J-Security Center

Title: Microsoft Windows NT 4.0 Machine Account Creation Vulnerability

Severity: MODERATE

Description:

When an NT administrator adds a computer account to a domain, the machine name is transmitted in plaintext along with the encrypted password. The default password for a machine added remotely is the machine name itself. With this information, one can obtain the User Session Key, which can then be used to decrypt data sent by the administrator using either USRMGR.EXE or SRVMGR.EXE, including any passwords changed by the administrator.

With NT LanManager version 1 (NTLMv1), the User Session Key is derived from the NT hash of the password. Therefore, a compromised User Session Key remains valid until the administrative user changes their password.

In NT LanManager version 2 (NTLMv2), the User Session Key is derived from random data and is recreated with every connection. Therefore, a compromised User Session Key is only valid for data sent during the same session.

Affected Products:

  • Microsoft Windows NT 4.0
  • Microsoft Windows NT Enterprise Server 4.0
  • Microsoft Windows NT Server 4.0
  • Microsoft Windows NT Terminal Server 4.0
  • Microsoft Windows NT Workstation 4.0

Juniper Networks provides this content via a wide variety of sources and production methods. If notified of errors or omissions in the content of this page, Juniper Networks, at its discretion, will modify or remove the page or leave the content as is, depending on various factors including but not limited to the reputation and authority of the party providing the notification. Please use the contact information displayed elsewhere on this page to report any errors or omissions regarding the content on this page.