins, Apr 23, 2004.

  1. Hi,

    We have just started installing Microsoft critical patch MS04-011
    (http://www.microsoft.com/technet/security/bulletin/ms04-011.mspx) on our Win2k
    servers. We have a CGI script that makes use of LWP and LWP::Authen::Ntlm which
    requires Authen::NTLM. This script uses NTLM authentication to check the status
    of various critical web servers.

    When we apply this patch, the authentication breaks and in the Security Event
    Log, we see a failed authentication but the domain shows up as a non-printable
    character and the "Logon Type" is listed as "NtLmSsp". Part of the patch was an
    update to LSASS (which handles RPC authentication) to perform bounds checking.
    Additionally, the patch includes an SSP update (used by IIS, also appears to be
    bounds checking). We can uninstall the patch and everything works fine.

    My suspicion (based on the origins of Authen::NTLM) is that the code is
    reverse-engineered NTLM protocol, which has now had some minor change and is
    causing the Perl module to break. The patch has been out 3 or 4 days now.

    I've sent basically this same info to Mark Bush (the author of Authen::NTLM),
    but have not yet heard anything from him. If anyone else is seeing this or has
    any ideas, I would appreciate suggestions.

    Thanks in advance for any help you can offer.

    Kevin
     
    Kevin Collins, Apr 23, 2004
    #1

  2. Andrew Speer Guest

    Kevin,

    I recently came across this same problem. The challenge format looks
    to have changed, and as a result Authen::NTLM seems to send a
    "broken" NT domain string to the server.

    The fix (for me) was to alter the code (v1.02 in my case). In the
    "ntlm" subroutine change the line:

    $domain = substr($c_info->{buffer}, 0, $c_info->{domain}{len});

    to

    $domain = substr($challenge, $c_info->{domain}{offset},
    $c_info->{domain}{len});

    which fixed the problem for me. I hope it is also backwards compatible
    with pre-MS04-011 patched servers, but have been unable to test.

    I have sent a private email to Mark with similar information, so
    hopefully the module will be updated sometime.

    Thank <deity> for Ethereal - without it this would have been nigh
    impossible to debug.

    Andrew
     
    Andrew Speer, May 4, 2004
    #2
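The layout behind Andrew's fix, as an added Python illustration (not code from this thread or from Authen::NTLM): a constructed Type 2 challenge whose target name is located through its length/offset security buffer, next to the pre-fix reading that assumes the name sits at the very start of the payload. The builder, the 48-byte fixed header, the payload ordering, the flag value and the UTF-16-LE target name are assumptions made for the demo; when the server places Target Information ahead of the target name, the fragile reading returns binary bytes instead of the domain, the same kind of non-printable domain Kevin reports in the Security Event Log.

```python
import struct

SIGNATURE = b"NTLMSSP\x00"
TYPE2 = 2
# Fixed header: signature(8) type(4) TargetName secbuf(8) flags(4) challenge(8)
# context(8) TargetInfo secbuf(8). Every variable field lives in the payload
# after it and is found only through its security buffer (len, maxlen, offset).
FIXED_HEADER_LEN = 48


def build_type2(target_name, challenge, flags, target_info=b"", target_info_first=False):
    """Constructed Type 2 message. target_info_first=True lays the payload out as
    [TargetInfo][TargetName], which is legal since each field carries its own offset."""
    assert len(challenge) == 8
    name = target_name.encode("utf-16-le")  # assumes the Unicode flag is negotiated
    if target_info_first:
        info_off, name_off = FIXED_HEADER_LEN, FIXED_HEADER_LEN + len(target_info)
    else:
        name_off, info_off = FIXED_HEADER_LEN, FIXED_HEADER_LEN + len(name)
    header = SIGNATURE + struct.pack("<I", TYPE2)
    header += struct.pack("<HHI", len(name), len(name), name_off)
    header += struct.pack("<I", flags) + challenge + b"\x00" * 8
    header += struct.pack("<HHI", len(target_info), len(target_info), info_off)
    payload = target_info + name if target_info_first else name + target_info
    return header + payload


def parse_type2(msg):
    """Locate the target name through its security buffer (the reading Andrew's
    fix uses), with a bounds check so a bad offset/length cannot read past the message."""
    if msg[:8] != SIGNATURE or struct.unpack_from("<I", msg, 8)[0] != TYPE2:
        raise ValueError("not an NTLM Type 2 message")
    name_len, _, name_off = struct.unpack_from("<HHI", msg, 12)
    if name_off + name_len > len(msg):
        raise ValueError("TargetName security buffer points outside the message")
    flags = struct.unpack_from("<I", msg, 20)[0]
    return {
        "flags": flags,
        "challenge": msg[24:32],
        "target_name": msg[name_off:name_off + name_len].decode("utf-16-le"),
    }


def target_name_fragile(msg):
    """The pre-fix reading, like substr($c_info->{buffer}, 0, $len): take name_len
    bytes from the start of the payload and ignore the offset field entirely."""
    name_len = struct.unpack_from("<H", msg, 12)[0]
    return msg[FIXED_HEADER_LEN:FIXED_HEADER_LEN + name_len]
```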

  3. In article <>, Andrew Speer wrote:
    > Kevin,
    >
    > I recently came across this same problem. The challenge format looks to have
    > changed, and as a result Authen::NTLM seems to send a "broken" NT domain
    > string to the server.
    >
    > The fix (for me) was to alter the code (v1.02 in my case). In the "ntlm"
    > subroutine change the line:
    >
    > $domain = substr($c_info->{buffer}, 0, $c_info->{domain}{len});
    >
    > to
    >
    > $domain = substr($challenge, $c_info->{domain}{offset},
    > $c_info->{domain}{len});
    >
    > which fixed the problem for me. I hope it is also backwards compatible with
    > pre-MS04-011 patched servers, but have been unable to test.
    >
    > I have sent a private email to Mark with similar information, so hopefully
    > the module will be updated sometime.
    >
    > Thank <deity> for Ethereal - without it this would have been nigh impossible
    > to debug.
    >
    > Andrew


    Andrew,

    thanks a bunch! We actually got hit hard with the Sasser.D virus yesterday
    because we couldn't install the patch. I found out just minutes ago that
    Microsoft (via our escalated Premiere Support call) had found a solution by
    searching Google - quite possibly they found your response!

    Thanks for the info - it appears that the fix they suggested is working. I'm
    off to confirm that it is the same as what yours is. I'll post back with my
    findings.

    Thanks,

    Kevin
     
    Kevin Collins, May 4, 2004
    #3
  4. In article <>, Andrew Speer wrote:
    > Kevin,
    >
    > I recently came across this same problem. The challenge format looks to have
    > changed, and as a result Authen::NTLM seems to send a "broken" NT domain
    > string to the server.
    >
    > The fix (for me) was to alter the code (v1.02 in my case). In the "ntlm"
    > subroutine change the line:
    >
    > $domain = substr($c_info->{buffer}, 0, $c_info->{domain}{len});
    >
    > to
    >
    > $domain = substr($challenge, $c_info->{domain}{offset},
    > $c_info->{domain}{len});
    >
    > which fixed the problem for me. I hope it is also backwards compatible with
    > pre-MS04-011 patched servers, but have been unable to test.
    >
    > I have sent a private email to Mark with similar information, so hopefully
    > the module will be updated sometime.
    >
    > Thank <deity> for Ethereal - without it this would have been nigh impossible
    > to debug.
    >
    > Andrew


    Andrew,

    per my previous followup, it turns out that they (MS) did in fact find your
    response to my post! Amazing that I posted a couple weeks ago and had no
    response until today and I had not yet checked for responses :)

    Small world...

    Thanks again,

    Kevin
     
    Kevin Collins, May 4, 2004
    #4
  5. Dave Smith Guest

    (Andrew Speer) wrote in message news:<>...
    > I recently came across this same problem. The challenge format looks
    > to have changed, and as a result Authen::NTLM seems to send a
    > "broken" NT domain string to the server.

    Your fix also addresses another issue: the 1.02 code would fail if you
    attempted to log in across domains via a trust (e.g. the user was in
    domain A and the server was in domain B). The debug output of LWP and
    the security log look similar to the MS04-011 problem.

    > I hope it is also backwards compatible with pre-MS04-011 patched servers, but
    > have been unable to test.

    I've checked it here with Win2K/IIS both pre and post MS04-011 and it
    now works with the above fix.

    Thanks Andrew!
     
    Dave Smith, May 4, 2004
    #5
  6. Steve Guest

    Hi Kevin,

    I am one of those from Microsoft who was involved with Leroy\Kevin on
    this. I am very interested in anyone else who had the same issues with
    using LWP::Authen::Ntlm after application of MS04-011.

    I have tried to reproduce this and am not able to in-house. This is
    necessary to debug NTLM and determine what exactly went wrong here. If
    anyone would like to provide exact repro steps or better yet a VM in
    VMware or MS Virtual PC format, I would love to work with you.

    Obviously, the change in the module from Andrew was instrumental in
    getting up and running, thank you very much Andrew. I do not know
    enough about Perl to determine exactly what was changed - (if someone
    wanted to "dumb it down" to me - let me know and I can provide contact
    information) this may help me determine where I need to begin looking.

    As far as the post below, I am not as concerned about it as this also
    failed Pre MS04-011.

    > Your fix also addresses another issue: the 1.02 code would fail if you
    > attempted to login across domains via a trust (e.g. the user was in
    > domain A and the server was in domain B). The debug output of LWP and
    > the security log look similar to the MS04-011 problem.



    thanks!

    Steve
     
    Steve, May 6, 2004
    #6
