Bug in Windows for Workgroups, Win95 beta Dan Shearer (itudps@lux.levels.unisa.edu.au) Sat, 22 Jul 1995 12:42:25 +0930 * Messages sorted by: [ date ][ thread ][ subject ][ author ] * Next message: Dan Shearer: "Re: Bug in Windows for Workgroups, Win95 beta" * Previous message: Cy Schubert - BCSC Open Systems Group: "Re: [Linux-ISP] lpr(1) bug" * Next in thread: Dan Shearer: "Re: Bug in Windows for Workgroups, Win95 beta" This is probably getting a bit stale by now, but I haven't seen it here. The Samba development community have discovered a security hole in Workgroups and Win95 beta. Microsoft were officially informed, and appear to have fixed the problem in the release version of Windows 95. It still exists in Windows for Workgroups, and last I heard Microsoft were not committing to releasing a patch for the problem, but they didn't say they wouldn't either. Affects ------- Any machine with Windows for Workgroups that is running TCP/IP as a file/print transport. Certainly Microsoft TCP/IP and most likely other stacks as well. Effects ------- If the Workgroups machine shares any directory below root, a free Unix program that uses the Microsoft SMB protocol over TCP/IP can access the whole drive, with whatever permissions the sharename was given. These resources are advertised on a browse list that is made available to anyone on the local network by default, and to anyone on the Internet who knows the machine's IP address. Any user sharing anything without a password is automatically opening the whole disk to the whole internet (for those that can locate the machine) and those with a password should be aware that Workgroups has no protection against brute force attacks. To Reproduce ------------ Start up "smbclient", and ask to connect to a resource. Then issue the commands "cd ../" or "cd ...", which are valid according to the SMB protocol. These servers move up to the next level directory (the one above the one that was shared on the network) without any complaint. I have tried other SMB servers such as Samba, Windows NT and OS/2 LAN Manager. Samba correctly denies access, NT incorrectly does not complain but does not appear to have a security problem, and LAN Manager handles it in the correct manner. Why --- The Microsft Server Message Block (SMB) file and print sharing protocol is an X/Open standard. The Samba client implements the X/Open protocol properly, but these two Microsoft servers do not. As Andrew Tridgell said recently "It is nice of them to make it an X/Open standard, but as with most proprietry ideas it is much less rigorously tested than an RFC. For instance, there are three completely different date and time formats used at random throughout". So I suppose it is just the same sort of thinking carried into implementation. Samba ----- You can find out about Samba at http://lake.canberra.edu.au/pub/samba/samba.html. Exploration ----------- The Samba site has a link to the tcpdump patches by Andrew that understand SMB (and also NetBEUI, incidentally.) Samba also comes with a file system for Linux that allows SMB resources to be mounted. Theoretically it would be possible to mount the disk of a Workgroups server and reshare it as, say, an FTP site or a Web site :-) Dan * Next message: Dan Shearer: "Re: Bug in Windows for Workgroups, Win95 beta" * Previous message: Cy Schubert - BCSC Open Systems Group: "Re: [Linux-ISP] lpr(1) bug" * Next in thread: Dan Shearer: "Re: Bug in Windows for Workgroups, Win95 beta"