Open SMB Shares
CAN 1999-0520
Summary
Malicious users exploiting this vulnerability may be able to read and/or write information to
shared directories.
Impact
On Windows (95, 98, NT), OS/2 and Linux machines (running SAMBA), malicious users may be able to
gain access to world-viewable, or open, shared directories. Once access has been gained, a hacker
might be able to read any information found in the directory. A malicious user may also be able
to write information to the open directory. As a result, sensitive information may be compromised
and important system files may be deleted or modified. Also, trojan horse programs may be placed
on a compromised directory and then inadvertently run by genuine users, causing damage to the
target system. The amount of damage that could be done by a hacker exploiting this vulnerability
is only limited by the hacker's imagination and by the importance of the files/information found
in the compromised directory.
Background
A little background may help users understand this vulnerability a bit better.
This vulnerability is identical to the Unrestricted NFS Access vulnerability.
As anyone who has used a Windows or OS/2 product knows, both Windows (3.11/95/98/NT) and OS/2
allow for sharing system resources. In particular, information on one machine may be made
accessible to other users by sharing the directory in which the information resides. Shared
file systems act as drives and look, for all practical purposes, like file systems local to a
user's machine (local drives). Unfortunately, once a directory has been shared, the share may
be visible via the Internet. It is important to note that this vulnerability is also present in
Linux machines running SAMBA (a UNIX-based Windows LAN manager). As an aside, Microsoft has
used SMB as its main networked file system protocol since Windows NT 3.5.
The common link between Windows, OS/2 and SAMBA is a file sharing protocol named Server Message
Block, or SMB. The SMB protocol provides a method for client applications on a computer to read
and write to files on, and to request services from, servers in a computer network, and is the
Windows equivalent to Sun's NFS, or Network File System. SMB can be used over the Internet (in
conjunction with the TCP/IP protocol) as well as the local network (in conjunction with the IPX
and the NetBEUI/NetBIOS protocols).
The Problem
The valuable service that the SMB protocol provides, remote resource sharing via the Internet,
is also the source of the vulnerability. As with any service available via the Internet, there
is a risk that an unauthorized user will be able to access it. This means, of course, that
unauthorized users may be able to view, modify or even delete any files (data) found in the
shared directories.
Resolution
For machines running Windows NT, the resolution to this vulnerability is to disable SMB
over the Internet. This service may be disabled by accessing it through the Network Properties
dialog boxes in the Control Panel.
For those who find this resolution impractical (or not applicable), the key to minimizing the
inherent risks associated with using shared resources via the Internet is to have a thorough
understanding of the security measures that must be implemented when setting up the shares. For
instance, when creating shared resources on a Windows 95/98 machine, use User Level Access
instead of Share Level Access controls. User Level Access asks a user for a username and password
before allowing access to the resource in question, whereas Share Level Access allows anyone with
access to the network to use shared resources. When creating shared resources on a Windows NT
machine, it is important to assign rights to users of shared directories judiciously. For
example, the default setting for any shared directory created on an NT system is for everyone to
have full control of the data contained therein (meaning, of course, that all users on the
network will be able to view, modify or delete data found in the shared directory). It is up to
the creator of the shared directory (usually the administrator) to choose which users have access
and what level of access they should have. Understanding and mastering Windows NT and OS/2 file
and directory level security can be a difficult task, but is certainly one well worth
undertaking. As with many security issues, the best defense against this vulnerability is
knowledge.
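For the SAMBA case, the following added example (not part of the original advisory) audits an smb.conf and reports every share that can be reached without a username and password, and whether it is writable. The sample configuration is constructed for illustration; `guest ok`/`public` and `read only`/`writable`/`writeable`/`write ok` are standard smb.conf parameters, and settings in `[global]` are treated as defaults for each share.

```python
import configparser

# Constructed sample smb.conf for illustration; not taken from the original page.
SAMPLE_SMB_CONF = """
[global]
    workgroup = EXAMPLE
[public]
    path = /srv/public
    guest ok = yes
    writable = yes
[docs]
    path = /srv/docs
    Public = Yes
[finance]
    path = /srv/finance
    valid users = alice, bob
    read only = no
"""

TRUE_VALUES = {"yes", "true", "1"}  # smb.conf booleans: yes/no, true/false, 1/0

def _resolve(params, guest, read_only):
    """Apply one section's settings on top of the inherited values."""
    for key, value in params.items():
        enabled = (value or "").strip().lower() in TRUE_VALUES
        if key in ("guestok", "public"):  # "public" is a synonym for "guest ok"
            guest = enabled
        elif key == "readonly":
            read_only = enabled
        elif key in ("writable", "writeable", "writeok"):  # inverted synonyms
            read_only = not enabled
    return guest, read_only

def audit_shares(conf_text):
    """Map each guest-accessible share to 'read-only' or 'read-write'."""
    parser = configparser.RawConfigParser(strict=False, allow_no_value=True, delimiters=("=",))
    # Samba ignores case and embedded whitespace in parameter names.
    parser.optionxform = lambda name: "".join(name.lower().split())
    # Strip indentation so configparser does not treat lines as continuations.
    parser.read_string("\n".join(l.strip() for l in conf_text.splitlines()))
    sections = {s.lower(): dict(parser[s]) for s in parser.sections()}
    # [global] supplies defaults; Samba's own are guest ok = no, read only = yes.
    inherited = _resolve(sections.pop("global", {}), False, True)
    findings = {}
    for share, params in sections.items():
        guest, read_only = _resolve(params, *inherited)
        if guest:
            findings[share] = "read-only" if read_only else "read-write"
    return findings
```

Calling `audit_shares(SAMPLE_SMB_CONF)` flags `public` as read-write and `docs` as read-only, and leaves `finance` out because it does not allow guest access.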
Other tips
There are perhaps hundreds of books dedicated to OS/2, Windows NT/98/95/3.11 and Linux SAMBA
security issues. While no one book will be recommended here, chances are that a colleague will
have a few suggestions, as might the many World Wide Web sites dedicated to security issues
(see below).
Where can I read more about this?
To view a listing of sites dedicated to Windows NT security, and listings and reviews of
security related books, visit the NTSecurity page. Other good sites dealing with NT Security
include Microsoft's Security Advisor and Microsoft's Windows NT Security Site. To learn about
Windows 95/98 security issues, as well as to find some nice security related publications and
shareware/freeware, visit Windows95. A good site that contains information on all Windows
operating systems is Windows Magazine's Windows Information site. OS/2 security information can
be found in many of the newsgroups and web sites dedicated to OS/2 issues. Visit OS/2 WWW
Homepage for a comprehensive listing of OS/2 web sites, usergroups, newsgroups and OS/2 related
tips and information. Information detailing how to configure SMB on Linux machines can be found
at David Wood's SMB How To page. For detailed technical information on the SMB protocol, and its
proposed successor (the CIFS protocol), visit the Microsoft SMB/CIFS Developer FTP site. And,
for even more detailed technical information on SMB and resource sharing, read the Windows NT
Blackpaper.