Bugtraq mailing list archives
Fatal bug in NT 4.0 server
From: vytasvy () OSF LT (Vytautas Vysniauskas)
Date: Wed, 2 Apr 1997 14:37:33 +0300
Hi,

There exists a very serious bug in NT 4.0 server. A user who is granted r/o access to any point of a filesystem can easily crash NT 4.0 server.

EXPLOIT:

Client user (who is granted r/o access) resides on a Linux box with root privileges. Client mounts NT server disk as follows:

    linux# smbmount //ntserver/service /mnt -U client_name

"df" shows the mounted volume like

    //ntserver/service 530176 458224 71952 86% /mnt

Now when you try to list the volume with

    ls /mnt

the command hangs (but it is possible to kill the process from another root shell). NT server switches to blue console screen and crashes immediately, showing diagnostic message

    *** STOP 0x0000000A (0x00000000, 0x00000002, 0x00000001, 0x8012C28A) IRQL_NOT_LESS_OR_EQUAL

----

*** NOTE: to exploit this situation you must have an incorrectly working smbmount utility:

    Linux version 2.0.25
    smbmount utility from smbfs-2.0.1.tgz package
    (available at ftp.gwdg.de /pub/linux/misc/smbfs or sunsite.unc.edu /pub/Linux/filesystems/smbfs )

This package requires at least Linux version 2.0.28 and contains fixes of a standard smbfs module. So, it is not expected to work correctly with version 2.0.25. However, smbmount crashes NT server completely...

The situation was tested several times on two NT 4.0 servers, always ending up with strictly the same system crash. It would be interesting to see whether somebody else can reproduce this result.

QUESTION:

Additionally, I would like to ask: Is anything known about a big hole in the NT 4.0 security system that allows a user without any access permission to mount the NT server root directory (disk C:) in r/w mode and to take complete control over the NT system? I have heard only some little comments but haven't seen a demonstration and/or description of this vulnerability. It raises very big doubts about the usability of the NT 4.0 system. Maybe it is time to switch to the Unix/Samba platform?
========================================================
Vytautas Vysniauskas
e-mail: vytasvy () osf lt
tel: +370-2-611408
UNIX systems administrator
Open Society Fund of Lithuania
========================================================
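Added example, not part of the original post: a small triage helper that decodes the STOP line quoted in the message, using the documented meaning of the four bug check 0x0000000A parameters (referenced address, IRQL, access type, address of the referencing instruction). The function names are hypothetical, and the kernel-space test assumes 32-bit x86 NT with the default 2 GB user/kernel split.

```python
import re

# Constructed sample: the STOP line exactly as quoted in the post above.
SAMPLE = ("*** STOP 0x0000000A (0x00000000, 0x00000002, 0x00000001, "
          "0x8012C28A) IRQL_NOT_LESS_OR_EQUAL")

HEX = r"0x[0-9A-Fa-f]{1,8}"
STOP_RE = re.compile(
    r"STOP\s+(" + HEX + r")\s*\(\s*((?:" + HEX + r"\s*,\s*){3}" + HEX + r")\s*\)"
)

# Low IRQLs on x86 NT; higher values are device/clock levels.
IRQL_NAMES = {0: "PASSIVE_LEVEL", 1: "APC_LEVEL", 2: "DISPATCH_LEVEL"}


def parse_stop(line):
    """Return (bugcheck_code, [p1, p2, p3, p4]) or None if no STOP line."""
    m = STOP_RE.search(line)
    if not m:
        return None
    code = int(m.group(1), 16)
    params = [int(p.strip(), 16) for p in m.group(2).split(",")]
    return code, params


def decode_0a(params):
    """Interpret the four parameters of bug check 0x0A."""
    referenced, irql, access, faulting_ip = params
    return {
        "referenced_address": referenced,
        # Assumption: 4 KB pages, so anything below 0x1000 is the null page.
        "null_page_reference": referenced < 0x1000,
        "irql": IRQL_NAMES.get(irql, "IRQL %d" % irql),
        "access": "write" if access & 1 else "read",
        "faulting_instruction": faulting_ip,
        # Assumption: default 2 GB split, kernel space starts at 0x80000000.
        "faulting_code_in_kernel_space": faulting_ip >= 0x80000000,
    }


def triage(line):
    parsed = parse_stop(line)
    if parsed is None:
        raise ValueError("no STOP line found")
    code, params = parsed
    if code != 0x0A:
        raise ValueError("only bug check 0x0A is decoded here")
    return decode_0a(params)


if __name__ == "__main__":
    print(triage(SAMPLE))
```

Read this way, the quoted screen describes kernel-mode code at 0x8012C28A writing to address 0 while running at DISPATCH_LEVEL, which is a fault inside the server's own kernel-mode code path rather than a user-mode service failure.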