Re: NT Domain DoS and Security Exploit with SAMBA Server

  • To: NTBUGTRAQLISTSERV.NTBUGTRAQ.COM
  • Subject: Re: NT Domain DoS and Security Exploit with SAMBA Server
  • From: Paul L Schmehl <paulsUTDALLAS.EDU>
  • Date: Wed, 3 Mar 1999 10:18:08 -0600
  • Approved-By: Russ.CooperRC.ON.CA
  • In-Reply-To: <36DCBDA7.E38FAA38eng.auburn.edu>
  • Reply-To: Paul L Schmehl <paulsUTDALLAS.EDU>
  • Sender: Windows NT BugTraq Mailing List <NTBUGTRAQLISTSERV.NTBUGTRAQ.COM>

Comments below.

--On Tuesday, March 02, 1999, 10:42 PM -0600 Gerald Carter
<cartegweng.auburn.edu> wrote:

[snip]
>
> The moral is to not enable domain logons if you have an
> existing DC.  You don't try to run two PDCs concurrently.
> Same here

Of course.  The problem is SAMBA doesn't exchange tokens with the other DCs
before becoming a member of the Domain Server Group.  This isn't SAMBA's
fault, it's Microsoft's, for not having a secure method to register DCs.

Also, domain logons=yes is the default setting in the smb.conf file, so
this can be done completely without the knowledge of the individual setting
up SAMBA.  This is apparently still true in SAMBA 2.0, because the server I
mentioned in my post took down the domain without the knowledge of the
admin who set it up.
>
[snip]
>
> Don't get this.  So you wrote a mimic program. Not sure how
> this relates.  Could do this without Samba.

How?  You have to have something which is seen by clients as a DC with a
NETLOGON share before you can start processing logons.  You can't do that
with an NT server without knowing the domain administrator password.  You
can do it with SAMBA without any authentication at all.
>
> Again, just to clarify,
>
> * why are you trying to bring up two DCs (Samba and NT)?

We're not.  They do that by default.  And that's my point.  *Anyone* in
your organization can bring up a SAMBA server and take down the domain
(under the right circumstances, as posted).  This has already happened to us
twice, both times without the knowledge or approval of the IR department.

[snip]
>
> What's the difference?  The problem appears to be
> netbios name resolution and registration and not
> Samba.  Apologies if I misunderstood your post.

I'm not blaming SAMBA.  This is obviously a flaw in the fundamental design
of domain security, and Microsoft has acknowledged that.  The only point of
SAMBA being involved is it makes the task much easier because there's no
authentication and token exchange required.
>
> Comments and corrections always welcome.
> jerry carter
> ________________________________________________________________________
>                             Gerald ( Jerry ) Carter
> Engineering Network Services                           Auburn University
> jerryeng.auburn.edu             http://www.eng.auburn.edu/users/cartegw
>
>        "...a hundred billion castaways looking for a home."
>                                   - Sting "Message in a Bottle" ( 1979 )
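A configuration check added here to illustrate the default discussed in the thread; it is not code from this message or from the Samba project. It assumes only the smb.conf layout (bracketed sections, `key = value` lines, `#`/`;` comment lines) and reads the `[global]` section the way Samba does: parameter names are case- and whitespace-insensitive and the last occurrence wins.

```shell
#!/bin/sh
# Return 0 if the given smb.conf enables "domain logons" in [global]
# (the host would advertise itself as a domain controller), 1 if it is
# off or absent, 2 if the file cannot be read.  Pure awk; no Samba
# tools are required.
samba_domain_logons_enabled() {
    conf="$1"
    [ -r "$conf" ] || return 2
    awk '
        BEGIN { section = ""; enabled = 0 }
        { line = $0; gsub(/^[ \t]+|[ \t]+$/, "", line) }
        line == "" || line ~ /^[#;]/ { next }          # blank or comment line
        line ~ /^\[.*\]$/ {                              # section header
            section = tolower(substr(line, 2, length(line) - 2))
            gsub(/[ \t]/, "", section)
            next
        }
        section == "global" && index(line, "=") {
            key = substr(line, 1, index(line, "=") - 1)
            val = substr(line, index(line, "=") + 1)
            gsub(/[ \t]/, "", key)                       # "Domain Logons" == "domainlogons"
            gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (tolower(key) == "domainlogons") {
                v = tolower(val)                         # later lines override earlier ones
                enabled = (v == "yes" || v == "true" || v == "1")
            }
        }
        END { if (enabled) exit 0; else exit 1 }
    ' "$conf"
}

# Constructed sample configuration (not any real site's smb.conf).
sample=$(mktemp)
cat > "$sample" <<'EOF'
[global]
   workgroup = EXAMPLE
   ; the setting the thread is about
   Domain Logons = Yes
EOF
if samba_domain_logons_enabled "$sample"; then
    echo "WARNING: $sample advertises this host as a domain controller"
fi
rm -f "$sample"
```

Run it against each smb.conf found on the network, or drop the function into a configuration-audit script, to flag Samba hosts that will register themselves as DCs before they are joined to anything.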