Security hole?

Luke Kenneth Casson Leighton lkcl at regent.push.net
Tue May 5 10:28:04 GMT 1998


On Mon, 4 May 1998, Andrew Tridgell wrote:

> >     I've heard recently that NT had a weakness because it accepted
> > the so called 'null sessions', so that one machine could administer
> > another NT remotely, without providing a username and password. I
> > found a small program on Internet, named QTIP, that can query any NT
> > machine and get many useful information from it, such as a list of
> > users, list of shares, information about a user (for instance, user
> > cannot change password). I've tested this program against one NT4
> > server under my administration, across the Internet, and it worked!
> > The bad part is that it worked against SAMBA NTDOM too!
> 
> null sessions are needed to allow for browse list propagation. Without
> them two hosts can't synchronise their browse lists. (how would you
> enter a password while synchronizing browse lists?)
> 
> You are right that null sessions can also be used to obtain
> information. You can obtain a shares list and the name of the
> workgroup etc. I never considered this to be a security hole.
> 
> What you should be doing is using the "hosts allow" and "hosts deny"
> options to restrict access to your server to hosts that you want to be
> able to get in. Hosts not listed won't be able to synch browse lists,
> so you would normally set the list to include your organisation's local
> subnets and loopback.
> 
> >     Am I mistaken? Does this really constitute a security hole that
> > samba is vulnerable to? I've heard also that NT4 with SP3 can, if the
> > administrator knows, be setup on the registry to not accept 'null
> > sessions'. Wouldn't it be interesting for samba to do the same?
> 
> hmmm, if you set this option in NT then how does browse list
> propagation work? There is no way you could do inter-subnet browsing
> without null sessions.

the win95 and nt clients, if you reject null sessions on IPC$, reconnect
with the currently logged-in username and password.  i have been
mentioning this since january.

it also solves the [homes] problem.

luke
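Added example, not part of this thread: an smb.conf [global] fragment applying the "hosts allow" / "hosts deny" restriction Andrew describes above, with constructed subnets (192.168.1.0/24 and 10.0.0.0/8) standing in for a site's own networks.

```ini
[global]
   ; Constructed example: replace these prefixes with your own local subnets.
   ; Samba checks "hosts allow" first; a client matching it is admitted even
   ; if it also matches "hosts deny". With only "hosts allow" set, clients
   ; not listed are already refused; "hosts deny = ALL" just makes that explicit.
   ; Loopback (127.) is always permitted by Samba regardless of these lists.
   hosts allow = 127. 192.168.1. 10.
   ; Everything else, including null-session clients arriving from the
   ; Internet, is refused before any share (IPC$ included) is reached.
   hosts deny = ALL
```

`testparm smb.conf <hostname> <ip>` reports whether a given client address would be allowed or denied under these lists, which is a quick way to confirm an Internet address is excluded while the local subnets still browse.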
