Passthrough security fix.

Andrew Tridgell tridge at samba.anu.edu.au
Tue Apr 21 02:30:18 GMT 1998


> > Also, you'll need to send the random garbage first, not 2nd.
> 
> I don't see that. You need to send the good password first,
> as if you send a bad password first then how do you tell
> the difference between a real bad password and the random
> one.

I thought it would be best to send the garbage first because if you
are talking to a server that maps uid to vuid directly and stores a
vuid->authenticated flag then you could get two nasty
effects. Firstly, the server could look at the username and say "oh,
that's authenticated already, I can just return yes without going
through all that messy encryption code". If it didn't do that (and I
admit that isn't all that likely) then it could still hit a problem
when you then try and do the TconX. It could look up a
vuid->authenticated flag and say "unauthenticated - go away!".

In fact, early versions of Samba would have done exactly this, so it
isn't beyond the realm of possibility that it could happen. It is
certainly within spec and wouldn't break any "normal" operation.

I imagine:

1). session_setup_and_X with the bad password. (making sure random
    password != real password). If this succeeds then it is guest no
    matter what the guest bit is.

2). session_setup_and_X with the good password. Look at the guest bit
    in the result as we currently do.

The first check is solely to test for broken NT servers. The 2nd test
is exactly what we do now.

Cheers, Andrew


More information about the samba-technical mailing list
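The two-step check proposed in the message, modelled in Python as an added illustration (this is not Samba code and not from the thread). The three password-server models are constructed for the example: a correct server, a "broken NT" server that accepts any password without setting the guest bit, and a server that maps uid to vuid directly and caches a vuid->authenticated flag, which is the case the message gives for sending the garbage password first. `session_setup_and_X` is a stand-in for the SMB SessionSetupAndX call and returns `(ok, guest_bit)`.

```python
"""Model of the passthrough check: garbage password first, real password second.

Added example; server classes and names below are constructed for
illustration and stand in for a remote SMB password server.
"""
import secrets


class CorrectServer:
    """Accepts only the real password; maps nobody to guest; keeps no state."""

    def __init__(self, passwords):
        self.passwords = passwords

    def session_setup_and_X(self, user, password):
        if self.passwords.get(user) == password:
            return True, False          # ok, guest bit clear
        return False, False


class BrokenNTServer:
    """Accepts any password but does not set the guest bit, so a single
    session setup with the real password looks like a genuine logon."""

    def session_setup_and_X(self, user, password):
        return True, False


class CachingServer:
    """Checks the password correctly, but maps uid -> vuid directly and keeps
    a vuid->authenticated flag: once a user is authenticated, a later setup
    for the same user returns yes without looking at the password."""

    def __init__(self, passwords):
        self.passwords = passwords
        self.authenticated = set()

    def session_setup_and_X(self, user, password):
        if user in self.authenticated:
            return True, False
        if self.passwords.get(user) == password:
            self.authenticated.add(user)
            return True, False
        return False, False


def random_password(real):
    """Random garbage guaranteed to differ from the real password."""
    while True:
        candidate = secrets.token_hex(8)
        if candidate != real:
            return candidate


def passthrough_check(server, user, password, garbage_first=True):
    """Return 'guest', 'authenticated' or 'rejected' for this user.

    garbage_first=True is the order the message argues for; False is the
    order suggested in the quoted reply, kept here to show why it fails
    against a server that caches authentication state.
    """

    def try_garbage():
        ok, _ = server.session_setup_and_X(user, random_password(password))
        return ok

    if garbage_first:
        # Step 1: if a random password succeeds, this is guest access no
        # matter what the guest bit says.
        if try_garbage():
            return "guest"
        # Step 2: real password, then look at the guest bit as usual.
        ok, guest = server.session_setup_and_X(user, password)
    else:
        ok, guest = server.session_setup_and_X(user, password)
        # With the real password already accepted, a caching server now
        # says yes to the garbage too, and a valid user is downgraded.
        if try_garbage():
            return "guest"

    if not ok:
        return "rejected"               # a genuinely bad password
    return "guest" if guest else "authenticated"
```

Against `CorrectServer` the result depends only on the password; against `BrokenNTServer` step 1 exposes the problem before the real password is ever sent; against `CachingServer` the garbage-first order gives the right answer while the other order wrongly reports guest, which is the ordering argument made in the message.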