SMB Security Hole 16
Thangorodrim writes "First saw this at SecurityFocus, but it seems as if someone at COTDC finally got around to coding a nice SMB session hijacker for NT/2000. I've tested this on some machines...it's pretty brutal. And just in time to coincide with the release of l0phtcrack 3.0... The story linked doesn't have a link to the actual utility, but you can grab it here." *cough* For testing purposes only, of course.
Re:Downward Spiral? (Score:1)
I'd guess you have that philosophy, the answer is clear: DON'T RUN SMB. Also, don't run various other useful internal protocols such as NFS, NetWare v3/Bindery, IMAP, telnet, ftp, legacy host terminal emu, etc etc etc either, because they all suffer from the same no/weak security problem, unless you've put in something like IPSEC underneath (or the poor-man's version, SSH tunnels).
Well, at the very least a pure Win2000/Active Directory network is immune to most of the stupid legacy 80s hacks such as the ones covered in this article. Don't know enough to say that it doesn't have other issues.
--
Re:Samba (Score:1)
Could be a matter of time...
Link.
Re:Downward Spiral? (Score:1)
But it's common wisdom that the greatest threat is from the inside--from the people that know the network and who have the ability to, say, get to a desktop machine and turn off encrypted authentication. And if there's one box on the subnet that can't do encrypted authentication (and thus the authenticating server can't require it), boom. That user account is compromised along with the trade secrets, payroll data, or personal emails that the inside person is after.
I agree that this problem has been known about just short of forever.
Re:Downward Spiral? (Score:1)
I'd guess you have that philosophy, the answer is clear: DON'T RUN SMB
Or, you could do what any half-way competent network manager did five years ago - throw out your hubs and move to a switched network fabric. Unless evil_hax0r gets physical access to the switch's mirror port, there's no problem with SMB (telnet, ftp, pop...)
--
If the good lord had meant me to live in Los Angeles
Anyone who tells you switched networks are invulnerable to sniffing is lying. It's just a little harder to do. There are some tools (which I won't name, for the sake of my karma) that do both.
-t
Re:Samba (Score:1)
Incidentally, I tested out Netscape, and its default behavior for file:// links is FTP...
Re:Downward Spiral? (Score:1)
I believe that there's a direct correlation between the amount of time a product has been available and the number of holes found in that product.
Take for example W2K. When it was first released, there were zero (count 'em, zero) security holes found in it. Now that a little while has passed, we have a whole slew of them!
I noticed this also works with humans as well. When born, a human has a close to zero chance of having had a disease. Look 60 years later and the odds that a disease was caught go up astronomically.
You, sir, are a genius.
Dancin Santa
Re:Downward Spiral? (Score:2)
even if nt's implementation is flawed, it at least has the design, like users, permissions, and some separation of kernel- and user-space.
with that said, a default install of nt (dunno about win2k, never touched it) is so horrible that it brings the overall security of the system almost down to the win9x level. which is to say none at all. come on, who besides msft would ship a product with the filesystem permissions blown wide open by default?
but the moral of this story is: don't use default installs on production systems. even if they aren't windows.
---
Re:Downward Spiral? (Score:3)
As the article points out, Microsoft long ago fixed this with NTLMv2. What the article didn't point out, was that this "new" exploit has been known about for at least 5 years, if not 10 or 15 years. The short answer is that most SMB networks are safely firewalled away, and the admins could give a crap about the authentication security.
The reason people are still vulnerable is that Microsoft is loath to break backwards compatibility. Switching authentication protocols also "breaks" Samba, I believe, which I'm sure many slashdot readers would ascribe to malice. Contrary to your assumption, as older products go away, Microsoft's products will become more secure.
Anyway, just another reason not to hire paper MCSEs...
--
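As an added example that is not part of the thread: a PowerShell audit of the two host-side settings behind the comment above, LmCompatibilityLevel (the NTLMv2 enforcement the poster refers to, including whether the host still accepts LM/NTLM from legacy clients) and RequireSecuritySignature (SMB signing, which is what prevents a third party from injecting into an established session). The registry paths are Microsoft's documented ones; the function names and the messages are mine.

```powershell
# Added example: report whether this host still tolerates the legacy LM/NTLMv1
# exchange and unsigned SMB sessions. Read-only; it changes nothing.
$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$srv = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$wks = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters'

function Get-RegDword([string]$Path, [string]$Name) {
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }   # value absent: the OS default applies
    return [int]$item.$Name
}

function Test-NtlmHardening {
    $findings = @()

    # LmCompatibilityLevel: 0-2 still send LM/NTLMv1 responses (downgradable),
    # 3-4 send NTLMv2 only, 5 additionally refuses LM and NTLM from clients.
    $lvl = Get-RegDword $lsa 'LmCompatibilityLevel'
    $shown = if ($null -eq $lvl) { 'unset' } else { $lvl }
    if ($null -eq $lvl -or $lvl -lt 3) {
        $findings += "LmCompatibilityLevel is $shown (want 5): LM/NTLMv1 responses can be captured and replayed"
    } elseif ($lvl -lt 5) {
        $findings += "LmCompatibilityLevel is $shown: sends NTLMv2 but still accepts LM/NTLM from legacy clients"
    }

    # SMB signing ties every packet to the authenticated session; without it an
    # established session can be taken over by anyone who can see the traffic.
    foreach ($pair in @(@($srv, 'server'), @($wks, 'client'))) {
        $req = Get-RegDword $pair[0] 'RequireSecuritySignature'
        if ($req -ne 1) {
            $findings += "SMB $($pair[1]) signing not required (RequireSecuritySignature=$req)"
        }
    }
    return $findings
}

$result = Test-NtlmHardening
if ($result.Count -eq 0) { 'OK: NTLMv2-only and SMB signing required' }
else { $result | ForEach-Object { "WEAK: $_" } }
```

Run it on each member of the subnet: one host reporting WEAK is exactly the box the earlier comment describes, the one that keeps the authenticating server from requiring the stronger exchange.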
Re:Downward Spiral? (Score:3)
Time definitely makes holes more obvious, but product quality has a much more significant impact. For example, consider IE, Netscape 4.x, IIS, and wu-ftp. All of the above products have had a very poor security history, and holes are still being discovered. My guess is that holes will continually be discovered until the products are significantly rewritten or audited. On the other hand, look at Apache or QMail: Time has not brought out a significant increase in security fixes.
--