Netbios name %m not always correct

Christopher R. Hertel crh at ubiqx.mn.org
Sat Oct 18 17:04:39 GMT 2003


David Lee wrote:
>
:
> Yes.  The intention in both Michael's case and mine is to send a popup
> (historically WinPopup?) message to the PC that has initiated the
> connection.  Our configuring smb.conf's "print command" and "preexec" to
> do "smbclient -M ... %m ..." is simply a means to achieve that end.
> 
> If there is some other (better, more appropriate, etc.) means to that end
> we'll happily consider switching to it.  What might it (or they) be?

Well...

Do you remember about a year ago when there was a big flap about Spam-
vertising Popups on Windows systems?  Some company in Florida was selling
(at $300-ish a copy, as I recall) a bit of software that would send
pop-ups to unsuspecting (and unprotected) users across the Internet.  That's
when Microsoft started recommending that people block ports 135 and 138.

Here is the deal:

The WinPopup application, which is common on home and desktop Windows
flavors (Win9x, ME, and possibly XP-Home) uses a very old remote function
call system known as the Windows Messenger Service.  It's documented here
and there.  Probably the best place to start would be the X/Open's
11-year-old SMB specifications.  (See the References section in my on-line
book.)

Put simply, however, the sender calls a local function that takes a
destination NetBIOS name and a message.  The message is then passed, via a
NetBIOS datagram, to the receiver.  *IF* the receiver is listening
(WinPopup running) then the message is displayed.  (Note that I don't know
what happens internally if WinPopup isn't listening.  The message may still
get processed to some extent, thus *potentially* opening some security
holes.)

With WindowsNT4 (possibly in some service pack) it was recognized that the
NetBIOS based Messenger Service was outdated and needed replacing.  The
functionality was re-implemented using Microsoft's Remote Procedure Call
(MS-RPC) system.  The basics are the same.  A message is sent to the receiver
and displayed.  I *don't* know a lot about the workings of the RPC call based
Messenger Service, but:

  - It doesn't require NetBIOS.
  - It only works on systems that support MS-RPC.

I *think* that the RPC version is on by default on some platforms, and that
it's a bit harder to turn off, but I'm not sure.  I don't know enough about
this mechanism (something I hope to rectify some day).

As far as I know, Samba has not implemented any tools for utilizing the
MS-RPC version of the Messenger Service.  Because of the potential for
abuse, there really is not much call.  On the other hand, I'm sure there's
enough code to get someone started.  It's basically an RPC call.

There should be a lot of information around the web about this.  There was a
lot of discussion when the Spam-o-grams flared up.  The recent set of
vulnerabilities are somewhat related.

  http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS03-043.asp

Chris Hertel -)-----
Durham University Alumnus  :)

PS. Sorry, I'm not up on the utmp stuff so I'll have to skip that.

-- 
"Implementing CIFS - the Common Internet FileSystem" ISBN: 013047116X
Samba Team -- http://www.samba.org/     -)-----   Christopher R. Hertel
jCIFS Team -- http://jcifs.samba.org/   -)-----   ubiqx development, uninq.
ubiqx Team -- http://www.ubiqx.org/     -)-----   crh at ubiqx.mn.org
OnLineBook -- http://ubiqx.org/cifs/    -)-----   crh at ubiqx.org
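
The quoted setup passes %m to "smbclient -M" from "print command" or "preexec". As an added example (not part of the original message and not Samba code), here is a wrapper that checks the client-derived name and address before they reach smbclient. The script path, the character allowlist and the use of %I are assumptions of this example.

```shell
#!/bin/sh
# Added example: popup wrapper for smb.conf "preexec" / "print command".
# Assumed smb.conf usage (hypothetical script path):
#   preexec = /usr/local/bin/notify-client.sh %m %I "Connected"

# Accept only a conservative NetBIOS-name shape: 1-15 characters from
# letters, digits, '-' and '_', not starting with '-' (smbclient would parse
# that as an option). The allowlist is this example's assumption.
is_netbios_name() {
    case "$1" in
        ''|-*|*[!A-Za-z0-9_-]*) return 1 ;;
    esac
    [ "${#1}" -le 15 ]
}

# Accept only a dotted-quad IPv4 address with every octet in 0..255.
is_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# Send message $3 to client name $1 at address $2; return 2 if either
# client-derived value fails validation, without echoing it back.
notify_client() {
    if ! is_netbios_name "$1" || ! is_ipv4 "$2"; then
        echo "notify-client: popup skipped, target failed validation" >&2
        return 2
    fi
    # -M reads the message text from stdin; -I gives smbclient the address
    # of the host that connected instead of resolving the name.
    printf '%s\n' "$3" | smbclient -M "$1" -I "$2" >/dev/null 2>&1
}

# Act only when invoked with arguments, as smb.conf would invoke it.
if [ "$#" -ge 3 ]; then
    notify_client "$1" "$2" "$3" || true   # a failed popup is not fatal
fi
```

When %m arrives as something other than a plain name (for instance an address), the wrapper skips the popup rather than guessing a destination.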


