Understanding the Windows SMB NTLM Weak Nonce vulnerability
In February 2010, Hernan Ochoa and Agustin Azubel disclosed a serious flaw that had been present in most Windows versions for at least 14 years. The vulnerability lies in the NTLM (NT LAN Manager) authentication mechanism used by SMB (Server Message Block) and gives an attacker remote access to system resources: read/write access to remote file shares and remote code execution, without knowing any credentials. It has two root causes. First, the 8-byte server challenge (nonce) at the heart of the NTLM challenge/response exchange is produced by a predictable pseudo-random number generator (PRNG), so an attacker who has seen one challenge can work out the ones the server will issue next. Second, the exchange does nothing to stop a response captured from a legitimate client being replayed to the server against that same challenge. The live demo showed how quickly an attacker can harvest challenge/response pairs from a legitimate client and, by predicting the target server's future challenges, replay one of those responses to authenticate as that client. Microsoft addressed the issue in security bulletin MS10-012, which tracks it as CVE-2010-0231, and shipped a patch with it.
For more information about this vulnerability and the exploits, see:
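As an added illustration (not code from the advisory, its authors, or Microsoft, and not the real Windows generator), the Python simulation below models the attack described above. Everything in it is a constructed simplification: the response is an HMAC over the challenge under a password-derived key, standing in for the NTLM response; the weak generator is a linear congruential generator that hands out its raw state as the challenge, chosen only so that one observed challenge determines every later one; and the session bookkeeping is the minimum needed to show that the server authenticates a response only against the challenge it issued for that session. The attack opens a credential-less session on the target to observe a challenge, predicts the challenge a few sessions ahead, has the victim authenticate to an attacker-controlled server that presents that predicted challenge, and then opens sessions on the target until it issues that challenge and replays the harvested response. The same attack is run against a server whose challenges come from a CSPRNG, which is the kind of fix the vulnerability requires.

```python
import hashlib
import hmac
import secrets


def derive_key(password: str) -> bytes:
    """Stand-in for the NT hash, i.e. the secret the client proves it knows.
    Real NTLM uses MD4 over the UTF-16LE password; SHA-256 is used here so the
    example runs on builds without MD4."""
    return hashlib.sha256(password.encode("utf-16le")).digest()


def compute_response(key: bytes, challenge: bytes) -> bytes:
    """Stand-in for the NTLM response: a keyed MAC over the server challenge.
    The attacker never learns the key, so responses must be harvested from a
    real client."""
    return hmac.new(key, challenge, "sha256").digest()


class WeakChallengeSource:
    """Constructed stand-in for a predictable challenge PRNG (not Windows'
    generator): a 64-bit LCG whose raw state is emitted as the challenge."""
    A = 6364136223846793005
    C = 1442695040888963407
    MASK = (1 << 64) - 1

    def __init__(self, seed: int) -> None:
        self.state = seed & self.MASK

    def next_challenge(self) -> bytes:
        self.state = (self.A * self.state + self.C) & self.MASK
        return self.state.to_bytes(8, "big")

    @classmethod
    def predict(cls, observed: bytes, steps_ahead: int) -> bytes:
        """From one observed challenge, compute the one the server will emit
        `steps_ahead` sessions later."""
        state = int.from_bytes(observed, "big")
        for _ in range(steps_ahead):
            state = (cls.A * state + cls.C) & cls.MASK
        return state.to_bytes(8, "big")


class StrongChallengeSource:
    """The fix: 8 bytes from a CSPRNG per session, so earlier challenges say
    nothing about later ones."""
    def next_challenge(self) -> bytes:
        return secrets.token_bytes(8)


class SmbServer:
    """Minimal model of the target: a session is opened without credentials,
    receives a challenge, and is authenticated only by a response to that
    session's own challenge."""
    def __init__(self, users: dict, challenge_source) -> None:
        self.users = users            # username -> derived key
        self.source = challenge_source
        self.sessions = {}            # session id -> challenge issued
        self._next_sid = 0

    def negotiate(self):
        sid = self._next_sid
        self._next_sid += 1
        self.sessions[sid] = self.source.next_challenge()
        return sid, self.sessions[sid]

    def authenticate(self, sid: int, user: str, response: bytes) -> bool:
        challenge = self.sessions.pop(sid, None)
        key = self.users.get(user)
        if challenge is None or key is None:
            return False
        return hmac.compare_digest(compute_response(key, challenge), response)


class VictimClient:
    def __init__(self, user: str, password: str) -> None:
        self.user = user
        self.key = derive_key(password)

    def respond(self, challenge: bytes) -> bytes:
        return compute_response(self.key, challenge)


def weak_nonce_attack(target: SmbServer, victim: VictimClient,
                      steps_ahead: int = 3, max_sessions: int = 64) -> bool:
    # 1. Open a session on the target (no credentials needed) and note its challenge.
    _, observed = target.negotiate()
    # 2. Predict the challenge the target will issue `steps_ahead` sessions from now.
    predicted = WeakChallengeSource.predict(observed, steps_ahead)
    # 3. Rogue server: the victim is lured into authenticating to the attacker's
    #    SMB server, which presents the predicted challenge and keeps the response.
    harvested = victim.respond(predicted)
    # 4. Burn sessions on the target until it issues the predicted challenge,
    #    then replay the harvested response on that session.
    for _ in range(max_sessions):
        sid, challenge = target.negotiate()
        if challenge == predicted:
            return target.authenticate(sid, victim.user, harvested)
    return False


def run_demo():
    """Run the attack against a weak-nonce server and a patched one.
    Credentials here are constructed sample data."""
    password = "correct horse battery staple"
    users = {"alice": derive_key(password)}
    victim = VictimClient("alice", password)
    weak_target = SmbServer(users, WeakChallengeSource(seed=0x1234))
    patched_target = SmbServer(users, StrongChallengeSource())
    return weak_nonce_attack(weak_target, victim), weak_nonce_attack(patched_target, victim)


if __name__ == "__main__":
    weak, patched = run_demo()
    print(f"weak-nonce server compromised: {weak}")
    print(f"patched server compromised:    {patched}")
```

Against the weak server the attacker logs in as the victim after burning three sessions, never having seen the password or its hash; against the CSPRNG-backed server the predicted challenge never comes up, so the harvested response is useless. Note what the example does not model: the real challenge generator's exact arithmetic, the effort needed to recover its state, and how the victim is lured to the rogue server (in practice, anything that makes Windows open a UNC path).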
Windows SMB NTLM Authentication Weak Nonce Vulnerability Security Advisory
SMB NTLM Authentication Lack of Entropy Vulnerability – CVE-2010-0231
Vulnerabilities in SMB Could Allow Remote Code Execution (958687)