necessary to bind TCP/IP to Microsoft network client?

Erik Corry ec at sign-tronic.dk
Mon Nov 3 09:58:44 GMT 1997


Dieter Rothacker wrote:
> Simon Hyde wrote:
> > Jeff Wiegley wrote:
> > >my office mate says that TCP/IP should not be bound to
> > >any clients since then that allows the security
> > >loophole that people on the outside internet can access
> > >our file systems on those clients.
> >
> > Samba only works over TCP/IP, therefore you have to bind the clients to
> > TCP/IP. However I believe the particular security hole you are talking
> > about is the winnuke bug, for which there are quite a few fixes hanging
> > around, just stick 'winnuke' into yahoo and it should flag up some pages
> > with useful information on how to solve this particular problem.
> 
> No, I believe they worry about having no "Allow clients =" line in
> Windows, so if you enable NB over TCP/IP, everybody in the whole world
> can access your shares if they are not password protected.
> I do not know a solution to this, however it seems that in Win98 betas
> there is a switch "access for local hosts only" or something...

I think it's even worse than this. With a special URL, you can trick
Microsoft Internet Explorer into attempting to connect to a share on the
machine of the cracker. This means the cracker's machine gets hold of
the password in cleartext.  See <http://www.security.org.il/msnetbreak/>

There's even the possibility of doing this if only encrypted passwords
are in use. By looping back the challenges to the user's machine or
the server machine on the user's net, the cracker can use a classic
man-in-the-middle attack to gain access to your server even if you use
encrypted passwords. I don't know whether this actually works, but
discussions on Ntbugtraq seem to indicate that it might. See
<http://www.ee.washington.edu/computing/iebug/> but be prepared to
change your password afterwards if you are using NT. I'd be interested
to hear if the SMB experts here think there's a good reason this won't
work.

The conclusion seems to be that you _must_ block ports 137, 138 and 139
at your firewall/router. If you connect a Windows machine directly to the
net with a modem, you should probably disable sharing while you do it,
or perhaps ask your ISP to block the SMB ports.

-- 
Erik Corry ec at sign-tronic.dk - I do not speak for Sign-Tronic A/S
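
Added example, not part of the original message: a small audit that reads Windows `netstat -an` style output and lists NetBIOS ports 137, 138 and 139 that are open on a non-loopback address, i.e. the listeners the firewall advice above is meant to shield. The sample output is constructed, and the function name and the per-port service labels are assumptions added here.

```python
import ipaddress

# Ports named in the message; the service labels are added for readability.
NETBIOS_PORTS = {137: "name service", 138: "datagram service", 139: "session service"}

# Constructed sample in the layout of Windows `netstat -an` output.
SAMPLE = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:139            0.0.0.0:0              LISTENING
  TCP    127.0.0.1:139          0.0.0.0:0              LISTENING
  TCP    192.168.1.5:139        192.168.1.9:1040       ESTABLISHED
  TCP    192.168.1.5:1041       10.0.0.7:139           ESTABLISHED
  UDP    192.168.1.5:137        *:*
  UDP    192.168.1.5:138        *:*
"""


def exposed_netbios(netstat_text):
    """Return (proto, local_host, port) for NetBIOS sockets open off-loopback."""
    findings = []
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0] not in ("TCP", "UDP"):
            continue  # header or unrelated line
        proto, local = fields[0], fields[1]
        state = fields[3] if len(fields) > 3 else ""
        # TCP: only listening sockets accept new connections. UDP has no state.
        if proto == "TCP" and state != "LISTENING":
            continue
        host, _, port = local.rpartition(":")
        if not port.isdigit() or int(port) not in NETBIOS_PORTS:
            continue
        host = host.strip("[]")  # IPv6 addresses are printed as [addr]:port
        try:
            if ipaddress.ip_address(host).is_loopback:
                continue  # reachable from the local machine only
        except ValueError:
            pass  # wildcard or unparsable host: report it rather than hide it
        findings.append((proto, host, int(port)))
    return findings


if __name__ == "__main__":
    for proto, host, port in exposed_netbios(SAMPLE):
        print(f"{proto} {host}:{port} open (NetBIOS {NETBIOS_PORTS[port]})")
```

An empty result on a host only says nothing is listening there; whether the ports are filtered at the router still has to be checked on the router itself.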

