[cifs-protocol] [REG:111101553031054] SystemLibraryDTC
bburgin at microsoft.com
Tue Jun 12 09:56:46 MDT 2012
Hi Andrew. We made some progress on this issue. Below is the response from Jay Simmons who researched this for you. Jay agreed to join this thread.
"Thanks for your extreme patience on this issue. Your findings were correct – Windows servers up through Windows Server 2003 will attempt to use the well-known key “SystemLibraryDTC” to decrypt data, if no SMB session has been established for the incoming client (which is usually the case when invoking RPC calls over TCP). Windows servers after WS03 behave only slightly better – for those OS versions, a “random” key will be used whose contents depend on memory\stack contents at the time the call is made. While the server-side behavior is not ideal, the client must still first be authenticated and authorized for the operation (e.g., password set) to be allowed. Therefore the security vulnerability lies in the fact that the client chose to expose sensitive data to a potential wire-sniffing attack, by using an insecure means of making the call in the first place (this assumes that RPC-level transport security was not leveraged to protect the data). Note that we explicitly document in MS-SAMR (see section 2.1) which calls must be made using RPC-over-SMB, at least in part for preventing exactly this problem. No Windows client will ever invoke such a call (i.e., one with SMB-session-key encrypted parameters) without an SMB session.
"This probably goes without saying, but please do not attempt to rely on this behavior as it will likely be blocked at some point in the future.
"Feedback welcomed, especially if you think we have misunderstood the security implications of the issue."
Please let us know your feedback.
From: Andrew Bartlett [mailto:abartlet at samba.org]
Sent: Sunday, February 12, 2012 10:36 PM
To: Bryan Burgin
Cc: 'cifs-protocol at cifs.org'; MSSolve Case Email; Tarun Chopra
Subject: RE: [cifs-protocol] [REG:111101553031054] SystemLibraryDTC
On Mon, 2012-02-13 at 06:21 +0000, Bryan Burgin wrote:
> I'm touching base to see if you can provide the exact smbtorture steps to reproduce your issue.
bin/smbtorture ncacn_np:win2003r2-2[seal] rpc.lsa.secrets -Uadministrator%penguin
win2003r2-2 is naturally a win2003r2 server, currently not a DC.
I note with interest that this test fails with NO_USER_SESSION_KEY in win2k8r2, so I would like to know when this was changed and any important details, so we on the Samba Team can assess removing SystemLibraryDTC eventually.
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
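A client-side guard for the rule Jay describes above (session-key-encrypted SAMR calls belong on RPC-over-SMB), written against the smbtorture binding-string form used in Andrew's reproduction command. This is an added example, not Samba or Microsoft code; the policy, the function names and the option handling are assumptions.

```python
"""Refuse MS-SAMR calls that need the SMB session key unless the transport provides one.

Added example (not Samba or Microsoft code). Binding strings follow the smbtorture
form from the thread: transport:host[option,option]. Policy and names are assumptions."""
import re
from dataclasses import dataclass

# Transports that carry a real per-session SMB key (RPC-over-SMB named pipes).
SMB_TRANSPORTS = {"ncacn_np"}
# Options meaning RPC-level privacy protection was requested on the binding.
PRIVACY_OPTIONS = {"seal"}

_BINDING_RE = re.compile(
    r"^(?P<transport>[a-z_]+):(?P<host>[^\[\s]+)(?:\[(?P<opts>[^\]]*)\])?$"
)


@dataclass(frozen=True)
class Binding:
    transport: str
    host: str
    options: frozenset


def parse_binding(binding: str) -> Binding:
    """Parse 'ncacn_np:win2003r2-2[seal]' into its parts; raise on malformed input."""
    m = _BINDING_RE.match(binding.strip())
    if not m:
        raise ValueError(f"malformed binding string: {binding!r}")
    opts = m.group("opts")
    options = frozenset(o.strip().lower() for o in opts.split(",") if o.strip()) if opts else frozenset()
    return Binding(m.group("transport").lower(), m.group("host"), options)


def session_key_call_allowed(binding: str) -> tuple:
    """Decide whether a session-key-encrypted call (e.g. a password set) may be sent.

    Only RPC-over-SMB yields an SMB session key. On any other transport the client
    would fall back to a fixed or garbage key, which MS-SAMR section 2.1 forbids,
    and without 'seal' the sensitive parameters are also exposed on the wire."""
    b = parse_binding(binding)
    if b.transport in SMB_TRANSPORTS:
        return True, "SMB session key available"
    if b.options & PRIVACY_OPTIONS:
        return False, "sealed, but no SMB session key: would rely on server fallback key"
    return False, "no SMB session key and no RPC privacy: data exposed on the wire"
```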