Authentication Processing Error in Windows NT 4.0 SP4
A logic error exists in Service Pack 4 for Windows NT 4.0 that could, under certain conditions, allow a user to log on interactively and connect to network shares using a blank password.
Issue
The Windows NT Security Account Manager (SAM) database stores the hashed password for each user account in two forms: an "NT hash" form that is used to authenticate users on Windows NT clients, and an "LM hash" form that is used to authenticate users on Windows 95, Windows 98, and downlevel clients such as DOS, Windows 3.1, Windows for Workgroups, OS/2 and Macintosh. When a user changes his password via a Windows NT, Windows 95 or Windows 98 client, both the "NT hash" and "LM hash" forms of the password are updated in the SAM. However, when the user changes his password via a downlevel client, only the "LM hash" form of the password is stored; a null value is stored in the "NT hash" field. This is normal operation.
When a user attempts an interactive logon or a network share connection from a Windows NT system, the Windows NT authentication process uses the "NT hash" form of the password. If the "NT hash" is null, the "LM hash" of the password is used for verification. (Windows 95, Windows 98 and downlevel clients always use only the "LM hash" for verification.) The logic error in Service Pack 4 incorrectly allows a null "NT hash" value to be used for authentication from Windows NT systems. The result is that if a user account's password was last changed from a DOS, Windows 3.1, Windows for Workgroups, OS/2 or Macintosh client, a user can log on to that account from a Windows NT system using a blank password.
By far the most likely machines to be affected by this vulnerability would be domain controllers running Windows NT 4.0 SP 4, in networks that contain any of the downlevel clients listed above. However, any server or workstation running Windows NT 4.0 SP 4 that contains a SAM database with active users who communicate from downlevel clients would be vulnerable to this problem. For example, a workgroup of Windows NT 4.0 SP 4 systems, one of which is accessed by Windows for Workgroups clients, would be affected by this vulnerability.
It is worth reiterating the following points:
- Even on an affected network, a user whose most recent password change was performed via Windows NT, Windows 95 or Windows 98 workstations will have a non-null "NT hash" value, and hence will not be at risk.
- Customers who are affected by the vulnerability need only apply the patch to machines that contain SAM databases with active user accounts.
- There is no need for users to update or change their passwords after applying the patch. Even in vulnerable systems, the SAM database entries are valid; the problem lies in the way SP4 processes them. The patch corrects the authentication process logic in SP4 without changing the SAM database entries in any way.
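To make the fallback logic concrete, the following is an added Python model of the decision the advisory describes; it is not Microsoft's code. The hash functions are stand-ins for the real MD4-based "NT hash" and DES-based "LM hash", and the way a blank password yields a null credential on the verifying side is an assumption of the model rather than a statement about the real implementation; the triage helper at the end applies the advisory's own rule that only accounts with a null "NT hash" are at risk.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, List, Optional

# Stand-in one-way functions (assumption of this model). The real NT hash is
# MD4 over the UTF-16LE password and the real LM hash is DES-based over the
# uppercased, padded password; only the null-vs-present distinction matters here.
def nt_owf(password: str) -> bytes:
    return hashlib.sha256(b"NT:" + password.encode("utf-16-le")).digest()

def lm_owf(password: str) -> bytes:
    return hashlib.sha256(b"LM:" + password.upper().encode("ascii", "replace")).digest()

@dataclass
class SamEntry:
    lm_hash: bytes
    nt_hash: Optional[bytes]  # None when the password was last set from a downlevel client

def change_password_nt_client(password: str) -> SamEntry:
    """Windows NT/95/98 clients update both hash forms in the SAM."""
    return SamEntry(lm_hash=lm_owf(password), nt_hash=nt_owf(password))

def change_password_downlevel(password: str) -> SamEntry:
    """DOS/Win3.1/WfW/OS2/Macintosh clients update only the LM form; NT hash becomes null."""
    return SamEntry(lm_hash=lm_owf(password), nt_hash=None)

def verify_fixed(entry: SamEntry, password: str) -> bool:
    """Correct NT-side logic: use the NT hash, fall back to LM only when NT is null."""
    if entry.nt_hash is not None:
        return hmac.compare_digest(entry.nt_hash, nt_owf(password))
    return hmac.compare_digest(entry.lm_hash, lm_owf(password))

def verify_sp4_bug(entry: SamEntry, password: str) -> bool:
    """Model of the SP4 logic error: the null NT-hash field is still used for
    verification instead of triggering the LM fallback. Model assumption: a blank
    password yields a null NT credential on the verifying side, so null == null."""
    supplied = nt_owf(password) if password else None
    if supplied is None or entry.nt_hash is None:
        return supplied == entry.nt_hash
    return hmac.compare_digest(entry.nt_hash, supplied)

def accounts_exposed(sam: Dict[str, SamEntry]) -> List[str]:
    """Triage helper: accounts whose NT hash is null are the ones the bug affects."""
    return sorted(name for name, e in sam.items() if e.nt_hash is None)
```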
Affected Products
- Microsoft Windows NT 4.0, Service Pack 4
Solution
Microsoft has posted the following hot fixes to address this problem.
- Fix for x86 version: ftp://ftp.microsoft.com/bussys/winnt/winnt-public/fixes/usa/NT40/hotfixes-postSP4/Msv1-fix/msv-fixi.exe
- Fix for Alpha version: ftp://ftp.microsoft.com/bussys/winnt/winnt-public/fixes/usa/NT40/hotfixes-postSP4/Msv1-fix/msv-fixa.exe
Further Details
Source: Microsoft Corporation
Reference: Microsoft Corporation
Updated: February 8, 1999