SYSKEY, TNG freeze, 2.0.x->TNG merge and other thoughts

James Sutherland jas88 at cam.ac.uk
Thu Feb 10 07:33:09 GMT 2000


On Thu, 10 Feb 2000, Luke Kenneth Casson Leighton wrote:

> On Thu, 10 Feb 2000, James Sutherland wrote:
> 
> > On Thu, 10 Feb 2000, Luke Kenneth Casson Leighton wrote:
> > 
> > > > > This trick is bad. The SAM daemon should only open its DB at startup and
> > > > > after any event where it must close it for maintenance (say,
> > > > > rewriting). Access to the records in SAM db must be controlled not by
> > > > > the DB's file permissions but by code in the SAM daemon (and ACLs,
> > > > > implicit or explicit, in the SAM DB).
> > > > 
> > > > Agreed - if Unix file permissions are used, then either users have full
> > > > access to the entire SAM file, or no access to it at all. Neither is
> > > > really desirable, I suspect? :)
> > > 
> > > well, that's microsoft's stupid fault, they shouldn't have allowed
> > > anonymous access to the damn SAM database over DCE/RPC.
> > > 
> > > i.e if you can get the SAM remotely using DCE/RPC, who give a *monkey's*
> > > if the same info (and only the same info) is available by telnet to a box
> > > and vi some-sam-database-file????
> > 
> > One problem: If I can write the password list file (so I can change my
> > password), I can also write to anyone ELSE's password entry. Not to
> > mention read their (plaintext equivalent) password.
> 
> yes.  that's why i have owner-root, rw-r--r-- permissions on the SAM
> files, and why i want to create a syskey-like angorithm.

i.e. make the data available to any user, albeit obfuscated. Even MS
aren't that bad...

> or create an equivalent of /etc/shadow.

Which is what I was suggesting.

> > I know there are problems (BIG problems) with NT's protection (or lack
> > thereof) of the SAM database, but I didn't think it allowed anonymous
> > users to download the passwords?
> 
> you're absolutely correct, they don't.... *giggle*
> 
> what makes you think i will, either?

You just stuck the data in a world-readable file. OK, you want to
obfuscate it with some sort of encryption (bang go performance and/or
scalability; security died a few minutes ago) - but you still want the
data publicly available.

> [actually, if you add a BDC to a domain using NT4, you can use rpcclient's
> samsync command to pretend to be that BDC because the trust account
> password is BDCNAMEUNICODELOWERCASE, and grab the entire SAM database
> anonymously.  the window of opportunity is between when the BDC is added
> to the domain during the BDC-install stage and when the BDC installation
> is compelted and yuou are presented , for the first time, with the
> ctrl-alt-delete box on the BDC.
> 
> so yes, microsoft allows anonymous users to download the passwords, but
> not in the way you perceive or describe.
> 
> the word from microsoft is that microsoft does not consider this to be a
> serious security risk, by the way.  oh, and they've probably fixed it
> for nt5.]

This is an accidental security hole which they have now fixed - and you
want to copy and expand it!?


James.



More information about the samba-technical mailing list