Authen::NTLM and MS04-011

Kevin Collins

Hi,

We have just started installing Microsoft critical patch MS04-011
(http://www.microsoft.com/technet/security/bulletin/ms04-011.mspx) on our Win2k
servers. We have a CGI script that makes use of LWP and LWP::Authen::Ntlm which
requires Authen::NTLM. This script uses NTLM authentication to check the status
of various critical web servers.

When we apply this patch, the authentication breaks and in the Security Event
Log, we see a failed authentication but the domain shows up as a non-printable
character and the "Logon Type" is listed as "NtLmSsp". Part of the patch was an
update to LSASS (which handles RPC authentication) to perform bounds checking.
Additionally, the patch includes an SSP update (used by IIS, also appears to be
bounds checking). We can uninstall the patch and everything works fine.

My suspicion (based on the origins of Authen::NTLM) is that the code is
reverse-engineered NTLM protocol, which has now had some minor change and is
causing the Perl module to break. The patch has been out 3 or 4 days now.

I've sent basically this same info to Mark Bush (the author of Authen::NTLM),
but have not yet heard anything from him. If anyone else is seeing this or has
any ideas, I would appreciate suggestions.

Thanks in advance for any help you can offer.

Kevin
 
Andrew Speer

Kevin,

I recently came across this same problem. The challenge format looks
to have changed, and as a result Authen::NTLM seems to send a
"broken" NT domain string to the server.

The fix (for me) was to alter the code (v1.02 in my case). In the
"ntlm" subroutine change the line:

$domain = substr($c_info->{buffer}, 0, $c_info->{domain}{len});

to

$domain = substr($challenge, $c_info->{domain}{offset},
$c_info->{domain}{len});

which fixed the problem for me. I hope it is also backwards compatible
with a pre-MS04-011 patched server, but have been unable to test.

I have sent a private email to Mark with similar information, so
hopefully the module will be updated sometime.

Thank <deity> for Ethereal - without it this would have been nigh
impossible to debug.

Andrew
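Added example (Python rather than the module's Perl; not code from the thread or from Authen::NTLM) showing why the one-line fix above matters: a constructed NTLM Type 2 (challenge) message is parsed both the way the 1.02 line is assumed to have worked (domain taken from the start of the data after the fixed header) and the way Andrew's change does (domain taken at the offset the TargetName security buffer advertises), with the bounds check a defender would add. The flag, challenge, Version and TargetInfo values are constructed, and the "naive" function is an assumption about the old code's behaviour, not a copy of it.

```python
import struct

NTLMSSP = b"NTLMSSP\x00"
# Constructed sample values (not from the thread): a TargetInfo block with one
# AV_PAIR (MsvAvNbDomainName = 0x0002) plus the terminating MsvAvEOL, and a Version field.
AV_PAIRS = struct.pack("<HH", 0x0002, 8) + "CORP".encode("utf-16-le") + struct.pack("<HH", 0, 0)
VERSION = b"\x05\x00\x93\x08\x00\x00\x00\x0f"

def build_type2(target_name, target_info=b"", version=b""):
    """Build a constructed NTLM Type 2 (challenge) message.

    The fixed header is 32 bytes in the minimal form, 48 bytes when a TargetInfo
    security buffer is present and 56 bytes with a Version field. The payload puts
    TargetInfo *before* TargetName, so the name does not sit at the start of the
    payload once TargetInfo is present."""
    name = target_name.encode("utf-16-le")
    header_len = 56 if version else (48 if target_info else 32)
    info_off, name_off = header_len, header_len + len(target_info)
    msg = NTLMSSP + struct.pack("<I", 2)
    msg += struct.pack("<HHI", len(name), len(name), name_off)  # TargetName: len, maxlen, offset
    msg += struct.pack("<I", 0x00010201)                        # NegotiateFlags (constructed)
    msg += b"\x01\x23\x45\x67\x89\xab\xcd\xef"                  # ServerChallenge (constructed)
    if header_len >= 48:
        msg += b"\x00" * 8                                      # Reserved/Context
        msg += struct.pack("<HHI", len(target_info), len(target_info), info_off)
    if header_len >= 56:
        msg += version
    return msg + target_info + name

def domain_naive(challenge, header_len=32):
    """Assumed reading of the pre-fix Authen::NTLM 1.02 line: take {domain}{len}
    bytes from the start of the data following the fixed header, ignoring the
    offset the server advertised."""
    (name_len,) = struct.unpack_from("<H", challenge, 12)
    return challenge[header_len:header_len + name_len].decode("utf-16-le", "replace")

def domain_from_offset(challenge):
    """The fix from the thread plus a bounds check: slice the domain at the offset
    the TargetName security buffer gives, and never past the end of the message."""
    if challenge[:8] != NTLMSSP or struct.unpack_from("<I", challenge, 8)[0] != 2:
        raise ValueError("not an NTLM Type 2 message")
    name_len, _maxlen, name_off = struct.unpack_from("<HHI", challenge, 12)
    if name_off + name_len > len(challenge):
        raise ValueError("TargetName buffer points outside the message")
    return challenge[name_off:name_off + name_len].decode("utf-16-le")

def compare(target_name="CORP"):
    """Return (naive, offset-based) domain strings for a minimal challenge and for
    one that carries TargetInfo and Version ahead of the name."""
    minimal = build_type2(target_name)
    extended = build_type2(target_name, target_info=AV_PAIRS, version=VERSION)
    return ((domain_naive(minimal), domain_from_offset(minimal)),
            (domain_naive(extended), domain_from_offset(extended)))

if __name__ == "__main__":
    print(compare())  # naive read of the extended message yields only NUL characters
```

On the extended layout the naive slice lands on the Reserved field and returns NULs, the kind of non-printable domain string that ends up in a failed-logon event; honouring the offset returns the real name for both layouts.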
 
Kevin Collins

Andrew,

thanks a bunch! We actually got hit hard with the Sasser.D virus yesterday
because we couldn't install the patch. I found out just minutes ago that
Microsoft (via our escalated Premiere Support call) had found a solution by
searching Google - quite possibly they found your response!

Thanks for the info - it appears that the fix they suggested is working. I'm
off to confirm that it is the same as what yours is. I'll post back with my
findings.

Thanks,

Kevin
 
Kevin Collins

Andrew,

per my previous followup, it turns out that they (MS) did in fact find your
response to my post! Amazing that I posted a couple weeks ago and had no
response until today and I had not yet checked for responses :)

Small world...

Thanks again,

Kevin
 
Dave Smith

> I recently came across this same problem. The challenge format looks
> to have changed, and as a result Authen::NTLM seems to send a
> "broken" NT domain string to the server.

Your fix also addresses another issue: the 1.02 code would fail if you
attempted to login across domains via a trust (e.g. the user was in
domain A and the server was in domain B). The debug output of LWP and
the security log look similar to the MS04-011 problem.

> I hope it is also backwards compatible with a pre-MS04-011 patched server, but
> have been unable to test.

I've checked it here with Win2K/IIS both pre and post MS04-011 and it
now works with the above fix.

Thanks Andrew!
 
Steve

Hi Kevin,

I am one of those from Microsoft who was involved with Leroy\Kevin on
this. I am very interested in anyone else who had the same issues with
using LWP::Authen::Ntlm after application of MS04-011.

I have tried to reproduce this and am not able to in-house. This is
necessary to debug NTLM and determine what exactly went wrong here. If
anyone would like to provide exact repro steps or better yet a VM in
VMware or MS Virtual PC format, I would love to work with you.

Obviously, the change in the module from Andrew was instrumental in
getting up and running, thank you very much Andrew. I do not know
enough about Perl to determine exactly what was changed - (if someone
wanted to "dumb it down" to me - let me know and I can provide contact
information) this may help me determine where I need to begin looking.

As far as the post below - I am not as concerned about it as this also
failed pre-MS04-011.

> Your fix also addresses another issue: the 1.02 code would fail if you
> attempted to login across domains via a trust (e.g. the user was in
> domain A and the server was in domain B). The debug output of LWP and
> the security log look similar to the MS04-011 problem.

thanks!

Steve