Re: NT Domain DoS and Security Exploit with SAMBA Server


  • To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
  • Subject: Re: NT Domain DoS and Security Exploit with SAMBA Server
  • From: Gerald Carter <cartegw@Eng.Auburn.EDU>
  • Date: Tue, 2 Mar 1999 22:42:15 -0600
  • Approved-By: Russ.Cooper@RC.ON.CA
  • Comments: To: Paul L Schmehl <pauls@UTDALLAS.EDU>
  • Organization: Auburn University
  • References: <1269988670.920392990@pc2738.utdallas.edu>
  • Reply-To: jerry@Eng.Auburn.EDU
  • Sender: Windows NT BugTraq Mailing List <NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM>

Paul L Schmehl wrote:
>
> security=server
> password server=[hostname of PDC]
> domain controller=[hostname of PDC]

This is a boolean parameter in the current code (and obsolete
I might add).

> domain logons=yes
>
> domain logons will fail if the PDC is rebooted while the
> SAMBA server is still running.  We haven't yet determined
> *why* this is happening, but we can tell you *what* is
> happening

If you set the workgroup to be the same as the domain of
the NT PDC you are referring to, Samba will attempt to
register the workgroup<1b> record (due to domain logons being
enabled). Windows clients use this to locate the DC for their
workgroup.

> database, but it *does* appear in Server Manager, and
> reports itself as a Windows NT 4.2 Server.  After some period
> of time (which appears to be random, but less than 24 hours)
> it begins to report itself as a BDC (Windows NT 4.2 Backup.)

The announce as in Samba 2.0.3 allows you to advertise as a
workstation although the default is still to advertise as a
Server.

The moral is to not enable domain logons if you have an
existing DC.  You don't try to run two PDCs concurrently.
Same here.

> Microsoft's Security Response team has looked at this
> issue and determined that it cannot be addressed in NT 4.0
> due to the insecure nature of WINS and NTLM.

Correct.  The problem is the dynamic nature in which NetBIOS
names are registered and released.  It is insecure.

> We then wrote a program spoofing the Windows Logon
> screen, popped up an error message that essentially said
> "your logon had failed, please reenter your username/password"
> and were able to get users to enter their username/password
> combo into our program, which wrote them to a text file
> on the SAMBA server.

Don't get this.  So you wrote a mimic program. Not sure how
this relates.  Could do this without Samba.

Again, just to clarify,

* Why are you trying to bring up two DCs (Samba and NT)?

* Assuming that you are meaning that anyone on the network
  can do this, I agree it can disrupt service, but it is not
  specific to Samba.  Imagine this scenario:

    - I install a Windows NT Server as a PDC off the
      network in your domain.
    - Then I connect it to the network.
    - It will also attempt to take over, right?

What's the difference?  The problem appears to be
NetBIOS name resolution and registration and not
Samba.  Apologies if I misunderstood your post.
Comments and corrections always welcome.
jerry carter
________________________________________________________________________
                            Gerald ( Jerry ) Carter
Engineering Network Services                           Auburn University
jerry@eng.auburn.edu             http://www.eng.auburn.edu/users/cartegw

       "...a hundred billion castaways looking for a home."
                                  - Sting "Message in a Bottle" ( 1979 )
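As an added example (not code from the thread or from Samba), the following script lints the [global] section of an smb.conf for the combination Jerry warns against: "domain logons = yes" on a server that already defers authentication to an existing NT PDC, which makes Samba register the workgroup<1b> name and compete with that PDC. It also flags the obsolete "domain controller" parameter; treating "security = domain" as another existing-DC indicator and the sample hostnames are my assumptions.

```python
# Added example (not Samba's own code): lint an smb.conf [global] section
# for the conflict discussed in the thread: 'domain logons = yes' on a
# server that defers authentication to an existing NT PDC.
import re

# Constructed sample modelled on the configuration quoted in the thread.
SAMPLE_SMB_CONF = """
[global]
    workgroup = EXAMPLEDOM
    security = server
    password server = pdc-host
    domain controller = pdc-host
    domain logons = yes
"""
BOOL_TRUE = {"yes", "true", "1"}

def parse_global(text):
    # smb.conf keys are case-insensitive and may contain spaces;
    # lines starting with ';' or '#' are comments.
    section, out = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        m = re.match(r"\[(.+)\]$", line)
        if m:
            section = m.group(1).strip().lower()
            continue
        if section == "global" and "=" in line:
            key, val = line.split("=", 1)
            out[key.strip().lower()] = val.strip()
    return out

def lint_domain_logons(conf):
    # Returns a list of findings; an empty list means no conflict found.
    findings = []
    logons = conf.get("domain logons", "no").lower() in BOOL_TRUE
    security = conf.get("security", "user").lower()
    pdc = conf.get("password server", "")
    if logons and security in ("server", "domain") and pdc:
        # With domain logons on, Samba also registers the workgroup<1b>
        # name and competes with the PDC it is deferring to.
        findings.append("domain logons = yes while deferring to PDC %s" % pdc)
    if "domain controller" in conf:
        findings.append("'domain controller' is obsolete; remove it")
    return findings

if __name__ == "__main__":
    for f in lint_domain_logons(parse_global(SAMPLE_SMB_CONF)):
        print("WARNING:", f)
```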