COMMAND

    SMB hijacking

SYSTEMS AFFECTED

    Win NT 3.5, 3.51, 4.0

PROBLEM

    This text is a compilation of papers found at Bill Stout's ex NT
    page and www.ntshop.com/security.

    SMB sessions can be hijacked. Having the correct frame numbers at
    the transport level, the correct TID at the redirector level, and
    the correct UID at the server level allows you to impersonate an
    administrator or other user.

    Regedit/regedt32 and other RPCs which use named pipes also use SMB
    UIDs for authentication and can be taken over via this method.

    This requires an application that combines a sequence attack with
    UID/TID spoofing.
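    As an added defender-side example (not part of the original text or of
    anything Microsoft published), the following Python parses the SMB1
    header fields the advisory names (TID and UID) and reports frames in
    which an established UID/TID binding appears from a second client
    address, which is how a hijacked session would look on the wire. The
    addresses, frames and the "first client owns the binding" heuristic are
    constructed assumptions for this example; only the header layout and
    the two command codes are from the SMB/CIFS specification.

```python
import struct

SMB_MAGIC = b"\xffSMB"          # SMB1 protocol identifier
SMB_COM_TRANSACTION = 0x25      # carries named-pipe RPC traffic (e.g. remote registry)
SMB_COM_NT_CREATE_ANDX = 0xA2   # open a file or named pipe on the connected tree

def parse_smb1_header(buf):
    """Parse the 32-byte SMB1 header (NetBIOS length prefix already stripped).
    Layout (LE): magic(4) cmd(1) status(4) flags(1) flags2(2) pid_high(2)
    security_features(8) reserved(2) tid(2) pid_low(2) uid(2) mid(2)."""
    if len(buf) < 32 or buf[:4] != SMB_MAGIC:
        raise ValueError("not an SMB1 header")
    cmd, status, flags, flags2, pid_high = struct.unpack_from("<BIBHH", buf, 4)
    tid, pid_low, uid, mid = struct.unpack_from("<HHHH", buf, 24)
    return {"cmd": cmd, "status": status, "flags": flags, "flags2": flags2,
            "pid": (pid_high << 16) | pid_low, "tid": tid, "uid": uid, "mid": mid}

def find_hijacked_frames(frames):
    """frames: (src_ip, dst_ip, smb_header_bytes) for client->server traffic.

    Heuristic (an assumption for this example): the first client seen using a
    (server, UID, TID) binding owns it; a later frame presenting the same binding
    from a different client address is reported as a suspected hijack.
    """
    owner, alerts = {}, []
    for src, dst, raw in frames:
        h = parse_smb1_header(raw)
        if h["uid"] == 0:           # negotiate / session setup: no session yet
            continue
        key = (dst, h["uid"], h["tid"])
        if owner.setdefault(key, src) != src:
            alerts.append({"src": src, "dst": dst, "uid": h["uid"],
                           "tid": h["tid"], "cmd": h["cmd"]})
    return alerts

def build_header(cmd, tid, uid, mid, pid=0x1234):
    """Build a constructed SMB1 request header for the sample traffic below."""
    return (SMB_MAGIC + struct.pack("<BIBHH", cmd, 0, 0x18, 0, pid >> 16)
            + b"\x00" * 10 + struct.pack("<HHHH", tid, pid & 0xFFFF, uid, mid))

# Constructed sample: 10.0.0.5 holds an authenticated session (UID 0x0800) on a
# tree (TID 0x0801) with server 10.0.0.1; 10.0.0.9 then reuses both identifiers.
SAMPLE_FRAMES = [
    ("10.0.0.5", "10.0.0.1", build_header(SMB_COM_NT_CREATE_ANDX, 0x0801, 0x0800, 1)),
    ("10.0.0.5", "10.0.0.1", build_header(SMB_COM_TRANSACTION, 0x0801, 0x0800, 2)),
    ("10.0.0.9", "10.0.0.1", build_header(SMB_COM_TRANSACTION, 0x0801, 0x0800, 3)),
]
```

    Running `find_hijacked_frames(SAMPLE_FRAMES)` returns one alert for the
    third frame; on real traffic the frames would come from a capture of
    port 139 with the 4-byte NetBIOS session header removed.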

    For verification check:

        http://www.microsoft.com/kb/articles/q102/7/20.htm
        (last paragraph)

        ftp://ietf.cnri.reston.va.us/internet-drafts/draft-heizer-cifs-v1-spec-00.txt
        (search page for '8.5.1')

SOLUTION

    I don't know (yet). Microsoft doesn't either (I guess).