[jcifs] Follow-Up: Method logonLogoff() in class SmbSession

Michael B. Allen miallen at eskimo.com
Sun Jan 12 06:27:06 EST 2003

On Sat, 11 Jan 2003 12:25:11 +0100
"Marc Lehmann" <marc.lehmann at freenet.de> wrote:

> Dear Michael,
> You may have a look at the class SmbTest attached with my previous email.
> http://lists.samba.org/pipermail/jcifs/2003-January/003071.html
> SmbTest does the following:
> 1. Get domain, account and password. WINS is taken from the command line. Respective timeout values are set to "0".
> 2. Resolve for domain controller. Get challenge from domain controller.
> 3. Create NtlmPasswordAuthentication object providing domain, account and password.
> 4. Get LMhash and NThash from above object. Supposing they resemble the hashes provided by IE during NTLM authentication.
> 5. Create another NtlmPasswordAuthentication object providing LMhash and NThash.
> 6. Call logon() with second NtlmPasswordAuthentication object. This yields 'logon OK' provided correct credentials have been set in step 1.
> 7. Invalidate LMhash and NThash. (Setting all bytes to "0".)
> 8. Create another NtlmPasswordAuthentication object providing invalid hashes.
> 9. Call logon() with third NtlmPasswordAuthentication object. This always yields 'logon OK'.
> The effect in step 9 doesn't look right to me. Could this possibly be exploited as a security backdoor?
> I may use your library in a way not anticipated yet. I only need to
> authenticate a user once to provide an access token upon successful
> authentication. A user with a valid access token wouldn't need to go
> through NTLM authentication again. Having this use case I strongly feel
> a method like logonLogoff() would make sense to discard SMB specific
> resources as soon as possible. What do you think?

Did you read my last reply? I replied to the list and your infineon
address. If so then one of us is misunderstanding the other. If you
insert a new step 9 that sleeps for jcifs.smb.client.soTimeout + 1 what
happens in step 10? Now think about in practice what will happen if your
soTimeout is say 5 seconds.

Bottom line: A different user would have to log into your application
every 5 seconds for credentials to be cached longer than that. Not likely.

A program should be written to model the concepts of the task it
performs rather than the physical world or a process because this
maximizes the potential for it to be applied to tasks that are
conceptually similar and, more important, to tasks that have not
yet been conceived.
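
A simplified model of the behaviour discussed in this thread, added here as an example; it is not jCIFS code and not written by either poster. It shows a logon cache with a timeout returning success for zeroed hashes while the cached session is live, rejecting them once the timeout has passed, and a variant that compares the presented hashes before reusing a session. The class name, the 5-second timeout, the account name and the hash bytes are constructed assumptions.

```java
import java.security.MessageDigest;
import java.util.HashMap;
import java.util.Map;

// Hypothetical model, not jCIFS code: a logon cache whose entries expire
// after a timeout (standing in for jcifs.smb.client.soTimeout).
public class SessionCacheDemo {
    static final long SO_TIMEOUT_MS = 5000;        // assumed: the 5 seconds from the reply
    static final byte[] REAL_HASH = {1, 2, 3, 4};  // constructed stand-in for the valid hash

    record Entry(byte[] hash, long expires) {}

    final Map<String, Entry> cache = new HashMap<>();
    final boolean compareHashes;                   // false = reuse a session by account name only

    SessionCacheDemo(boolean compareHashes) { this.compareHashes = compareHashes; }

    // Stand-in for the domain controller checking the presented hash.
    static boolean serverAccepts(byte[] hash) {
        return MessageDigest.isEqual(hash, REAL_HASH);
    }

    boolean logon(String user, byte[] hash, long nowMs) {
        Entry e = cache.get(user);
        boolean live = e != null && nowMs < e.expires();
        // Reuse a live session; the strict variant also requires matching hashes
        // (MessageDigest.isEqual is a constant-time comparison).
        if (live && (!compareHashes || MessageDigest.isEqual(hash, e.hash()))) {
            return true;                           // server is not consulted
        }
        if (!serverAccepts(hash)) return false;    // full authentication against the server
        cache.put(user, new Entry(hash.clone(), nowMs + SO_TIMEOUT_MS));
        return true;
    }

    public static void main(String[] args) {
        byte[] zeros = new byte[4];                // step 7: hashes set to all zero bytes
        SessionCacheDemo byName = new SessionCacheDemo(false);
        System.out.println("valid hashes:                " + byName.logon("DOM\\user", REAL_HASH, 0));
        System.out.println("zeroed, within timeout:      " + byName.logon("DOM\\user", zeros, 1000));
        System.out.println("zeroed, after timeout + 1:   " + byName.logon("DOM\\user", zeros, SO_TIMEOUT_MS + 1));
        SessionCacheDemo strict = new SessionCacheDemo(true);
        System.out.println("strict, valid hashes:        " + strict.logon("DOM\\user", REAL_HASH, 0));
        System.out.println("strict, zeroed, within time: " + strict.logon("DOM\\user", zeros, 1000));
    }
}
```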
