Digg this story   Add to del.icio.us   (page 1 of 2 ) next 
Standing on Other's Shoulders
Chris Wysopal, 2008-11-28

"If I have seen a little further it is by standing on the shoulders of Giants," Issac Netwon once wrote to describe how he felt that his scientific work was an extension of the work of those who went before him. In the scientific realm it is dishonorable not to credit those upon whose work you build.

Computer security researchers are like scientific researchers in many ways. We build on the research of those who come before us. We sometimes rediscover the same things independently. Other times we forget where we learned things and sometimes claim them as our own. We also occasionally take an engineer’s approach and implement research discovered by others and not credit them as it’s the implementation into a tool that matters to us.

The academic world solved the problems of rediscovery or falsely claiming discovery with a rigorous system of credit through endnotes in academic papers and the juried review of these papers. In a juried review, the reviewers are experts in the specific scientific field. They presumably know what has been previously published since they have read all of the published papers. A paper will be rejected for not being novel or for not crediting the original researchers.

One of the reasons people say computer security research is not true research is because we lack any notion of academic rigor. To some extent, we actually reject academic rigor. Who needs peer review when you can send out a basic explanation of how to trigger a vulnerability, get your props from your peers and potential employers, and — some hope — make the world a little more secure when the vulnerability is patched.

This simplistic view of security research, however, is wasteful and doesn’t advance the field as it should.

The November 2008 Microsoft patch MS08-68 is a great example. It is a problem with NTLM (Windows NT LAN Manager) authentication where the attacker can force a client to authenticate to him and the credentials, while not exposed in cleartext, can be relayed to another server or brute forced to obtain the cleartext. This is a classic crypto protocol vulnerability. It’s not the crypto algorithms that are the problem, but the protocol implementation.

Microsoft recently fixed the problem, perhaps due to the recent availability of exploit code, or perhaps Microsoft’s changed tolerance for vulnerabilities. We can sum it up as a change in the threat space that made it worth fixing. But make no mistake, this is a very old problem.

We can start by going back in time and seeing how knowledge of this vulnerability evolved. The CVE entry for this vulnerability, CVE-2008-4037, references the Backrush exploit published by Haamed Gheibi and Salman Niksefat on April 24, 2003. The authors make no mention that this was a well known vulnerability years before.

News reports for the latest Microsoft patch have been citing Sir Dystic’s SMBrelay tool, which was published in March 2001, as the first discovery of this vulnerability. Eric Shultze who worked at MSRC in 2001, recently said, "I have been holding my breath since 2001 for this patch." Obviously, it is a long time coming.

These were not, however, the first publication of the problem. In 2000, one of my colleagues on the research team at @stake — Christien Rioux, who once used the handle Dildog — published information on the telnet NTLM authentication vulnerability.

Rioux’s advisory has a great description of the credential relay and cracking weaknesses. I have talked to him and he says he discovered these problems independently, but he didn’t find them first. For one thing, the cracking weakness, at least for file sharing, was listed in the L0phtCrack documentation from 1998. (Disclosure: I wrote part of that documentation and I didn’t give anyone credit.) The documentation describes a way to get someone’s Windows credentials was to email them an HTML mail message with an embedded image with the link file://192.x.x.x/file.gif, and then have a server at that IP address running SMB that challenges the client for their password. Rioux extended this technique to the windows telnet NTLM authentication but the SMB version of this clearly should have been mentioned.

Dominique Brezinski published exactly these NTLM vulnerabilities in the SMB protocol in 1996 in a paper titled A Weakness in CIFS Authentication. The earliest reference I can find on the paper on the net is here where it is included in another paper published in 1997. Such is the ad-hoc world of independent security research of a dozen years ago that still continues today.

Ironically, the only reason we know about Brezinski’s paper is an academic researcher gave him credit!

Story continued on Page 2 

Chris Wysopal is co-founder and CTO of Veracode, a provider of on-demand software security testing services. Chris co-authored the password auditing tool L0phtCrack and was a researcher at the security think tank, L0pht Heavy Industries. He has held key roles at @stake and Symantec and is the author of The Art of Software Security Testing: Identifying Security Flaws.
    Digg this story   Add to del.icio.us   (page 1 of 2 ) next 
Comments Mode:
Standing on Other's Shoulders 2008-11-28
Jeffrey D. Pound, Sr.
NTLM is a great case study... 2008-12-02
Kurt Grutzmacher
Standing on Other's Shoulders 2008-12-06
Ant Homynous


Privacy Statement
Copyright 2010, SecurityFocus