Security Incidents mailing list archives
Re: netbios vuln
From: Nick FitzGerald <nick () virus-l demon co uk>
Date: Mon, 09 Dec 2002 22:36:51 +1300
I posted this question to the list 3 weeks ago but the moderator failed to act on my post and thus it was returned to me. I have been a ridicilious amount of netbios traffic at my main firewall.
Probably Opaserv...
This morning I read this article. It seems to hint at a way to run arbitarty code via netbios, ...
It hints that rather weakly. But note that Opaserv itself could be described, rather loosely, in those terms, so...
... now my question is does anyone know anything about this; ...
You have posted far too little information for anyone to contribute anything strongly meaningful. A report such as I have been ["seen"?] a ridicilious amount of netbios traffic at my main firewall. hardly counts as a useful data point. Perhaps there was a reason your initial post was dropped...
... is anyone seeing the netbios traffic and
I think you'll find lots of people are, though its probably tailing off somewagt now.
finally is it just the author of the article (who is not a security writer like a brian mcwillaims or a thomas greene) didnt really understand what was going on? This was from the securitynewsportal site.
There could be an element of that too...
A teenage hacker attacked an online chatroom run by The Edge radio
<<blah, blah, blah>>
... The teenager claims to have written a trojan program called "FB3" with a friend known online as "lynx". The program exploits a "Netbios" vulnerability in Windows PCs related to file and print sharing, to plant itself on unsuspecting users' computers.
This is, as I said above, a sufficiently loose decription of how Opaserv works. It scans the IP address space looking for machines apparently running SMB over TCP/IP then tries faking the full one-character password space to "crack" Win9x/ME machines not patched against MS00-072. If it suceeds in connecting to the C: drive of such a machine, it then writes a copy of itself to the machine and a startup command in a system configuration file and starts all over again from that machine when it is next restarted. This is all enabled by a horrendous comedy of errors starting with a mind-numbingly stupid (in security terms) "feature" of the share- level password authentication scheme, the ease with which MS allows this "not really secure enough for physically secured networks anyway" to be enabled on a (by design) grossly insecure and largely unaudited public network such as the Internet, the default binding of network protocols and services on thoses OSes such that, by default, nearly every such machine with an Internet connection will be publicly exposing this vulnerability, teh default use of entirely predictable share names and installation directories, and so on...
The infected computers (bots - short for robots) signal their presence to a computer in the United States which the teenager uses to send out the instructions to attack. ...
And this is just a different payload to the basic Opaserv installation mechanism. In fact, it could even be easier than this. Thousands upon thousands of Windows machines on the Internet have publicly exposed shares _with no password at all_ exposing their system directories to whoever wishes to rape and/or plunder. -- Nick FitzGerald Computer Virus Consulting Ltd. Ph/FAX: +64 3 3529854 ---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
Current thread:
- netbios vuln ohnonono (Dec 08)
- Re: netbios vuln H C (Dec 09)
- Re: netbios vuln Valdis . Kletnieks (Dec 09)
- Re: netbios vuln Nick FitzGerald (Dec 09)
- <Possible follow-ups>
- Re: netbios vuln KoRe MeLtDoWn (Dec 09)