K
Kevin Collins
Hi,
We have just started installing Microsoft critical patch MS04-011
(http://www.microsoft.com/technet/security/bulletin/ms04-011.mspx) on our Win2k
servers. We have a CGI script that makes use of LWP and LWP::Authen:Ntlm which
requires Authen::NTLM. This script uses NTLM authentication to check the status
of various critical web servers.
When we apply this patch, the authentication breaks and in the Security Event
Log, we see a failed authentication but the domain shows up as a non-printable
character and the "Logon Type" is listed as "NtLmSsp". Part of the patch was an
update to LSASS (which handles RPC authentication) to perform bounds checking.
Additionally, the patch includes an SSP update (used by IIS, also appears to be
bounds checking). We can uninstall the patch and everything works fine.
My suspicion (based on the origins of Authen::NTLM) is that the code is
reverse-engineered NTLM protocol, which has now had some minor change and is
causing the Perl module to break. The patch has been out 3 or 4 days now.
I've sent basically this same info to Mark Bush (the author of Authen::NTLM),
but have not yet heard anything from him. If anyone else is seeing this or has
any ideas, I would appreciate suggestions.
Thanks in advance for any help you can offer.
Kevin
We have just started installing Microsoft critical patch MS04-011
(http://www.microsoft.com/technet/security/bulletin/ms04-011.mspx) on our Win2k
servers. We have a CGI script that makes use of LWP and LWP::Authen:Ntlm which
requires Authen::NTLM. This script uses NTLM authentication to check the status
of various critical web servers.
When we apply this patch, the authentication breaks and in the Security Event
Log, we see a failed authentication but the domain shows up as a non-printable
character and the "Logon Type" is listed as "NtLmSsp". Part of the patch was an
update to LSASS (which handles RPC authentication) to perform bounds checking.
Additionally, the patch includes an SSP update (used by IIS, also appears to be
bounds checking). We can uninstall the patch and everything works fine.
My suspicion (based on the origins of Authen::NTLM) is that the code is
reverse-engineered NTLM protocol, which has now had some minor change and is
causing the Perl module to break. The patch has been out 3 or 4 days now.
I've sent basically this same info to Mark Bush (the author of Authen::NTLM),
but have not yet heard anything from him. If anyone else is seeing this or has
any ideas, I would appreciate suggestions.
Thanks in advance for any help you can offer.
Kevin