<HTML>
<BODY>
<B>File Sharing: Unknown Dangers on your network.</B>
<P>
The networking capabilities of the Windows NT/95 operating systems come with some security issues that people should know about.
<P>
You can quickly scan a network, identify any Win95/NT machine,
grab a list of the resources available through the machine, and
attempt to access those resources. Once access to a file
shared resource has been gained, we check whether the ".." bug exists.
As we scan, we also send a message to each user on the machine
telling them that they have been scanned.
<P>
One of the problems with Win95/NT/WfWg is the same problem that
exists in almost every configurable device on the network:
the users have not configured it securely. We have found that
most people who set up sharable directories have left them passwordless.
This allows any intruder on the Internet to steal files
and possibly modify or delete them.
<P>
The password mechanism on these systems has many flaws.
It is easy to write a program that does automated password checking.
These are the kinds of passwords we try:
<UL>
<LI>Typical user passwords such as WORKGROUP, WINDOWS, USER, ADMIN, etc...
<LI>Passwords derived from the list of resources and users logged
in.
<LI>Passwords attempted from a dictionary file supplied by the
administrator or any standard dictionary.
</UL>
<P>
As you are well aware, even when a password is used, the
chance of finding an easily guessable password is quite high.
In the scans we have done, the brute force attack runs
at about 200 passwords/second. We make about 18,000 password attempts
in under 2 minutes.
<P>
Windows 95 has no mechanism for locking out further access attempts,
so the intruder can endlessly pound away on your machines.
<P>
Windows 95 has no logging of any of these attempts. Not only can
an intruder try a large number of passwords in a short
period of time, but there is no log of these attempts. Knowing that someone
is attempting an attack is as important as fixing the problems
themselves.
<P>
Once the scan accesses a file shared directory, it attempts to
determine if the machine is vulnerable to the ".." bug.
This bug allows intruders to access the rest of the hard drive,
even though the machine is configured to only allow access to
a certain directory.
<P>
The bug is effective because the OS does not properly check for
"..", "...", and "..\" which would
give you access to directories above the directory file shared.
This same type of bug is found on older NFS implementations on
Unix.
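<P>
As an added illustration (not code from the original advisory or from Microsoft), here is the component-wise check a file server needs so that "..", "...", and "..\" cannot climb out of the shared directory. The function name share_path_is_safe and the sample paths are hypothetical, and the check is deliberately strict: it also refuses empty components such as a trailing separator.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Hypothetical helper (not from the advisory): decide whether a
 * client-supplied path, relative to the shared directory, stays inside it. */

/* True if the component is empty or made only of dots and spaces:
 * ".", "..", "...", ".. " and so on. Spaces are included conservatively,
 * in case a lower layer trims them and is left with a dot component. */
static bool dots_only(const char *s, size_t len)
{
    for (size_t i = 0; i < len; i++)
        if (s[i] != '.' && s[i] != ' ')
            return false;
    return true;
}

bool share_path_is_safe(const char *rel)
{
    if (rel == NULL || rel[0] == '\0')
        return false;
    /* Refuse absolute and drive-qualified forms: "\x", "/x", "C:x". */
    if (rel[0] == '\\' || rel[0] == '/' || strchr(rel, ':') != NULL)
        return false;

    const char *p = rel;
    for (;;) {
        size_t len = strcspn(p, "\\/");  /* either separator ends a component */
        /* An all-dot component is never a real file name, so refuse it
         * rather than work out how many levels it would climb. */
        if (dots_only(p, len))
            return false;
        if (p[len] == '\0')
            return true;                 /* every component was acceptable */
        p += len + 1;                    /* step past the separator */
    }
}
```

The check works on whole path components, so a legitimate name that merely contains dots (for example a..b.txt) is still accepted.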
<p>
If the file sharing service is available and accessible, anyone can crash the
NT 3.51 machine by using the dot..dot bug, requiring it to be rebooted.
This technique on a Windows 95 machine potentially allows anyone to gain
access to the whole hard drive. This vulnerability is documented in
Microsoft Knowledge Base article number Q140818, last revision dated March
15, 1996. The resolution is to install the latest service pack for Windows NT
version 3.51. The latest service pack to include the patch is service pack
4.
<P>
It is easy for a network scanner to send a message through the popup program
to let the users know they were scanned. The problem with this
message utility is that the popup program lacks any authentication. Therefore,
an intruder could masquerade as the administrator and tell everyone
to make their directories sharable because he/she needs access
to them. It would not be the first time a user fell prey to this
type of attack.
<P>
Here are some future improvements in security for the resource
sharable file system (some of these features are on NT, but
not available on Win95):
<UL>
<LI>better logging of bruteforce attempts
<LI>put a delay in there after each bad password attempt to slow
down brute force attacks
<LI>possibly locking out file sharing attempts after X number
of tries
<LI>allow/deny capabilities based on host addresses
<LI>better authentication of popup messages
</UL>
<P>
User education needs to take place to ensure proper configuration.
Here are some essential procedures to follow to have a more secure
network:
<UL>
<LI>users need to password protect all resources
<LI>users must pick difficult to guess passwords
<LI>users should never give others access or passwords to their
systems unless it is through an authenticated process
<LI>users should install the security patches provided by vendors
</UL>
<P>
Firewalls:
<P>
The SMB protocol, over which file sharing takes place, uses udp/tcp
ports 137, 138, and 139. Make sure your firewalls/routers block
these ports.
<HR NOSHADE>
</html>