Security hole?

Andrew Tridgell tridge at samba.anu.edu.au
Tue May 5 14:40:09 GMT 1998


> i don't use win95: i can do an nt wksta one, though.

ok. Upload it somewhere on samba.anu.edu.au.
  
> > then the null password
> > will fail when the server is in user level security. The client then
> > sends a proper session setup.
> 
> no it doesn't :-)  it converts the user to the guest account (extract from
> reply.c): 
> 
>   /* If no username is sent use the guest account */
>   if (!*user)
>     {

you misread what I said. I said that a null password will fail in user
level security. I didn't say that a null session would fail. They are
very different things. You have to keep these two separate as they are
dealt with quite differently. (in both cases Samba acts exactly as NT
does, but the two cases are treated differently).

> > tconXs never have usernames in them (unless you count the % hack).
> 
> exactly: therein lies the problem.

nope, that's a red herring I think. 

> it does, and so does win95.  i don't use win95 any more, but i can get you
> an NT trace.

ok, an NT trace would be good. A win95 one would be better as it would
eliminate any possibility that it is an interaction with the domain
client code in NT.

> username was NULL: password was "length 1".  i wouldn't have had a share
> named after "nobody" come up if it wasn't.

not so. Don't infer stuff from what shows up on the screen! A sniff is
the only real way of knowing what is going on.

anyway, I'll look at a sniff.

The good thing is that if there is a problem then it will probably be
easy to fix. The solution would almost certainly be to return a
particular error code in tconx if the vuid matched a null
session. That is basically the only mechanism that would be available
for a server to avoid this client problem.

My bet is that it will turn out not to be a null session problem at
all :-)

There are fundamental flaws in the user security model employed in SMB
as I've explained on the CIFS digest a couple of times, and the
problems are related to the handling of null passwords and null
sessions, but the problems don't give rise to the symptoms you've
described.

Cheers, Andrew
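The two cases Andrew keeps separate above (a null session at session setup versus a null password under user-level security) and the mitigation he suggests (a distinct tconX error when the vuid belongs to a null session), as an added example written for this page. It is a model, not code from Samba's reply.c: the account list, vuid numbering, error codes and the client fallback behaviour are all assumptions made for illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Illustrative model written for this page; not Samba's reply.c. */

enum sec_mode  { SEC_SHARE, SEC_USER };   /* server "security =" setting */
enum sess_kind { SESS_NULL, SESS_USER };  /* what a vuid was bound to    */

enum tcon_result {
    TCON_OK = 0,
    TCON_ERR_BAD_VUID,       /* vuid was never issued by session setup  */
    TCON_ERR_NULL_SESSION,   /* vuid belongs to a null session           */
    TCON_ERR_LOGON_FAILURE   /* client side: real session setup rejected */
};

struct vuid_entry { uint16_t vuid; enum sess_kind kind; char user[32]; };

#define MAX_VUIDS 16
static struct vuid_entry vuid_table[MAX_VUIDS];
static int vuid_count;
static uint16_t next_vuid = 100;

/* Constructed account list standing in for the real password database. */
static const struct { const char *user, *pass; } accounts[] = {
    { "alice", "s3cret" },
};

static bool password_ok(const char *user, const char *pass)
{
    for (size_t i = 0; i < sizeof accounts / sizeof accounts[0]; i++)
        if (strcmp(accounts[i].user, user) == 0)
            return strcmp(accounts[i].pass, pass) == 0;
    return false;
}

static const struct vuid_entry *vuid_lookup(uint16_t vuid)
{
    for (int i = 0; i < vuid_count; i++)
        if (vuid_table[i].vuid == vuid) return &vuid_table[i];
    return NULL;
}

static uint16_t vuid_register(enum sess_kind kind, const char *user)
{
    if (vuid_count >= MAX_VUIDS) return 0;
    struct vuid_entry *e = &vuid_table[vuid_count++];
    e->vuid = next_vuid++;
    e->kind = kind;
    snprintf(e->user, sizeof e->user, "%s", user);
    return e->vuid;
}

/* SMBsesssetupX: returns the vuid issued, or 0 for a logon failure. */
uint16_t session_setup(enum sec_mode mode, const char *user, const char *pass)
{
    /* Null SESSION: no username at all.  Mapped to guest and never
     * fails, like the "if (!*user)" branch quoted from reply.c. */
    if (!*user)
        return vuid_register(SESS_NULL, "guest");

    /* Null PASSWORD: a username with an empty password.  In user-level
     * security this is an ordinary failed logon: a different case. */
    if (mode == SEC_USER && (!*pass || !password_ok(user, pass)))
        return 0;

    return vuid_register(SESS_USER, user);
}

/* SMBtconX carries no username, only the vuid, so the server can only
 * act on what that vuid was bound to.  With reject_null_session set, a
 * null-session vuid gets a distinct error instead of a tree connect. */
enum tcon_result tcon_x(uint16_t vuid, bool reject_null_session)
{
    const struct vuid_entry *e = vuid_lookup(vuid);
    if (!e) return TCON_ERR_BAD_VUID;
    if (reject_null_session && e->kind == SESS_NULL) return TCON_ERR_NULL_SESSION;
    return TCON_OK;
}

/* Assumed client behaviour: null session first, real credentials only
 * when the server refuses the tree connect with the distinct error. */
enum tcon_result client_connect(bool server_rejects_null, const char *user,
                                const char *pass, uint16_t *vuid_out)
{
    uint16_t vuid = session_setup(SEC_USER, "", "");
    enum tcon_result rc = tcon_x(vuid, server_rejects_null);
    if (rc == TCON_ERR_NULL_SESSION) {
        vuid = session_setup(SEC_USER, user, pass);
        if (vuid == 0) return TCON_ERR_LOGON_FAILURE;
        rc = tcon_x(vuid, server_rejects_null);
    }
    *vuid_out = vuid;
    return rc;
}
```

Calling client_connect(false, "alice", "s3cret", &v) gets a tree connect on a guest-bound vuid, which is the kind of result that would show up on screen as a share reached through the guest account; client_connect(true, ...) is refused once, falls back to a real session setup and ends on alice's vuid. Either way the only reliable way to tell which happened on a real network is the sniff Andrew asks for, since the tconX itself never carries a username.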

