Bugtraq mailing list archives

Fatal bug in NT 4.0 server


From: vytasvy () OSF LT (Vytautas Vysniauskas)
Date: Wed, 2 Apr 1997 14:37:33 +0300


Hi,

   There exists a very serious bug in NT 4.0 server. A user who is
   granted r/o access to any point of a filesystem can easily
   crash NT 4.0 server.


   EXPLOIT:

   Client user (who is granted r/o access) resides on a Linux box
   with root privileges. Client mounts NT server disk as follows

   linux# smbmount //ntserver/service /mnt -U client_name

   "df" shows mounted volume like

    //ntserver/service            530176  458224    71952     86%   /mnt

    Now when you try to list the volume with  ls /mnt
    the command hangs (but it is possible to kill the process from
    another root shell).  NT server switches to blue console
    screen and crashes immediately, showing diagnostic message

    *** STOP 0x0000000A (0x00000000, 0x00000002, 0x00000001, 0x8012C28A)
    IRQL_NOT_LESS_OR_EQUAL


----
***  NOTE: to exploit this situation you must have an incorrectly
    working smbmount utility:

    Linux version 2.0.25
    smbmount utility from smbfs-2.0.1.tgz package
    (available at ftp.gwdg.de /pub/linux/misc/smbfs or
     sunsite.unc.edu /pub/Linux/filesystems/smbfs )

    This package requires at least Linux version  2.0.28
    and contains fixes of a standard smbfs module. So,
    it is not expected to work correctly with 2.0.25 version.
    However, smbmount crashes NT server completely...

    The situation was tested several times on two  NT 4.0 servers,
    always ending up with strictly the same system crash.

    It would be interesting to see whether somebody else can reproduce
    this result.


QUESTION:

    Additionally, I would like to ask:
    Is it known that there is a big hole in the NT 4.0 security system
    that allows a user without any access permission to mount the NT
    server root directory (disk C:) in r/w mode and to take
    complete control over the NT system? I heard only some little
    comments but haven't seen a demonstration and/or description
    of this vulnerability.

    It raises very big doubts about the usability of the NT 4.0 system.
    Maybe it is time to switch to a Unix/Samba platform?

========================================================
Vytautas Vysniauskas       e-mail: vytasvy () osf lt
                              tel: +370-2-611408
UNIX systems administrator
Open Society Fund of Lithuania
========================================================
