Security Hole - Windows for Workgroups Security Hole




Bug in Windows for Workgroups, Win95 beta

Dan Shearer (itudps@lux.levels.unisa.edu.au)
Sat, 22 Jul 1995 12:42:25 +0930

This is probably getting a bit stale by now, but I haven't seen it here.

The Samba development community have discovered a security hole in
Workgroups and Win95 beta.  Microsoft were officially informed, and
appear to have fixed the problem in the release version of Windows 95.
It still exists in Windows for Workgroups, and last I heard Microsoft
were not committing to releasing a patch for the problem, but they didn't
say they wouldn't either.

Affects
-------

Any machine with Windows for Workgroups that is running TCP/IP as a
file/print transport. Certainly Microsoft TCP/IP and most likely other
stacks as well.

Effects
-------

If the Workgroups machine shares any directory below root, a free Unix
program that uses the Microsoft SMB protocol over TCP/IP can access the
whole drive, with whatever permissions the sharename was given. These
resources are advertised on a browse list that is made available to anyone
on the local network by default, and to anyone on the Internet who knows
the machine's IP address. Any user sharing anything without a password is
automatically opening the whole disk to the whole internet (for those
that can locate the machine) and those with a password should be aware
that Workgroups has no protection against brute force attacks.

To Reproduce
------------

Start up "smbclient", and ask to connect to a resource. Then issue the
commands "cd ../" or "cd ...", which are valid according to the SMB
protocol. These servers move up to the next level directory (the one above
the one that was shared on the network) without any complaint. I have
tried other SMB servers such as Samba, Windows NT and OS/2 LAN Manager.
Samba correctly denies access, NT incorrectly does not complain but does
not appear to have a security problem, and LAN Manager handles it in the
correct manner.

Why
---

The Microsoft Server Message Block (SMB) file and print sharing protocol is
an X/Open standard. The Samba client implements the X/Open protocol
properly, but these two Microsoft servers do not. As Andrew Tridgell said
recently "It is nice of them to make it an X/Open standard, but as with
most proprietary ideas it is much less rigorously tested than an RFC. For
instance, there are three completely different date and time formats used
at random throughout". So I suppose it is just the same sort of thinking
carried into implementation.

Samba
-----

You can find out about Samba at
http://lake.canberra.edu.au/pub/samba/samba.html.

Exploration
-----------

The Samba site has a link to the tcpdump patches by Andrew that understand
SMB (and also NetBEUI, incidentally.)

Samba also comes with a file system for Linux that allows SMB resources
to be mounted. Theoretically it would be possible to mount the disk of a
Workgroups server and reshare it as, say, an FTP site or a Web site :-)

Dan
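
The server-side check that the post says Samba performs and Workgroups omits can be sketched as below. This is an added example, not part of the original post and not Samba's code; the function name path_stays_in_share and the sample paths are constructed, and treating "..." as a two-level parent reference is an assumption.

```c
#include <stdio.h>
#include <string.h>

/* Added example: returns 1 if a client-supplied path, interpreted relative
 * to the share root, stays inside the share, and 0 if it climbs above it.
 * Assumption: a component made only of dots and longer than ".." is a
 * multi-level parent reference, which covers the "cd ..." case. */
int path_stays_in_share(const char *path)
{
    int depth = 0;                      /* levels below the share root */
    const char *p = path;

    for (;;) {
        size_t len;
        while (*p == '/' || *p == '\\') /* accept either separator */
            p++;
        len = strcspn(p, "/\\");        /* length of this component */
        if (len == 0)
            return 1;                   /* end of path, never left the share */
        if (strspn(p, ".") == len) {    /* ".", "..", "...", ... */
            depth -= (int)len - 1;      /* "." stays put, ".." goes up one */
            if (depth < 0)
                return 0;               /* would leave the shared directory */
        } else {
            depth++;                    /* ordinary directory or file name */
        }
        p += len;
    }
}

int main(void)
{
    /* Constructed sample paths, as a client might send after connecting. */
    const char *samples[] = { "docs/readme.txt", "../", "...",
                              "docs\\..\\notes", "docs\\..\\..\\autoexec.bat" };
    size_t i;
    for (i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-28s %s\n", samples[i],
               path_stays_in_share(samples[i]) ? "allow" : "deny");
    return 0;
}
```
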
