Information Security News mailing list archives

More than privacy at stake


From: InfoSec News <isn () C4I ORG>
Date: Thu, 19 Oct 2000 04:08:54 -0500

Forwarded By: security curmudgeon <jericho () attrition org>

http://www2.itworld.com/cma/ett_article_frame/0,,1_3086.html

Rik Farrow, ITworld.com
October 17, 2000

On the surface, Microsoft Security Bulletin MS00-072 appears pretty
benign. In the related FAQ, the bug is described as a privacy
compromise -- "a scenario in which a malicious user is able to gain
access to personal or confidential information about another user."

Unfortunately, the issue goes deeper than that. This bug permits any
Microsoft Windows 95, 98, or Me system to be completely compromised,
provided that the targeted system is set up for file sharing and is
not part of a Windows NT domain.

Windows's file-and-print-sharing service permits a user to share
resources on his or her computer, with password protection. If the
shared directory is carefully chosen -- for example, if the user
creates a directory for data files named C:\shared -- then the problem
is indeed nothing more than a privacy compromise. But if the user
selects C:\ or the directory where Windows and other applications are
stored, the system is open to complete compromise. The attacker can
read and replace any files found on the shared volume. The attacker
could also delete everything, but such behavior is hardly subtle (and
might be mistaken for Windows crashing).

The exploit was discovered by Nsfocus, a Chinese network security
company, and published to the Web on Oct. 10. Its page contains a
small example of code that takes advantage of the security flaw. It's
an addition to the Samba client software found on Linux and many Unix
systems. The modified code tells the victim's system that it is
sending a password of only one character, and adds a simple loop that
tries values from 1 to 255 as the first character of the password.
Unbelievably, Windows falls for this chicanery. In other words, no
matter how many characters you have in your password, one will be
enough to grant the attacker access to your file share.
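To make the flaw concrete, here is a constructed model of the length-trusting comparison the article describes, beside a hardened form that accepts only a full-length match. This is an added example, not Nsfocus's code or Windows's actual implementation; the share password, function names and the 1..255 search helper are assumptions.

```python
import hmac
from typing import Callable, Optional

# Constructed sample share password (not a value from the article).
SHARE_PASSWORD = b"s3cretpw"

CheckFn = Callable[[bytes, bytes, int], bool]


def vulnerable_check(stored: bytes, client_pw: bytes, client_len: int) -> bool:
    """Models the defect MS00-072 patched: the server trusts the password
    length the client claims and compares only that many leading bytes,
    so a one-byte guess is judged against one byte of the real password."""
    if client_len < 1 or len(client_pw) < client_len:
        return False
    return stored[:client_len] == client_pw[:client_len]


def fixed_check(stored: bytes, client_pw: bytes, client_len: int) -> bool:
    """Hardened form: the claimed length must equal the stored password's
    length, and every byte is compared in constant time."""
    if client_len != len(stored) or len(client_pw) != client_len:
        return False
    return hmac.compare_digest(stored, client_pw)


def one_byte_attempts(check: CheckFn, stored: bytes) -> Optional[int]:
    """Run the 1..255 single-byte search the article describes against a
    check function; return the attempt number that succeeds, or None if
    all 255 guesses are rejected (the outcome a correct check must give)."""
    for attempt, value in enumerate(range(1, 256), start=1):
        if check(stored, bytes([value]), 1):
            return attempt
    return None


if __name__ == "__main__":
    print("vulnerable:", one_byte_attempts(vulnerable_check, SHARE_PASSWORD))
    print("fixed:", one_byte_attempts(fixed_check, SHARE_PASSWORD))
```

Against the vulnerable check the search succeeds within 255 guesses regardless of the real password's length; against the fixed check it never does.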

While the exploit itself does not take control of a Windows system, it
provides a mechanism to do so. Similar methods have been used to
exploit thousands of systems as part of installing
distributed-denial-of-service tools. That is, a scanner checks tens of
thousands of IP addresses in search of a particular open port. The
results are then used in a script that tries the same exploit against
each target. The success rate is low, but the number of addresses
tried makes up for that.

Weld Pond of @stake said, "We are going to see a new wave of
Trojan-type attacks, as everyone sharing their hard drives writeable
on the Internet with passwords is now vulnerable. This is an
absolutely horrible problem."

Windows systems that use NT Domain authentication and only share files
to specific users are not affected by this vulnerability; neither are
Windows NT and 2000 users. Target systems behind firewalls that block
incoming connections will not fall prey to this exploit either (unless
the attacker is coming from the internal network).

Microsoft has issued a patch for the problem, so sending a single
character of the password is no longer sufficient to connect to
Windows file sharing. I suggest you install it on any clients doing
peer-to-peer file sharing.

I have done some scanning for open file shares in the past, and have
found lots of systems that have enabled file sharing. File sharing
works well in an environment like a small office, in which you want to
share data with people close to you and you lack a central server.
File sharing is also common on home networks where there are two or
more systems. Either way, it makes sense to immediately patch any
Windows system that uses file sharing, and to use firewalls, even home
versions, to block attacks like this one.



ISN is hosted by SecurityFocus.com