
issfileshare.htm

Posted Aug 17, 1999

No information is available for this file.

tags | paper
SHA-256 | dd2c373b02c22ee1905e1ce97747b485c9f7cdce0b925a1f83d73e1c73bb3296

<HTML>



<BODY>



<B>File Sharing: Unknown Dangers on your network.</B>



<P>



The networking capabilities of the Windows NT/95 operating systems come with some security issues that people should know about.



<P>



You can quickly scan a network, identify any Win95/NT machine,
grab a list of the resources available through the machine, and
attempt to access those resources. Once access to a file
shared resource is gained, we attempt to see if the ".." bug exists.
As we scan, we also send a message to each user on the machine,
telling them that they have been scanned.



<P>



One of the problems with Win95/NT/WfWg is the same problem that
exists in almost every configurable device on the network:
the users have not configured it securely. We have found that
most people who set up sharable directories have left them passwordless.
This allows any intruder on the Internet to steal files
and possibly modify or delete them.



<P>



The password mechanism on these systems has many flaws.



It is easy to write a program that does automated password checking.



Here is the choice of possible passwords we try:



<UL>



<LI>Typical user passwords such as WORKGROUP, WINDOWS, USER, ADMIN, etc.



<LI>Passwords derived from the list of resources and users logged



in.



<LI>Passwords attempted from a dictionary file supplied by the



administrator or any standard dictionary.



</UL>







<P>



As you are well aware, even when a password is used, the
chance of finding an easily guessable password is quite high.
In the scans we have done, we run the brute force attack
at about 200 passwords/second. We do about 18,000 password attempts
in under 2 minutes.



<P>



Windows 95 has no mechanism for locking out further access attempts,
so the intruder can endlessly pound away on your machines.



<P>



Windows 95 has no logging of any of these attempts. Not only can an
intruder try quite a large number of passwords in a short
period of time, there is no log of these attempts. Knowing someone
is attempting to attack is as important as fixing the problems
themselves.



<P>



Once the scan accesses a file shared directory, it attempts to
determine if the machine is vulnerable to the ".." bug.
This bug allows intruders to access the rest of the hard drive,
even though the machine is configured to only allow access to
a certain directory.



<P>



The bug is effective because the OS does not properly check for
"..", "...", and "..\", which
give access to directories above the shared directory.
This same type of bug is found in older NFS implementations on
Unix.
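The missing check, sketched as an added example (not code from the original paper or from any vendor): an unchecked join beside a resolver that rejects the dot forms listed above. The function names and the C:\SHARE root are hypothetical; `ntpath` is used so the Windows path rules apply on any platform.

```python
import ntpath  # Windows path rules, importable on any platform
import re

DOTS_ONLY = re.compile(r"^\.{2,}$")  # "..", "...", "...." and so on

def naive_resolve(share_root, requested):
    # The flawed pattern: join and use the result without any check.
    return ntpath.normpath(ntpath.join(share_root, requested))

def safe_resolve(share_root, requested):
    """Return the path inside share_root, or None if the request is rejected."""
    parts = []
    for comp in re.split(r"[\\/]+", requested):
        comp = comp.rstrip(" ")          # Windows ignores trailing spaces
        if comp in ("", "."):
            continue
        if DOTS_ONLY.match(comp) or ":" in comp:
            return None                  # parent reference, drive or stream syntax
        parts.append(comp)
    root = ntpath.normpath(share_root)
    full = ntpath.normpath(ntpath.join(root, *parts))
    # Defence in depth: the result must still sit under the share root.
    prefix = root.rstrip("\\").lower() + "\\"
    if full.lower() != root.lower() and not full.lower().startswith(prefix):
        return None
    return full
```

Rejecting every dot-only component matters because a normalise-then-compare check on its own only understands "..", and would pass "..." through as an ordinary name.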



<p>



The file sharing service, if available and accessible by anyone, can be used to
crash an NT 3.51 machine with the dot..dot bug, requiring it to be rebooted.
This technique on a Windows 95 machine potentially allows anyone to gain
access to the whole hard drive. This vulnerability is documented in
Microsoft Knowledge Base article number Q140818, last revision dated March
15, 1996. The resolution is to install the latest service pack for Windows NT
version 3.51. The latest service pack containing the patch is service pack
4.











<P>



It is easy for a network scanner to send a message through the popup program
to let the users know they were scanned. The problem with this
message utility is that the popup program lacks any authentication; therefore
an intruder could masquerade as the administrator and tell everyone
to make their directories sharable because he/she needs access
to them. It would not be the first time a user fell prey to this
type of attack.



<P>



Here are some future improvements in security for the resource



sharable file system (some of these features are on NT, but



not available on Win95):



<UL>



<LI>better logging of bruteforce attempts



<LI>put a delay in there after each bad password attempt to slow



down brute force attacks



<LI>possibly locking out file sharing attempts after X number



of tries



<LI>allow/deny capabilities based on host addresses



<LI>better authentication of popup messages



</UL>
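The first four improvements in the list above (logging, a delay after each bad password, lockout after X tries, and host allow/deny), sketched as an added example that is not part of the original paper. The class name, thresholds and addresses are assumptions; `guesses_tested` replays the 200 passwords/second rate quoted earlier to show how many guesses actually reach the password check.

```python
import ipaddress
import logging

log = logging.getLogger("share-auth")

class ShareAuthGuard:
    """Per-host throttle for share password attempts (hypothetical design)."""

    def __init__(self, allowed_nets, max_failures=5, base_delay=1.0, lockout=900.0):
        self.allowed = [ipaddress.ip_network(n) for n in allowed_nets]
        self.max_failures = max_failures   # the "X number of tries"
        self.base_delay = base_delay       # seconds, doubled per failure
        self.lockout = lockout             # seconds
        self.state = {}   # host -> (consecutive failures, earliest next attempt)

    def check(self, host, now):
        """Return 'deny', 'wait' or 'ok' for an attempt from host at time now."""
        addr = ipaddress.ip_address(host)
        if not any(addr in net for net in self.allowed):
            log.warning("attempt from host outside allow list: %s", host)
            return "deny"
        _, not_before = self.state.get(host, (0, 0.0))
        return "wait" if now < not_before else "ok"

    def record(self, host, success, now):
        """Record the outcome of a password check and update the throttle."""
        if success:
            self.state.pop(host, None)
            return
        failures = self.state.get(host, (0, 0.0))[0] + 1
        if failures >= self.max_failures:
            delay = self.lockout
            log.error("host %s locked out after %d bad passwords", host, failures)
        else:
            delay = self.base_delay * 2 ** (failures - 1)   # 1s, 2s, 4s, ...
            log.warning("bad password from %s (%d in a row)", host, failures)
        self.state[host] = (failures, now + delay)

def guesses_tested(guard, host, rate=200, seconds=120):
    """Count wrong guesses that reach the password check at `rate` per second."""
    tested = 0
    for i in range(rate * seconds):
        now = i / rate
        if guard.check(host, now) == "ok":
            guard.record(host, False, now)
            tested += 1
    return tested
```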







<P>



User education needs to take place to ensure proper configuration.



Here are some essential procedures to follow to have a more secure



network:



<UL>



<LI>users need to password protect all resources



<LI>users must pick difficult to guess passwords



<LI>users should never give others access or passwords to their



systems unless it is through an authenticated process



<LI>users should install the security patches provided by vendors



</UL>







<P>



Firewalls:



<P>



The SMB protocol, over which file sharing takes place, uses UDP/TCP
ports 137, 138, and 139. Make sure your firewalls/routers block
these ports.



<HR NOSHADE>







</html>