Security hole?
Luke Kenneth Casson Leighton
lkcl at switchboard.net
Tue May 5 15:09:02 GMT 1998
On Wed, 6 May 1998, Andrew Tridgell wrote:
> > i don't use win95: i can do an nt wksta one, though.
>
> ok. Upload it somewhere on samba.anu.edu.au.
>
> > > then the null password
> > > will fail when the server is in user level security. The client then
> > > sends a proper session setup.
> >
> > no it doesn't :-) it converts the user to the guest account (extract from
> > reply.c):
> >
> > /* If no username is sent use the guest account */
> > if (!*user)
> > {
>
> you misread what I said. I said that a null password will fail in user
> level security. I didn't say that a null session would fail.
ah.
> They are
> very different things. You have to keep these two separate as they are
> dealt with quite differently. (in both cases Samba acts exactly as NT
> does, but the two cases are treated differently).
in that case, i have never dealt with "null password" in user level
security: i have only seen "null session" and "user/non-null-pass/domain"
sessions.
> > > tconXs never have usernames in them (unless you count the % hack).
> >
> > exactly: therein lies the problem.
>
> nope, that's a red herring I think.
not really: if the SMBsessetupX was made with "null session" and the first
tconX made with a null password to IPC$, we do not put out an error
message when further tconXs come in [to connect to shares].
if we did, then the win95 clients would drop the connection and re-issue
an SMBsessetupX, but this time with a username/non-null-password/domain
connection.
> > it does, and so does win95. i don't use win95 any more, but i can get you
> > an NT trace.
>
> ok, an NT trace would be good. A win95 one would be better as it would
> eliminate any possibility that it is an interaction with the domain
> client code in NT.
>
> > username was NULL: password was "length 1". i wouldn't have had a share
> > named after "nobody" come up if it wasn't.
>
> not so. Don't infer stuff from what shows up on the screen! A sniff is
> the only real way of knowing what is going on.
>
> anyway, I'll look at a sniff.
>
> The good thing is that if there is a problem then it will probably be
> easy to fix. The solution would almost certainly be to return a
> particular error code in tconx if the vuid matched a null
> session.
this is what i have seen NT server do, and the win95 or nt client then
sends a proper "user/non-null-pass/domain" request.
luke
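The two server behaviours this exchange contrasts, modelled as an added example (this is illustration code, not Samba source and not anything posted in the thread): a null session is mapped to the guest account, a tconX carries a share and a vuid but no username, and the proposed fix is to return an error on a tconX from a null-session vuid to anything other than IPC$, so the client drops that session and re-issues SMBsessetupX with user/non-null-pass/domain. The user table, share list, status names (the thread does not say which error code NT returns; ACCESS_DENIED is a placeholder), and the client's retry policy are all assumptions made for the example.

```python
"""
Model of SMBsessetupX / SMBtconX handling under user-level security.
Added example; not Samba code. Status names, the user and share tables,
and the client retry policy are assumptions chosen for illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

OK = "OK"
LOGON_FAILURE = "LOGON_FAILURE"  # assumed name: null/wrong password, user-level security
ACCESS_DENIED = "ACCESS_DENIED"  # assumed placeholder: tconX refused for a null-session vuid
BAD_VUID = "BAD_VUID"
NO_SUCH_SHARE = "NO_SUCH_SHARE"
GUEST = "nobody"                 # guest account a null session is mapped to


@dataclass
class Session:
    vuid: int
    username: str
    null_session: bool


@dataclass
class Server:
    """Minimal user-level-security server with the two requests under discussion."""
    reject_null_tconx: bool            # True = the fix proposed in the thread
    users: Dict[str, str]              # username -> password (constructed test data)
    shares: List[str]
    sessions: Dict[int, Session] = field(default_factory=dict)
    next_vuid: int = 100

    def sessetupX(self, user: str, password: bytes, domain: str) -> Tuple[str, Optional[int]]:
        """SMBsessetupX: the only request that carries a username."""
        if not user:
            # No username sent: becomes the guest account (the reply.c branch quoted above).
            return self._new_session(GUEST, null_session=True)
        # A real username with a null (or wrong) password fails in user-level security.
        if not password or self.users.get(user) != password.decode():
            return LOGON_FAILURE, None
        return self._new_session(user, null_session=False)

    def _new_session(self, name: str, null_session: bool) -> Tuple[str, int]:
        vuid = self.next_vuid
        self.next_vuid += 1
        self.sessions[vuid] = Session(vuid, name, null_session)
        return OK, vuid

    def tconX(self, vuid: int, share: str) -> Tuple[str, Optional[str]]:
        """SMBtconX: carries a share name and a vuid, never a username."""
        sess = self.sessions.get(vuid)
        if sess is None:
            return BAD_VUID, None
        if share not in self.shares:
            return NO_SUCH_SHARE, None
        if sess.null_session and share != "IPC$" and self.reject_null_tconx:
            # Proposed fix: error when the vuid matched a null session, so the
            # client drops it and re-issues a proper session setup.
            return ACCESS_DENIED, None
        # Without that check the share is served as the session's user, i.e.
        # as the guest account for a null session.
        return OK, sess.username


def client_connect(server: Server, share: str, user: str, password: str,
                   domain: str) -> Tuple[List[str], Optional[str]]:
    """Client side as described in the thread: null session and IPC$ first, then the
    share; on an error from tconX, re-issue SMBsessetupX with real credentials.
    Returns the request log and the account the share was finally served as."""
    log: List[str] = []
    # Null session: empty username; on the wire the password field is a single
    # NUL byte (the "length 1" password mentioned above).
    status, vuid = server.sessetupX("", b"\x00", "")
    log.append(f"sessetupX(null) -> {status} vuid={vuid}")
    status, _ = server.tconX(vuid, "IPC$")
    log.append(f"tconX(IPC$) -> {status}")
    status, served_as = server.tconX(vuid, share)
    log.append(f"tconX({share}) -> {status} as {served_as}")
    if status == OK:
        return log, served_as
    # Error on the share tconX: drop the null session and authenticate properly.
    status, vuid = server.sessetupX(user, password.encode(), domain)
    log.append(f"sessetupX({domain}\\{user}) -> {status} vuid={vuid}")
    if status != OK:
        return log, None
    status, served_as = server.tconX(vuid, share)
    log.append(f"tconX({share}) -> {status} as {served_as}")
    return log, (served_as if status == OK else None)


def demo(reject_null_tconx: bool) -> Optional[str]:
    """Run one client connection to 'homes' and report whose account served it."""
    srv = Server(reject_null_tconx=reject_null_tconx,
                 users={"alice": "s3cret"}, shares=["IPC$", "homes"])
    log, served_as = client_connect(srv, "homes", "alice", "s3cret", "WORKGROUP")
    for line in log:
        print(line)
    return served_as


if __name__ == "__main__":
    print("without the tconX check:", demo(False))  # share served as nobody
    print("with the tconX check:", demo(True))      # client re-authenticates as alice
```

Without the check, the share comes up under the guest account from the null session, which is the behaviour Luke reports seeing; with it, the client re-issues the session setup and the share is served as the real user, which is the NT server behaviour both parties describe. A null password with a real username is rejected in both variants, keeping the "null password" and "null session" cases distinct as Tridgell insists.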