svn commit: samba r4885 - in branches/SAMBA_4_0/source: include
libcli libcli/nbt librpc librpc/idl librpc/ndr
Andrew Tridgell
tridge at osdl.org
Fri Jan 21 22:11:37 GMT 2005
Chris,
> Again, I'm not sure how the attack you're describing works.
Imagine you have a WINS server, and clients that do predictable TRNs
in wins lookups. Now imagine you have been a very conscientious
administrator and used fixed names/ips in WINS to prevent WINS
pollution attacks (or uses a dhcp->wins gateway).
An attacker would do this:
- listen for dhcp/arp startup signatures of booting clients
- when it happens, predict the TRN that will be used for the initial
"where is my server" WINS lookup
- spoof a reply packet, using the WINS servers source IP, and the
predicted TRN id
With random TRN ids this becomes _much_ harder. Not impossible, but
hard enough that the traffic flood will hopefully be noticed.
> Question: The function call you cited starts with NDR_. How does
> NDR encoding relate to NBT? Do you bypass the NDR encoding itself?
It uses "extended IDL/NDR" that pidl supports. The thing to notice is
that NBT uses an encoding very similar to NDR, which is why its so
easy.
Before someone asks, the situation is quite different for the SMB
protocol. Most of that is too irregular to be done as IDL/NDR (at
least while keeping the IDL reasonably sane).
Cheers, Tridge
More information about the samba-technical
mailing list