Information Security News mailing list archives
More than privacy at stake
From: InfoSec News <isn () C4I ORG>
Date: Thu, 19 Oct 2000 04:08:54 -0500
Forwarded By: security curmudgeon <jericho () attrition org>

http://www2.itworld.com/cma/ett_article_frame/0,,1_3086.html

Rik Farrow, ITworld.com
October 17, 2000

On the surface, Microsoft Security Bulletin MS00-072 appears pretty benign. In the related FAQ, the bug is described as a privacy compromise -- "a scenario in which a malicious user is able to gain access to personal or confidential information about another user." Unfortunately, the issue goes deeper than that. This bug permits any Microsoft Windows 95, 98, or Me system to be completely compromised, provided the targeted system is set up for file sharing and is not part of a Windows NT domain.

Windows's file-and-print-sharing service permits a user to share resources on his or her computer, with password protection. If the shared directory is carefully chosen -- for example, if the user creates a directory for data files named C:\shared -- then the problem is indeed nothing more than a privacy compromise. But if the user selects C:\ or the directory where Windows and other applications are stored, the system is open to complete compromise. The attacker can read and replace any files found on the shared volume. The attacker could also delete everything, but such behavior is hardly subtle (and might be mistaken for Windows crashing).

The exploit was discovered by Nsfocus, a Chinese network security company, and published to the Web on Oct. 10. Its page contains a small example of code that takes advantage of the security flaw. It's an addition to the Samba client software found on Linux and many Unix systems. The modified code tells the victim's system that it is sending a password of only one character, and adds a simple loop that tries values from 1 to 255 as the first character of the password. Unbelievably, Windows falls for this chicanery. In other words, no matter how many characters you have in your password, one will be enough to grant the attacker access to your file share.
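The root cause the article describes, shown as an added illustration that is not code from the article, Nsfocus, Samba or Microsoft: a server-side share password check that trusts the password length declared by the client, next to a check that takes the length from its own stored secret. The stored password is a constructed sample.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample of the share-level password stored on the serving PC. */
static const char STORED_PASSWORD[] = "s3cretShare";

/* Vulnerable check, modelling the MS00-072 behaviour the article describes:
 * the server compares only as many bytes as the client *declared* it sent.
 * A client declaring a 1-byte password therefore only has to match the
 * first character of the real one. (Over-long declarations are rejected so
 * the comparison never reads past the stored secret.) */
bool share_password_ok_vulnerable(const uint8_t *pw, size_t declared_len)
{
    size_t stored_len = strlen(STORED_PASSWORD);
    if (declared_len > stored_len)
        return false;
    return memcmp(STORED_PASSWORD, pw, declared_len) == 0;
}

/* Hardened check: the length comes from the server's own secret, a length
 * mismatch is a failure, and the comparison runs in constant time so the
 * response timing does not reveal how much of the guess was right. */
bool share_password_ok_fixed(const uint8_t *pw, size_t declared_len)
{
    size_t stored_len = strlen(STORED_PASSWORD);
    if (declared_len != stored_len)
        return false;
    uint8_t diff = 0;
    for (size_t i = 0; i < stored_len; i++)
        diff |= (uint8_t)STORED_PASSWORD[i] ^ pw[i];
    return diff == 0;
}

int main(void)
{
    const uint8_t *full = (const uint8_t *)STORED_PASSWORD;
    const uint8_t one_byte = (uint8_t)STORED_PASSWORD[0];
    printf("vulnerable: full password %d, 1-byte prefix %d\n",
           share_password_ok_vulnerable(full, strlen(STORED_PASSWORD)),
           share_password_ok_vulnerable(&one_byte, 1));
    printf("fixed:      full password %d, 1-byte prefix %d\n",
           share_password_ok_fixed(full, strlen(STORED_PASSWORD)),
           share_password_ok_fixed(&one_byte, 1));
    return 0;
}
```

The vulnerable check accepts a one-byte guess whose single character matches, which is exactly why a loop over 255 values suffices; the fixed check only accepts the full stored password.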
While the exploit itself does not take control of a Windows system, it provides a mechanism to do so. Similar methods have been used to exploit thousands of systems as part of installing distributed-denial-of-service tools. That is, a scanner checks tens of thousands of IP addresses in search of a particular open port. The results are then used in a script that tries the same exploit against each target. The success rate is low, but the number of addresses tried makes up for that.

Weld Pond of @stake said, "We are going to see a new wave of Trojan-type attacks, as everyone sharing their hard drives writeable on the Internet with passwords is now vulnerable. This is an absolutely horrible problem."

Windows systems that use NT Domain authentication and only share files to specific users are not affected by this vulnerability; neither are Windows NT and 2000 users. Target systems behind firewalls that block incoming connections will not fall prey to this exploit either (unless the attacker is coming from the internal network).

Microsoft has issued a patch for the problem, so sending a single character of the password is no longer sufficient to connect to Windows file sharing. I suggest you install it on any clients doing peer-to-peer file sharing.

I have done some scanning for open file shares in the past, and have found lots of systems that have enabled file sharing. File sharing works well in an environment like a small office, in which you want to share data with people close to you and you lack a central server. File sharing is also common on home networks where there are two or more systems. Either way, it makes sense to immediately patch any Windows system that uses file sharing, and to use firewalls, even home versions, to block attacks like this one.

*==============================================================*
"Communications without intelligence is noise; Intelligence without communications is irrelevant." Gen Alfred. M. Gray, USMC
================================================================
C4I.org - Computer Security, & Intelligence - http://www.c4i.org
*==============================================================*
ISN is hosted by SecurityFocus.com
---
To unsubscribe email LISTSERV () SecurityFocus com with a message body of "SIGNOFF ISN".