ALERT: Latest CVS repository code can cause DoS in LSASS.EXE.

Luke Kenneth Casson Leighton lkcl at samba.org
Wed Oct 20 20:15:28 GMT 1999


More info on this.

It is _safe_ to use the latest cvs main development version of smbclient /
rpcclient to connect to an NT 4.0 Service Pack 4 or Service Pack 5 PDC *as
long as*:

- a user has successfully logged on at the console _at least_ once on the
PDC that the latest cvs main development version of smbclient / rpcclient
will be connecting to.

OR:

- a user has successfully connected to an SMB share using any SMB client
*other* than the latest cvs main development version of smbclient /
rpcclient.  It is worthwhile explicitly explaining that "any SMB client"
includes Windows clients such as all versions of NT, 95 and 98, and all
stable releases of all Samba clients such as smbclient and smbfs.

OR:

- the connection to the PDC is made anonymously (using the smbclient and
rpcclient option -U %).

- the smb.conf option "client ntlmv2 = no" is set and the smbclient /
rpcclient tools read the correct smb.conf file with this option set.  (I
mention this because personally I often run smbclient or rpcclient as a
non-root user with the default smb.conf file /usr/local/samba/lib/smb.conf
privileges set to require root access.  The _default_ option for "client
ntlmv2 = auto" then comes into effect, as the smb.conf file is unreadable,
which will cause the DoS in LSASS.EXE).

The reason I am mentioning all of this is because the Samba team relies on
the goodwill of its users to use and test development versions.  It is
therefore our responsibility to inform you if such testing would cause
severe problems on your network!

best regards,

luke (samba team, iss x-force research).

On Tue, 19 Oct 1999, Luke Kenneth Casson Leighton wrote:

> If you are using the latest stable Samba source (all officially released
> versions of Samba up to and including 2.0.5b), please ignore this message;
> it is NOT relevant to you.
> 
> For those people who are tracking the latest Samba developments, you
> should be aware that certain configurations of smbclient / rpcclient can
> cause LSASS.EXE to die with certain configurations of NT 4.0 Service Pack
> 4.  The repercussions of this are that you will need to reboot or even
> power-cycle the machine.
> 
> I thought it best to let you know immediately as I do not want your
> systems to die when you were expecting an "smb: />" prompt instead!
> 
> I am investigating the parameters of the problem and I recommend that you
> use a cvs snapshot from two weeks ago if you need to use smbclient /
> rpcclient's latest enhancements (NTLMv2, Win2000 compatibility etc).
> 
> regards,
> 
> luke (samba team, iss x-force research).
> 
> <a href="mailto:lkcl at samba.org"   > Luke Kenneth Casson Leighton    </a>
> <a href="http://www.cb1.com/~lkcl"> Samba and Network Development   </a>
> <a href="http://samba.org"        > Samba Web site                  </a>
> <a href="http://www.iss.net"      > Internet Security Systems, Inc. </a>
> 
> 

<a href="mailto:lkcl at samba.org"   > Luke Kenneth Casson Leighton    </a>
<a href="http://www.cb1.com/~lkcl"> Samba and Network Development   </a>
<a href="http://samba.org"        > Samba Web site                  </a>
<a href="http://www.iss.net"      > Internet Security Systems, Inc. </a>
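One way to guard against the unreadable-smb.conf pitfall described in the message above, as an added shell example that is not part of the original mail or of Samba itself: it checks that the smb.conf a development smbclient / rpcclient will read is readable by the current user and explicitly sets "client ntlmv2 = no" before the tool is pointed at a PDC (the function name check_client_ntlmv2 and the wrapper line in the last comment are assumptions; the default path is the one quoted in the mail).

```sh
#!/bin/sh
# Added example, not from the original mail or the Samba project.
# Pre-flight check: refuse to proceed unless the smb.conf that will be read
# is readable AND explicitly sets "client ntlmv2 = no". An unreadable file
# silently falls back to the default "client ntlmv2 = auto".

check_client_ntlmv2() {
    conf="${1:-/usr/local/samba/lib/smb.conf}"   # default path quoted in the mail

    if [ ! -r "$conf" ]; then
        echo "UNSAFE: $conf is not readable by $(id -un); 'client ntlmv2' takes its default (auto)" >&2
        return 1
    fi

    # Extract the value of "client ntlmv2" case-insensitively, tolerating any
    # whitespace around the name and the '='. Trailing whitespace and an inline
    # '#' or ';' comment are stripped; the last occurrence in the file is used.
    val=$(grep -i '^[[:space:]]*client[[:space:]]*ntlmv2[[:space:]]*=' "$conf" \
          | tail -n 1 \
          | sed -e 's/^[^=]*=[[:space:]]*//' -e 's/[[:space:]]*[#;].*$//' -e 's/[[:space:]]*$//' \
          | tr 'A-Z' 'a-z')

    case "$val" in
        no|false|0)   # the spellings Samba accepts for a boolean "no"
            echo "OK: $conf sets 'client ntlmv2 = $val'"
            return 0 ;;
        '')
            echo "UNSAFE: $conf does not set 'client ntlmv2'; the default (auto) applies" >&2
            return 1 ;;
        *)
            echo "UNSAFE: $conf sets 'client ntlmv2 = $val'" >&2
            return 1 ;;
    esac
}

# Hypothetical usage as a wrapper before connecting to a PDC:
#   check_client_ntlmv2 && smbclient -L pdc -U user
```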


