NT Versions Affected:

3.5, 3.51, 4.0


SMB sessions can be hijacked. An attacker who can inject frames with the correct sequence numbers at the transport level, the correct TID (tree ID, identifying the share connection) and the correct UID (user ID, identifying the authenticated user) in the SMB header can issue requests that the server attributes to that user, including an administrator. Without SMB signing, nothing else in a request binds it to the client that actually authenticated.

Regedit/regedt32 and other tools whose RPC calls travel over named pipes rely on the same SMB UID for authentication, so those sessions can be taken over by the same method.

Exploiting this requires a tool that combines a transport-level sequence-number attack with UID/TID spoofing: the sequence numbers get the injected frame accepted by the transport, and the copied UID/TID get the request accepted by the SMB server.
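The SMB header fields the attack has to reproduce, as an added example that is not part of the advisory: a small Python builder/parser for SMB over the NetBIOS session service (port 139). The header layout and the Flags2 signing bit follow the CIFS header definition; the sample frames, the UID/TID/PID values and the use of SMB_COM_ECHO as the forged command are constructed for illustration. The example stops at the SMB layer: it shows that a request carrying a copied UID/TID is indistinguishable from the legitimate client's, and does not produce the transport-level sequence numbers the advisory says are also required.

```python
# Added example, not part of the advisory: SMB1 header builder/parser that
# shows which fields a hijacker has to reproduce.  Sample frames are
# constructed here, not captured from a real NT host.
import struct

NBSS_SESSION_MESSAGE = 0x00        # NetBIOS session service "session message"
SMB_MAGIC = b"\xffSMB"
# SMB_Header (32 bytes, little-endian): Protocol, Command, Status, Flags,
# Flags2, PIDHigh, SecurityFeatures, Reserved, TID, PIDLow, UID, MID
SMB_HEADER_FMT = "<4sBIBHH8sHHHHH"
SMB_HEADER_LEN = struct.calcsize(SMB_HEADER_FMT)   # 32
SMB_FLAGS2_SMB_SECURITY_SIGNATURE = 0x0004   # Flags2 bit: SecurityFeatures carries a MAC
SMB_COM_ECHO = 0x2B                          # harmless request used for the demo


def build_smb_frame(command, tid, uid, pid, mid, flags2=0, body=b""):
    """Wrap an SMB request in a NetBIOS session header (SMB over TCP/139)."""
    header = struct.pack(
        SMB_HEADER_FMT, SMB_MAGIC, command, 0, 0x18, flags2,
        (pid >> 16) & 0xFFFF, b"\x00" * 8, 0, tid, pid & 0xFFFF, uid, mid)
    smb = header + body
    # NBSS: type byte, flags byte (bit 0 = length bit 16), 16-bit length
    nbss = bytes([NBSS_SESSION_MESSAGE, (len(smb) >> 16) & 1]) + struct.pack(">H", len(smb) & 0xFFFF)
    return nbss + smb


def parse_smb_frame(frame):
    """Validate the NBSS wrapper and return the SMB header fields plus body."""
    if len(frame) < 4 + SMB_HEADER_LEN:
        raise ValueError("frame too short for NBSS + SMB header")
    if frame[0] != NBSS_SESSION_MESSAGE:
        raise ValueError("not a NetBIOS session message")
    length = ((frame[1] & 1) << 16) | struct.unpack(">H", frame[2:4])[0]
    if length != len(frame) - 4:
        raise ValueError("NBSS length does not match frame size")
    fields = struct.unpack(SMB_HEADER_FMT, frame[4:4 + SMB_HEADER_LEN])
    if fields[0] != SMB_MAGIC:
        raise ValueError("missing 0xFF 'SMB' signature")
    (_, command, status, flags, flags2, pid_high, sec, _reserved, tid, pid_low, uid, mid) = fields
    return {
        "command": command, "status": status, "flags": flags, "flags2": flags2,
        "pid": (pid_high << 16) | pid_low, "security_features": sec,
        "tid": tid, "uid": uid, "mid": mid, "body": frame[4 + SMB_HEADER_LEN:],
    }


def session_identity(hdr):
    """What the server uses to bind a request to an authenticated user and share."""
    return (hdr["uid"], hdr["tid"])


def is_signed(hdr):
    """True when Flags2 says SecurityFeatures holds a signature the server will check."""
    return bool(hdr["flags2"] & SMB_FLAGS2_SMB_SECURITY_SIGNATURE)


def forge_from_observed(observed_frame, command, mid, body=b""):
    """Build a new request carrying the UID/TID of a request seen on the wire.

    Only the (unsigned) header fields are copied; getting the frame accepted
    still needs the transport-level sequence numbers the advisory refers to.
    """
    hdr = parse_smb_frame(observed_frame)
    if is_signed(hdr):
        raise ValueError("session is signed; copied UID/TID would be rejected")
    return build_smb_frame(command, hdr["tid"], hdr["uid"], hdr["pid"], mid, hdr["flags2"], body)


# Constructed sample: an SMB_COM_ECHO the legitimate client sent after
# SESSION_SETUP (UID 0x0800) and TREE_CONNECT (TID 0x0801).  Values are made up.
OBSERVED = build_smb_frame(SMB_COM_ECHO, tid=0x0801, uid=0x0800, pid=0xFEFF,
                           mid=0x0001, body=b"\x01\x01\x00\x01\x00A")
FORGED = forge_from_observed(OBSERVED, SMB_COM_ECHO, mid=0x0002,
                             body=b"\x01\x01\x00\x01\x00B")

if __name__ == "__main__":
    for name, frame in (("observed", OBSERVED), ("forged", FORGED)):
        h = parse_smb_frame(frame)
        print(f"{name}: uid=0x{h['uid']:04x} tid=0x{h['tid']:04x} "
              f"mid=0x{h['mid']:04x} signed={is_signed(h)}")
    assert session_identity(parse_smb_frame(FORGED)) == session_identity(parse_smb_frame(OBSERVED))
```

The only header field that could tie a request to the session key is SecurityFeatures, and it is only checked when the signing bit in Flags2 is set; forge_from_observed refuses such frames because the copied header would fail the server's check, which is exactly the property the unsigned sessions on the affected systems lack.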


http://www.microsoft.com/kb/articles/q102/7/20.htm (last paragraph)

ftp://ietf.cnri.reston.va.us/internet-drafts/draft-heizer-cifs-v1-spec-00.txt (search page for '8.5.1')