SMB Security Hole

Thangorodrim writes "First saw this at SecurityFocus, but it seems as if someone at COTDC finally got around to coding a nice SMB session hijacker for NT/2000. I've tested this on some machines...its pretty brutal. And just in time to coincide with the release of l0phtcrack 3.0... The story linked doesn't have a link to the actual utility, but you can grab it here." *cough* For testing purposes only, of course.

Re:Downward Spiral?

[IntlHarvester]

But it's common wisdom that the greatest threat is from the inside

I'd guess you have that philosophy, the answer is clear: DON'T RUN SMB. Also, don't run various other useful interal protocols such as NFS, NetWare v3/Bindary, IMAP, telnet, ftp, legacy host terminal emu, etc etc etc either, because they all suffer from the same no/weak security problem, unless you've put in something like IPSEC underneath (or the poor-man's version, SSH tunnels).

Well, at the very least a pure Win2000/Active Directory network is immune to most of the stupid legacy 80s hacks such as the ones covered in this article. Don't know enough to say that it doesn't have other issues.

--

Re:Samba

[TheLink]

All you have to do is just wait for KDE/Gnome etc to add that :).

Could be a matter of time...

Link.

Re:Downward Spiral?

[acceleriter]

The short answer is that most SMB networks are safely firewalled away

But it's common wisdom that the greatest threat is from the inside--from the people that know the network and who have the ability to, say, get to a desktop machine and turn off encrypted authentication. And if there's one box on the subnet that can't do encrypted authentication (and thus the authenticating server can't require it), boom. That user account is compromised along with the trade secrets, payroll data, or personal emails that the inside person is after.

I agree that this problem has been known about just short of forever.

Re:Downward Spiral?

[imipak]

But it's common wisdom that the greatest threat is from the inside

I'd guess you have that philosophy, the answer is clear: DON'T RUN SMB

Or, you could do what any half-way competent network manager did five years ago - throw out your hubs and move to a switched network fabric. Unless evil_hax0r gets physical access to the switch's mirror port, there's no problem with SMB (telnet, ftp, pop...)
--
If the good lord had meant me to live in Los Angeles

Re:Downward Spiral?

[imipak]

er, no, you can't...
--
If the good lord had meant me to live in Los Angeles

Re:Downward Spiral?

[imipak]

ARP poisoning attacks... Hmmm, well, yes, you're right. But it does make it much harder - rules out the snort-kiddies, anyway.
--
If the good lord had meant me to live in Los Angeles

Re:Downward Spiral?

[Thangorodrim]

"throw out your hubs and move to a switched network fabric" This can help, but of course you can sniff on a switched network ;) -Thang

Re:Samba

[Thangorodrim]

Samba doesn't have the "client" side functionality that Windows has. In other words, its hard to trick the target into making that initial SMB session request. On a windows system, typing "file://w.x.y.z/blah.txt" will initiate an SMB session request if w.x.y.z is remote. On a linux box, it won't do anything. -thang

Re:Downward Spiral?

[Thangorodrim]

Of course you can. Switched networks are vulnerable to ARP poisoning attacks...and are thus vulnerable to sniffing and session hijacking.

Anyone who tells you switched networks are invulnerable to sniffing is lying. Its just a little harder to do. There are some tools (which I won't name, for the sake of my karma) that do both.

-t

Re:Samba

[Thangorodrim]

Actually, although I don't use samba much, I'm almost positive that there a netscape plugin that will make netscape use SMB-type browsing.

Incidentally, I tested out netscape, its ITS default behavior for file:// links is FTP...

Re:Downward Spiral?

[Dancin_Santa]

As any OS 'ages', more holes will be found.

I believe that there's a direct correlation between the amount of time a product has been available and the number of holes found in that product.

Take for example W2K. When it was first released, there were zero (count 'em, zero) security holes found in it. Now that a little while has passed, we have a whole slew of them!

I noticed this also works with humans as well. When born, a human has almost a close to zero chance of having had a disease. Look 60 years later and the odds that a disease was caught goes up astronomically.

You, sir, are a genius.

Dancin Santa

Re:Downward Spiral?

[Phexro]

well, even with the crappy security that's become the norm with msft products, an os using a nt kernel will always be more secure than an os using a 9x kernel.

even if nt's implementation is flawed, it at least has the design, like users, permissions, and some seperation of kernel- and user-space.

with that said, a default install of nt (dunno about win2k, never touched it) is so horrible that it brings the overall security of the system almost down to the win9x level. which is to say none at all. come on, who besides msft would ship a product with the filesystem permissions blown wide open by default?

but the moral of this story is: don't use default installs on production systems. even if they aren't windows.
---

Samba

[danpbrowning]

How does samba avoid this hole? (Better design in the first place? Or saw the problem and fixed it?)

Downward Spiral?

[CliffSpradlin]

As win2k "ages" it seems as though more and more holes in it are being found. Could this eventually make win2k as unsecure as Win9x?

Re:Downward Spiral?

[IntlHarvester]

Great karma score for saying nothing.

As the article points out, Microsoft long ago fixed this with NTLMv2. What the article didn't point out, was that this "new" exploit has been known about for at least 5 years, if not 10 or 15 years. The short answer is that most SMB networks are safely firewalled away, and the admins could give a crap about the authentication security.

The reason people are still vulnerable is that Microsoft loathes to break backwards compatibility. Switching authentication protocols also "breaks" Samba, I believe, which I'm sure many slashdot readers would ascribe to malice. Contrary to your assumption, as older products go away, Microsoft's products will become more secure.

Anyway, just another reason not to hire paper MCSEs...
--

Re:Downward Spiral?

[IntlHarvester]

Actually, a Index Server hole was found between RTM and launch. Thus, when Windows 2000 was released, there was already a hotfix waiting for it.

Time definately makes holes more obvious, but product quality has a much more significant impact. For example, consider IE, Netscape 4.x, IIS, and wu-ftp. All of the above products have had a very poor security history, and holes are still being discovered. My guess is that holes will continually be discovered until the products are sigificantly rewritten or audited. On the other hand, look at Apache or QMail: Time has not brought out a significant increase in security fixes.
--