Bug in Windows for Workgroups, Win95 beta



Dan Shearer (itudps@lux.levels.unisa.edu.au)

Sat, 22 Jul 1995 12:42:25 +0930



   *  Messages sorted by: [ date ][ thread ][ subject ][ author ]

   *  Next message: Dan Shearer: "Re: Bug in Windows for Workgroups, Win95

     beta"

   *  Previous message: Cy Schubert - BCSC Open Systems Group: "Re:

     [Linux-ISP] lpr(1) bug"

   *  Next in thread: Dan Shearer: "Re: Bug in Windows for Workgroups,

     Win95 beta"



This is probably getting a bit stale by now, but I haven't seen it here.



The Samba development community have discovered a security hole in

Workgroups and Win95 beta.  Microsoft were officially informed, and

appear to have fixed the problem in the release version of Windows 95.

It still exists in Windows for Workgroups, and last I heard Microsoft

were not committing to releasing a patch for the problem, but they didn't

say they wouldn't either.



Affects

-------



Any machine with Windows for Workgroups that is running TCP/IP as a

file/print transport. Certainly Microsoft TCP/IP and most likely other

stacks as well.



Effects

-------



If the Workgroups machine shares any directory below root, a free Unix

program that uses the Microsoft SMB protocol over TCP/IP can access the

whole drive, with whatever permissions the sharename was given. These

resources are advertised on a browse list that is made available to anyone

on the local network by default, and to anyone on the Internet who knows

the machine's IP address. Any user sharing anything without a password is

automatically opening the whole disk to the whole internet (for those

that can locate the machine) and those with a password should be aware

that Workgroups has no protection against brute force attacks.



To Reproduce

------------



Start up "smbclient", and ask to connect to a resource. Then issue the

commands "cd ../" or "cd ...", which are valid according to the SMB

protocol. These servers move up to the next level directory (the one above

the one that was shared on the network) without any complaint. I have

tried other SMB servers such as Samba, Windows NT and OS/2 LAN Manager.

Samba correctly denies access, NT incorrectly does not complain but does

not appear to have a security problem, and LAN Manager handles it in the

correct manner.



Why

---



The Microsft Server Message Block (SMB) file and print sharing protocol is

an X/Open standard. The Samba client implements the X/Open protocol

properly, but these two Microsoft servers do not. As Andrew Tridgell said

recently "It is nice of them to make it an X/Open standard, but as with

most proprietry ideas it is much less rigorously tested than an RFC. For

instance, there are three completely different date and time formats used

at random throughout". So I suppose it is just the same sort of thinking

carried into implementation.



Samba

-----



You can find out about Samba at

http://lake.canberra.edu.au/pub/samba/samba.html.



Exploration

-----------



The Samba site has a link to the tcpdump patches by Andrew that understand

SMB (and also NetBEUI, incidentally.)



Samba also comes with a file system for Linux that allows SMB resources

to be mounted. Theoretically it would be possible to mount the disk of a

Workgroups server and reshare it as, say, an FTP site or a Web site :-)



Dan



   *  Next message: Dan Shearer: "Re: Bug in Windows for Workgroups, Win95

     beta"

   *  Previous message: Cy Schubert - BCSC Open Systems Group: "Re:

     [Linux-ISP] lpr(1) bug"

   *  Next in thread: Dan Shearer: "Re: Bug in Windows for Workgroups,

     Win95 beta"





This page was created Wed Aug 11 23:48:21 EDT 1999


Using Linux
 version 2.0.32
 on an i586

Copyright (C) 1999 - Matarese.com