[Samba] IPC$ share accessible with arbitrary usernames/passwords
Andrew Bartlett
abartlet at samba.org
Tue Nov 19 07:50:01 GMT 2002
On Tue, 2002-11-19 at 16:05, kirk johnson wrote:
>
> MM = M Maki (1 Oct 2002)
> AB = Andrew Bartlett (2 Oct 2002)
>
> MM > I have a couple of Samba (2.0.7 & 2.2.0) servers I scanned with
> > Nessus and they reported a security hole of "Possible to login
> > to the remote host using a NULL session" I have a couple of NT
> > servers I disabled with a registry edit. Is there a way to
> > prevent this on the Samba servers or is it even a valid issue?
>
> AB > Samba HEAD starts to add some of this, but the manpage is
> > completely inaccurate...
> >
> > Set 'restrict anonymous = 1' should get you the start.
> >
> > I'm looking into how to best implement 'restrict anonymous = 2'.
> >
> > In the meantime, if you set 'auth methods = sam' (for standalone
> > servers) then it will skip the 'guest' module, and deny all
> > anonymous connections. However, this will break browsing and
> > other services.
>
> i have the same basic question -- i'm running samba 2.0.6 on some
> linux boxes, and nessus complains about several "Risk factor: High"
> bugs that all seem to boil down to the fact that IPC$ can be accessed
> with any username and password.
>
> i tried both the 'restrict anonymous = 1' and 'auth methods = sam'
> tweaks suggested by andrew, but neither seems to make a difference --
> smbclient can still connect to \\targethost\IPC$ using arbitrary
> usernames and passwords.

Both options are only in Samba 3.0. Run 'testparm', before you wonder
why an option doesn't work.

> i'm also unclear (both from my own lack of windows/samba knowledge and
> from andrew's answer, quoted above) whether or not the ability to
> access IPC$ using arbitrary usernames/passwords is actually a security
> issue with samba/linux, or if this is perhaps only an issue for
> genuine microsoft SMB implementations?

It's an information leak - an unauthenticated user can find out a list
of all users. Interestingly, much of this information can be inferred
from other calls that are not controlled by 'restrict anonymous = 1'.

> i've searched far and wide on th' net trying to find more information
> about this, but other than the two e-mail messages quoted above, have
> pretty much failed miserably.
>
> any further information on this subject (e.g., whether or not IPC$
> being exposed in this way is actually a security risk, possible
> workarounds, including upgrading to newer versions of samba, etc.)
> that folks might be able to provide would be much appreciated.

Samba 3.0 implements 'restrict anonymous = 1'. I'm about to add
'restrict anonymous = 2' support. (Which locks down all guest access to
IPC$, but breaks lots of things, like PDC and browse master support).

Andrew Bartlett
--
Andrew Bartlett abartlet at pcug.org.au
Manager, Authentication Subsystems, Samba Team abartlet at samba.org
Student Network Administrator, Hawker College abartlet at hawkerc.net
http://samba.org http://build.samba.org http://hawkerc.net
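
Added example, not part of the original message or of Samba itself: a shell check that reads testparm output and reports which of the hardening parameters named in this thread the installed Samba build ignores. The sample outputs are constructed, and the exact wording of the "unknown parameter" messages is an assumption to confirm against your own testparm.

```shell
#!/bin/sh
# Added example: find smb.conf hardening settings that testparm reports as
# unknown, i.e. settings this Samba build silently ignores.
# Assumption: the message wording matched below; verify on your version.
# Real use:  testparm -s /etc/samba/smb.conf 2>&1 | check_hardening

# Reads testparm output on stdin; prints each ignored parameter name once.
ignored_params() {
    sed -n \
        -e 's/^Unknown parameter encountered: "\(.*\)"$/\1/p' \
        -e 's/^Ignoring unknown parameter "\(.*\)"$/\1/p' |
        sort -u
}

# Reads testparm output on stdin; succeeds if parameter "$1" was NOT ignored.
param_honoured() {
    ! ignored_params | grep -Fxq -- "$1"
}

# Reads testparm output on stdin; reports on the two parameters from the
# thread and returns non-zero if either one is being ignored.
check_hardening() {
    out=$(cat)
    rc=0
    for p in "restrict anonymous" "auth methods"; do
        if printf '%s\n' "$out" | param_honoured "$p"; then
            echo "ok: $p"
        else
            echo "IGNORED: $p"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample: a build that does not know either parameter.
SAMPLE_OLD='Load smb config files from /etc/samba/smb.conf
Unknown parameter encountered: "restrict anonymous"
Ignoring unknown parameter "restrict anonymous"
Unknown parameter encountered: "auth methods"
Ignoring unknown parameter "auth methods"
Loaded services file OK.'

# Constructed sample: a build that accepts both parameters.
SAMPLE_NEW='Load smb config files from /etc/samba/smb.conf
Loaded services file OK.'

printf '%s\n' "$SAMPLE_OLD" | check_hardening || true
```

A parameter that passes this check is only known to the parser; whether anonymous IPC$ access is actually refused still has to be confirmed by rescanning the server.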