BadLock Vulnerability: Technical Tracking and Risk Protection

ID MYHACK58:62201673661
Type myhack58
Reporter Anonymous
Modified 2016-04-16T00:00:00


NSFOCUS continuously follows domestic security trends and issued its first BadLock threat warning notice as early as March. On April 12, Microsoft's scheduled patch day, Microsoft released patches that cover the BadLock vulnerability, which affects all versions of Windows and of the Samba service; the degree of harm should not be underestimated. NSFOCUS has therefore tracked and analyzed the BadLock vulnerability and provides corresponding protection recommendations.

BadLock vulnerability timeline tracking

[Figure: BadLock timeline tracking]

BadLock vulnerability: basic concepts

What is BadLock?

Stefan Metzmacher, a member of the international Samba Core Team, discovered a critical security vulnerability in Microsoft Windows platforms and in the Samba service software, and named it BadLock.

What is Samba?

Samba is free and open source software that implements the SMB (Server Message Block) / CIFS (Common Internet File System) network file sharing protocol. It runs on most operating systems, including Windows, Unix, IBM System and OpenVMS. Samba lets non-Windows platforms communicate and share network resources with Windows products using the same network protocol.

BadLock vulnerability impact

Affected platforms

  • Microsoft Windows without the MS16-047 patch applied
  • Samba 3.6.x
  • Samba 4.0.x
  • Samba 4.1.x
  • Samba 4.2.0-4.2.9
  • Samba 4.2.0-4.3.6
  • Samba 4.4.0

Impact level

[Figure: BadLock impact level]

BadLock vulnerability: technical tracking

Vulnerability details

For details on BadLock, refer to the following:

  • Samba – CVE-2016-2118 (SAMR and LSA man-in-the-middle attack)
  • Microsoft – CVE-2016-0128 / MS16-047 (Windows SAM and LSAD downgrade vulnerability)

The CVEs associated with BadLock are listed below:

[Figure: CVE list]

Technical analysis

BadLock mainly refers to a man-in-the-middle vulnerability in the SAM (Security Account Manager) and LSAD (Local Security Authority Domain Policy) protocols.

SAM and LSAD are both user-level protocols built on generic DCE/RPC and are used by all Windows systems and Samba servers. On Windows, the SAM and LSAD protocols provide local account storage management, remote user authentication and other functions. For example, SAM and LSAD are used when an administrator logs in remotely to a Windows machine.

The BadLock advisory notes that the vulnerability can let an attacker gain unauthorized access to a remote machine's authenticated connection. When a client connects to a remote machine and obtains an authenticated connection, then regardless of which application protocol, authentication type (such as Kerberos or NTLMSSP) and authentication level (NONE, CONNECT, PKT_INTEGRITY, PKT_PRIVACY) the user chose, an attacker who can intercept the traffic as a man in the middle can downgrade it to the unencrypted CONNECT authentication level and thereby take over the legitimate user's connection. If a network administrator's traffic is intercepted while remotely accessing a domain controller, the attacker can obtain read and write access to the SAM data on the domain controller, and so steal the user password hashes and other sensitive information stored there.
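The authentication level discussed above travels in cleartext in the 8-byte security trailer of each connection-oriented DCE/RPC fragment, so a defender can read it from captured traffic. The following added example (not from the original article) parses that trailer and flags fragments below PKT_INTEGRITY; the function names and the sample PDU are constructed for illustration, and the field layout and numeric values follow the DCE/RPC specification.

```python
import struct

# DCE/RPC auth levels named above, by wire value (C706 / MS-RPCE numbering).
LEVELS = {1: "NONE", 2: "CONNECT", 3: "CALL", 4: "PKT",
          5: "PKT_INTEGRITY", 6: "PKT_PRIVACY"}
TYPES = {9: "SPNEGO", 10: "NTLMSSP", 16: "KERBEROS"}
HEADER_LEN, TRAILER_LEN = 16, 8


def auth_level(pdu: bytes):
    """Return (auth_type, auth_level) wire values of one connection-oriented
    DCE/RPC fragment; (0, 1), i.e. level NONE, when it has no auth verifier."""
    if len(pdu) < HEADER_LEN or pdu[0] != 5:
        raise ValueError("not a DCE/RPC v5 PDU")
    # packed_drep[0], high nibble: 1 = little-endian integers, 0 = big-endian
    endian = "<" if pdu[4] & 0x10 else ">"
    frag_len, auth_len = struct.unpack_from(endian + "HH", pdu, 8)
    if auth_len == 0:
        return 0, 1
    trailer = frag_len - auth_len - TRAILER_LEN
    if frag_len > len(pdu) or trailer < HEADER_LEN:
        raise ValueError("inconsistent frag_length / auth_length")
    return pdu[trailer], pdu[trailer + 1]


def describe(pdu: bytes) -> str:
    """Flag fragments below PKT_INTEGRITY (5): no per-packet integrity."""
    a_type, level = auth_level(pdu)
    verdict = "WEAK" if level < 5 else "ok"
    return f"{verdict}: {TYPES.get(a_type, a_type)}/{LEVELS.get(level, level)}"


def sample_pdu(a_type: int, level: int) -> bytes:
    """Constructed request fragment: 8-byte stub, sec_trailer, 16-byte token."""
    stub, token = b"\x00" * 8, b"\xaa" * 16
    body = struct.pack("<IHH", 8, 0, 0) + stub       # alloc_hint, ctx id, opnum
    trailer = struct.pack("<BBBBI", a_type, level, 0, 0, 1)
    frag_len = HEADER_LEN + len(body) + TRAILER_LEN + len(token)
    header = struct.pack("<BBBB4sHHI", 5, 0, 0, 0x03, b"\x10\x00\x00\x00",
                         frag_len, len(token), 1)
    return header + body + trailer + token


if __name__ == "__main__":
    for level in (2, 5, 6):
        print(describe(sample_pdu(10, level)))
```

A CONNECT-level fragment is not proof of an attack by itself; it marks SAMR/LSA sessions that lack integrity protection and are worth reviewing on hosts that should already be patched.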
