DoS attack via SAMBA smbtorture utility?

Luke Kenneth Casson Leighton lkcl at switchboard.net
Fri Aug 27 18:40:44 GMT 1999


On Fri, 27 Aug 1999, Patrice wrote:

> Samba includes an unsuccessful login attempt to be sure that if the guest
> account is enabled on an NT server that they will not be allowed access to
> smb shared data (to login with the client.)

this is in samba's smbd (server code), when "security = server" mode is
used (_not_ the "security = domain" mode).

what happens is that the very first time an smbd process connects to the
PDC it will make an attempted connection with a deliberately bad password.
the response under these circumstances from certain versions of NT 4.0 is
to ACCEPT the connection, with guest privileges (?!!!).

samba detects this and reports it in the log files at its maximum possible
reporting level for administrators to pick up and then deal with the NT
PDC as appropriate.

following the detection (which is only done once), the user is then
validated with the same function call, cli_session_setup(), but this time
with the correct user password.

the code used in smbd/password.c:server_validate() to probe for broken
guest behaviour is cli_session_setup(), which is exactly the same function
that is used in smbtorture to validate user connection.  however,
smbtorture does not use cli_session_setup() to do this "broken guest"
test.  maybe it should!  i think we should have a test in smbtorture
BROKENGUEST!

> Maybe this is what smbtorture is doing

it's not.

> - and maybe (?) making your "guest" account some other name would
> help?

no, it would not, please see ntbugtraq archives regarding same suggestion,
pros and cons, from.... approx six months ago, but the discussion revolved
around renaming the administrator account instead of the guest account.

usual nt-security-related reasons include things such as you can always
enumerate the users by cycling through RIDs, starting at 0x0 and going up,
and from responses you can obtain not only the user name but the domain
groups that the user is in.  restrictanonymous=0x1 is NOT sufficient to
block this, by the way.

luke (samba team, ISS X-Force Research)

p.s to improve nt network security, block all SMB access at firewall,
which must be port 139 for nt 4.0 and below and port 139 AND port 445 for
nt 5.0.

p.p.s i just realised what i said, here.  on certain versions of NT 4.0 it
is possible to specify a valid username and an invalid password and still
obtain access, if only guest access, to NT.  this is slightly higher
privileges than anonymous, and you can do a lot more with a guest account
than anonymous.  this is bad.  could we (ntbugtraq, collectively)
investigate this further?  i am away from NT boxes at present until the
6th september.

Luke Kenneth Casson Leighton    <lkcl at samba.org>
Samba and Network Development   http://www.cb1.com/~lkcl
Samba Web site                  http://samba.org
Internet Security Systems, Inc. http://www.iss.net
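The once-only probe that the post describes for smbd's server_validate() in "security = server" mode, modelled in Python as an added example (this is not Samba's code and not the post's). The PDC, its accounts, the stand-in hash and challenge/response scheme, and the policy applied after the probe are all constructed assumptions; the model goes slightly beyond the post in that the client also refuses a guest-mapped answer on every session setup, not only during the probe, since a guest logon proves nothing about the password that was sent.

```python
"""Toy model of smbd's once-only "broken guest" probe against a password
server (security = server), as described in the post above.

Added illustration only: this is not Samba code.  The PDC, the accounts,
the hash function and the policy applied after detection are constructed
assumptions for the example.
"""
import hashlib
import logging
import os
from dataclasses import dataclass, field

log = logging.getLogger("smbd.server_validate")

# Bit 0 of the SMB session-setup "action" field: the server logged the
# client on as guest rather than as the named user.
SMB_SETUP_GUEST = 0x0001


def nt_hash(password: str) -> bytes:
    # Real NT hashes are MD4 over UTF-16LE; SHA-256 stands in here
    # (assumption) so the model does not depend on MD4 in hashlib.
    return hashlib.sha256(password.encode("utf-16-le")).digest()


def challenge_response(challenge: bytes, pw_hash: bytes) -> bytes:
    # Simplified challenge/response standing in for the NT LM/NTLM scheme.
    return hashlib.sha256(challenge + pw_hash).digest()


@dataclass
class SessionSetupResponse:
    success: bool
    action: int = 0

    @property
    def is_guest(self) -> bool:
        return bool(self.action & SMB_SETUP_GUEST)


@dataclass
class ToyPDC:
    """Hypothetical NT-style PDC.  guest_fallback=True models the broken
    NT 4.0 behaviour the post describes: a valid user name with a wrong
    password is let in as guest instead of being rejected."""
    accounts: dict                      # user name -> nt_hash(password)
    guest_enabled: bool = True
    guest_fallback: bool = False
    challenge: bytes = field(default_factory=lambda: os.urandom(8))

    def session_setup(self, user: str, response: bytes) -> SessionSetupResponse:
        stored = self.accounts.get(user)
        if stored is not None and response == challenge_response(self.challenge, stored):
            return SessionSetupResponse(True, 0)
        # Unknown user -> guest is ordinary NT behaviour when guest is enabled.
        # Known user with a bad password -> guest is the broken case.
        if self.guest_enabled and (stored is None or self.guest_fallback):
            return SessionSetupResponse(True, SMB_SETUP_GUEST)
        return SessionSetupResponse(False)


def cli_session_setup(pdc: ToyPDC, user: str, password: str) -> SessionSetupResponse:
    """Client side of session setup, used both for the probe and for the
    real validation, as the post says smbd does."""
    return pdc.session_setup(user, challenge_response(pdc.challenge, nt_hash(password)))


class PasswordServer:
    """Client-side state for one password server: the probe runs once,
    on first use, and its verdict is remembered."""

    def __init__(self, pdc: ToyPDC, probe_user: str):
        self.pdc = pdc
        self.probe_user = probe_user    # an account the PDC is known to have
        self.probed = False
        self.broken_guest = False

    def probe_broken_guest(self) -> bool:
        # A random suffix guarantees the probe password is wrong.
        bad_password = "deliberately-bad-" + os.urandom(8).hex()
        resp = cli_session_setup(self.pdc, self.probe_user, bad_password)
        self.probed = True
        if resp.success:
            # Guest mapping of a bad password is the case in the post; a
            # non-guest logon on a bad password would be worse still.
            self.broken_guest = True
            log.critical("password server accepts a bad password for %r (%s); "
                         "this is broken and insecure", self.probe_user,
                         "as guest" if resp.is_guest else "as a full user")
        return self.broken_guest

    def validate(self, user: str, password: str) -> bool:
        if not self.probed:
            self.probe_broken_guest()
        resp = cli_session_setup(self.pdc, user, password)
        # Policy chosen for this example (assumption, not necessarily
        # Samba's): a guest-mapped answer proves nothing about the password,
        # so it never counts as a successful validation.
        return resp.success and not resp.is_guest
```

Against a sane PDC the probe is rejected and validation behaves normally; against the broken one the probe comes back as a guest logon, the condition is logged at the highest level once, and a correct password still validates while a wrong one does not, because the guest bit is checked on every answer.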
