Security hole?

Luke Kenneth Casson Leighton lkcl at switchboard.net
Wed May 6 12:18:59 GMT 1998


On Wed, 6 May 1998, Andrew Tridgell wrote:

> > not really: if the SMBsessetupX was made with "null session" and the first
> > tconX made with a null password to IPC$, we do not put out an error
> > message when further tconXs come in [to connect to shares].
> 
> tconX always has a null password in user level security (the password
> field would be meaningless anyway).
>  
> > if we did, then the win95 clients would drop the connection and re-issue
> > an SMBsessetupX, but this time with a username/non-null-password/domain
> > connection.
> 
> errr, is this based on wishful thinking or experience?

experience.

> I think win95
> clients are more likely to issue a totally unrelated error message or
> give "the app has performed an illegal operation".

no... ah, actually what _can_ happen is _three_ SMBsessetupXs are sent.

1) null session SMBsessetupX.  server accepts.  null tconX to IPC$.
server accepts.  null tconX to \\server\share: server rejects; client
drops connection.

2) username/non-null-password/domain SMBsessetupX.  server accepts.  null
tconX to \\server\share.  server accepts.

****OR****

2) username/non-null-password/domain SMBsessetupX.  server _validly_
rejects because the user/pass combination is wrong; client drops
connection.

3) Network Neighbourhood throws up a password dialog (on win95) or a
user/password dialog (on NT).  new username/password/domain SMBsessetupX.
server accepts valid password.  null tconX to \\server\share.  server
accepts.

 
> Are you sure you can tell win95 clients to "go back and authenticate
> again" ?

yes.

> What error code do you issue to do this?

can't remember.  i mistakenly put the standard DOS "invalid password" one,
whatever it is, once, and got a non-null-password SMBsessetupX
immediately afterwards.

> My bet is that there
> is no error code that will make them do this, I've certainly never
> seen one.

there is one.

> Remember that SMB authentication is a very fragile thing. Clients
> don't do the "sensible thing" when they get an error back, they tend
> to die horrible deaths instead.

we will have to walk the thin line to get the right path: it exists :-)
 
> > > The good thing is that if there is a problem then it will probably be
> > > easy to fix. The solution would almost certainly be to return a
> > > particular error code in tconx if the vuid matched a null
> > > session.
> > 
> > this is what i have seen NT server do, and the win95 or nt client then
> > sends a proper "user/non-null-pass/domain" request.
> 
> again, send me a sniff that shows this. I'm highly skeptical!

will do.
 
> note that my skepticism is based on spending quite a bit of time
> (admittedly quite a while ago) trying to get MS clients to do exactly
> this. I even tried modifying smbd to cycle through all possible error
> codes one at a time trying to find one that would make win95 clients
> behave like this. Now maybe I missed one, but I'm not going to be
> convinced by anything less than a sniff :-)

i'll do me best, andrew.
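The exchange described above, as an added example that is not part of the original post: a small model of a server's vuid table in which a tconX to anything other than IPC$ from a null-session vuid is refused (the check Andrew suggests), beside the variant that lets it through, with the client falling back to a credentialed SMBsessetupX. Status names, vuid numbering and the client logic are assumptions for illustration, not Samba's code.

```python
# Constructed model of the SMBsessetupX / tconX exchange from the thread
# above. vuid allocation, status names and the client logic are assumptions
# for illustration; none of this is Samba's own code.
IPC_SHARE = "IPC$"


class SmbServer:
    def __init__(self, users, reject_null_tcon=True):
        self.users = users                  # {(user, domain): password}
        self.reject_null_tcon = reject_null_tcon
        self.sessions = {}                  # vuid -> is this a null session
        self.next_vuid = 100

    def sessetup_x(self, user="", password="", domain=""):
        """Session setup. Empty user and password means a null session."""
        if user == "" and password == "":
            return "OK", self._add_session(null=True)
        if self.users.get((user, domain)) != password:
            return "ERR_BAD_PASSWORD", None     # server validly rejects
        return "OK", self._add_session(null=False)

    def _add_session(self, null):
        vuid, self.next_vuid = self.next_vuid, self.next_vuid + 1
        self.sessions[vuid] = null
        return vuid

    def tcon_x(self, vuid, share):
        """Tree connect; the password field is null in user-level security."""
        if vuid not in self.sessions:
            return "ERR_BAD_UID"
        if self.sessions[vuid] and share != IPC_SHARE and self.reject_null_tcon:
            return "ERR_ACCESS_DENIED"      # client must re-issue sessetupX
        return "OK"


def client_connect(server, share, user, password, domain):
    """Null session, tconX IPC$, tconX share; re-authenticate if refused."""
    trace = []
    status, vuid = server.sessetup_x()
    trace.append(("sessetupX null", status))
    trace.append(("tconX IPC$", server.tcon_x(vuid, IPC_SHARE)))
    status = server.tcon_x(vuid, share)
    trace.append(("tconX " + share, status))
    if status == "OK":
        return trace                        # share reached on a null session
    status, vuid = server.sessetup_x(user, password, domain)   # reconnect
    trace.append(("sessetupX creds", status))
    if status == "OK":
        trace.append(("tconX " + share, server.tcon_x(vuid, share)))
    return trace
```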
