Security hole?

Luke Kenneth Casson Leighton lkcl at
Tue May 5 15:09:02 GMT 1998

On Wed, 6 May 1998, Andrew Tridgell wrote:

> > i don't use win95: i can do an nt wksta one, though.
> ok. Upload it somewhere on
> > > then the null password
> > > will fail when the server is in user level security. The client then
> > > sends a proper session setup.
> > 
> > no it doesn't :-)  it converts the user to the guest account (extract from
> > reply.c): 
> > 
> >   /* If no username is sent use the guest account */
> >   if (!*user)
> >     {
> you misread what I said. I said that a null password will fail in user
> level security. I didn't say that a null session would fail.


> They are
> very different things. You have to keep these two separate as they are
> dealt with quite dfferently. (in both cases Samba acts exactly as NT
> does, but the two cases are treated differently).

in that case, i have never dealt with "null password" in user level
security: i have only seen "null session" and "user/non-null-pass/domain" 
> > > tconXs never have usernames in them (unless you count the % hack).
> > 
> > exactly: therein lies the problem.
> nope, that's a red herring I think. 

not really: if the SMBsessetupX was made with "null session" and the first
tconX made with a null password to IPC$, we do not put out an error
message when further tconXs come in [to connect to shares].

if we did, then the win95 clients would drop the connection and re-issue
an SMBsessetupX, but this time with a username/non-null-password/domain
> > it does, and so does win95.  i don't use win95 any more, but i can get you
> > an NT trace.
> ok, an NT trace would be good. A win95 one would be better as it would
> eliminate any possibility that it is an interaction with the domain
> client code in NT.
> > username was NULL: password was "length 1".  i wouldn't have had a share
> > named after "nobody" come up if it wasn't.
> not so. Don't infer stuff from what shows up on the screen! A sniff is
> the only real way of knowing what is going on.
> anyway, I'll look at a sniff.
> The good thing is that if there is a problem then it will probably be
> easy to fix. The solution would almost certainly be to return a
> particular error code in tconx if the vuid matched a null
> session.

this is what i have seen NT server do, and the win95 or nt client then
sends a proper "user/non-null-pass/domain" request.


More information about the samba-ntdom mailing list