CVE-2008-4037
Published 2008-11-12. CVE-2008-4037: Microsoft Windows 2000 Gold through SP4, XP Gold through SP3, Server 2003 SP1 and SP2, Vista Gold and SP1, and Server 2008 allows remote SMB servers to execute…
Priority: P2 · 68 · critical · CVSS 2.0 base score 9.3
CVSS 2.0 vector: AV:N/AC:M/Au:N/C:C/I:C/A:C
Exploit: public exploit available
EPSS: 59.14% (99.0th percentile)
Microsoft Windows 2000 Gold through SP4, XP Gold through SP3, Server 2003 SP1 and SP2, Vista Gold and SP1, and Server 2008 allows remote SMB servers to execute arbitrary code on a client machine by replaying the NTLM credentials of a client user, as demonstrated by backrush, aka "SMB Credential Reflection Vulnerability." NOTE: some reliable sources report that this vulnerability exists because of an insufficient fix for CVE-2000-0834.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| microsoft | windows | — | — |
| microsoft | windows | — | — |
Detection & IOCs (extracted from sources)
- Detect SMB relay/reflection attacks by monitoring for a host authenticating to itself over SMB (same source and destination IP on ports 445/139 with NTLM challenge-response). The MS08-068 patch blocks reflection of the challenge key back to the issuing host.
- Alert on new Windows services created with randomly generated 8-character alphanumeric names and display names, especially when the binary path points to %SYSTEMROOT%\<random>.exe; this is a hallmark of the SMB relay Metasploit module's post-exploitation service installation.
- Detect NTLM relay by watching for SMB sessions where the connecting client is authenticated as a non-Guest user but the session is being proxied to a third-party SMB host (the SMBHOST parameter differs from the originating IP).
- Flag Windows XP systems not joined to a domain where 'Network Access: Sharing and security model for local accounts' is NOT set to Guest-only, as these are exploitable targets for SMB relay gaining administrative access.
- The SMB reflection variant of this attack (relaying credentials back to the originating host) is blocked by the MS08-068 patch. However, relaying to a *third-party* SMB host the victim is authorized to access remains possible and is not mitigated by the patch alone.
- The Metasploit smb_relay module does not support SMB 2/3; as of Feb 2022 it only works against SMB 1 targets, limiting its applicability to legacy unpatched systems.
- The relay module cannot clean up after itself; the uploaded payload EXE and created service must be manually removed from the victim after exploitation, which may leave forensic artifacts.
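As an added example (not code from this page, from Metasploit, or from any of the sources above), a small Python detector that applies the first two indicators to constructed key=value telemetry: it flags NTLM SMB sessions where a host authenticates to itself on 445/139, and service installs whose name and %SYSTEMROOT% image path both have the random 8-character shape. The log format and regexes are assumptions made for the example.

```python
import re

# Constructed sample telemetry, not from the page's sources: one NTLM-over-SMB
# connection record and one service-installation record per line, key=value.
CONN_LOG = [
    "src=10.0.0.5 dst=10.0.0.5 dport=445 proto=smb auth=ntlm user=CORP\\alice",
    "src=10.0.0.5 dst=10.0.0.9 dport=445 proto=smb auth=ntlm user=CORP\\alice",
    "src=10.0.0.5 dst=10.0.0.5 dport=3389 proto=rdp auth=ntlm user=CORP\\alice",
    "src=10.0.0.7 dst=10.0.0.7 dport=139 proto=smb auth=kerberos user=CORP\\bob",
]
SVC_LOG = [
    "host=ws01 event=7045 name=Spooler path=C:\\Windows\\System32\\spoolsv.exe",
    "host=ws01 event=7045 name=xQbT9kLz path=%SYSTEMROOT%\\PmN3vZ1q.exe",
    "host=ws02 event=7045 name=wuauserv path=%SYSTEMROOT%\\System32\\svchost.exe",
]

SMB_PORTS = {"445", "139"}
# Service-name and image-path shapes taken from the indicator above (assumed patterns).
RANDOM_NAME = re.compile(r"^[A-Za-z0-9]{8}$")
SYSROOT_EXE = re.compile(r"^%SYSTEMROOT%\\[A-Za-z0-9]{8}\.exe$", re.IGNORECASE)


def parse(line):
    """Split a 'k=v k=v' record into a dict (values contain no spaces here)."""
    return dict(kv.split("=", 1) for kv in line.split())


def smb_reflection_alerts(lines):
    """Reflection: an NTLM SMB session whose source and destination host match."""
    alerts = []
    for f in map(parse, lines):
        if f.get("proto") != "smb" or f.get("auth") != "ntlm":
            continue  # Kerberos and non-SMB sessions are out of scope for this rule
        if f.get("dport") in SMB_PORTS and f.get("src") == f.get("dst"):
            alerts.append(f"reflection: {f['src']} -> {f['dst']}:{f['dport']}")
    return alerts


def rogue_service_alerts(lines):
    """Post-exploitation service: random 8-char name AND %SYSTEMROOT%\\<random>.exe."""
    alerts = []
    for f in map(parse, lines):
        name, path = f.get("name", ""), f.get("path", "")
        # Requiring both shapes avoids flagging built-ins such as wuauserv (8 chars)
        if RANDOM_NAME.match(name) and SYSROOT_EXE.match(path):
            alerts.append(f"service: {name} -> {path}")
    return alerts


if __name__ == "__main__":
    for a in smb_reflection_alerts(CONN_LOG) + rogue_service_alerts(SVC_LOG):
        print(a)
```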
No detection rules found.
Exploit-DB
Microsoft Windows - SMB Relay Code Execution (MS08-068) (Metasploit)
exploitdb · 2010-09-21 · CVE-2008-4037
---
##
# $Id: smb_relay.rb 10404 2010-09-21 00:13:30Z jduck $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
=begin
Windows XP systems that are not part of a domain default to treating all
network logons as if they were Guest. This prevents SMB relay attacks from
gaining administrative access to these systems. This setting can be found
under:
Local Security Settings >
Local Policies >
Security Options >
Network Access: Sharing and security model for local accounts
=end
require 'msf/core'
class Metasploit3
Exploit-DB
Microsoft Windows - SmbRelay3 NTLM Replay (MS08-068)
exploitdb · 2008-11-14 · CVE-2008-4037
---
* SMBRELAY 3 - NTLM replay attack (version 1.0 ) public version
* (c) 2008 Andres Tarasco Acuña ( atarasco _at_ gmail.com )
* URL: http://tarasco.org/Web/tools.html
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/7125.zip (2008-smbrelay3.zip)
# milw0rm.com [2008-11-14]
Exploit-DB
Microsoft Windows 2000/XP - SMB Authentication Remote Overflow
exploitdb · 2003-04-25 · CVE-2008-4037
---
##########################################
# Exploit for "Authentication flaw in Windows SMB protocol" #
##########################################
# Release Date:
# April 24, 2003
#
# Code by Haamed Gheibi ([email protected])
# Salman Niksefat ([email protected])
#
# Systems Affected by this exploit:
# Windows 2000 (SP0 SP1 SP2 SP3)
# Windows XP (SP0 SP1)
#
# EXPLOIT PROVIDED FOR EDUCATIONAL PURPOSES ONLY AS A PROOF OF CONCEPT
# WE TAKE NO RESPONSIBILITY FOR USE OF THIS CODE.
##########################################
This exploit is based on samba-2.2.8a, you can download the source code from:
http://us1.samba.org/samba/ftp/samba-2.2.8a.tar.bz2
or other mirrors.
First you should configure and make samb
Metasploit
MS08-068 Microsoft Windows SMB Relay Code Execution
This module will relay SMB authentication requests to another host, gaining access to an authenticated SMB session if successful. If the connecting user is an administrator and network logins are allowed to the target machine, this module will execute an arbitrary payload. To exploit this, the target system must try to authenticate to this module. The easiest way to force an SMB authentication attempt is by embedding a UNC path (\\SERVER\SHARE) into a web page or email message. When the victim views the web page or email, their system will automatically connect to the server specified in the UNC share (the IP address of the system running this module) and attempt to authenticate. Unfortunately, this module is not able to clean up after its
No writeups or analysis indexed.
References
- http://marc.info/?l=bugtraq&m=122703006921213&w=2
- http://osvdb.org/49736
- http://secunia.com/advisories/32633
- http://securitytracker.com/id?1021163
- http://www.networkworld.com/news/2008/111208-microsoft-seven-year-security-patch.html
- http://www.securityfocus.com/bid/7385
- http://www.securityfocus.com/data/vulnerabilities/exploits/backrush.patch
- http://www.securityfocus.com/data/vulnerabilities/exploits/backrush.patch.README
- http://www.us-cert.gov/cas/techalerts/TA08-316A.html
- http://www.veracode.com/blog/2008/11/microsoft-fixes-8-year-old-design-flaw-in-smb/
- http://www.vupen.com/english/advisories/2008/3110
- http://www.xfocus.net/articles/200305/smbrelay.html
- https://docs.microsoft.com/en-us/security-updates/securitybulletins/2008/ms08-068
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A6012
- https://www.exploit-db.com/exploits/7125
Published: 2008-11-12