Open SMB Shares

CAN 1999-0520

Summary

Malicious users exploiting this vulnerability may be able to read and/or write information to shared directories.

Impact

On Windows (95, 98, NT), OS/2 and Linux machines (running SAMBA), malicious users may be able to gain access to world-viewable, or open, shared directories. Once access has been gained, a hacker might be able to read any information found in the directory. A malicious user may also be able to write information to the open directory. As a result, sensitive information may be compromised and important system files may be deleted or modified. Also, trojan horse programs may be placed on a compromised directory and then inadvertently run by genuine users, causing damage to the target system. The amount of damage that could be done by a hacker exploiting this vulnerability is only limited by the hacker's imagination and by the importance of the files/information found in the compromised directory.

Background

A little background may help users understand this vulnerability a bit better. This vulnerability is identical to the Unrestricted NFS Access vulnerability. As anyone who has used a Windows or OS/2 product knows, both Windows (3.11/95/98/NT) and OS/2 allow for sharing system resources. In particular, information on one machine may be made accessible to other users by sharing the directory in which the information resides. Shared file systems act as drives and look, for all practical purposes, like file systems local to a user's machine (local drives). Unfortunately, once a directory has been shared, the share may be visible via the Internet. It is important to note that this vulnerability is also present in Linux machines running SAMBA (a UNIX-based Windows LAN manager). As an aside, Microsoft has used SMB as its main networked file system protocol since Windows NT 3.5.

The common link between Windows, OS/2 and SAMBA is a file sharing protocol named Server Message Block, or SMB. The SMB protocol provides a method for client applications on a computer to read and write to files on, and to request services from, servers in a computer network, and is the Windows equivalent to Sun's NFS, or Network File System. SMB can be used over the Internet (in conjunction with the TCP/IP protocol) as well as the local network (in conjunction with the IPX and the NetBEUI/NetBIOS protocols).

The Problem

The valuable service that the SMB protocol provides, remote resource sharing via the Internet, is also the source of the vulnerability. As with any service available via the Internet, there is a risk that an unauthorized user will be able to access it. This means, of course, that unauthorized users may be able to view, modify or even delete any files (data) found in the shared directories.

Resolution

For machines running Windows NT, the resolution to this vulnerability is to disable SMB over the Internet. This service may be disabled by accessing it through the Network Properties dialog boxes in the Control Panel.

For those who find this resolution impractical (or not applicable), the key to minimizing the inherent risks associated with using shared resources via the Internet is to have a thorough understanding of the security measures that must be implemented when setting up the shares. For instance, when creating shared resources on a Windows 95/98 machine, use User Level Access instead of Share Level Access controls. User Level Access asks a user for a username and password before allowing access to the resource in question, whereas Share Level Access allows anyone with access to the network to use shared resources. When creating shared resources on a Windows NT machine, it is important to assign rights to users of shared directories judiciously. For example, the default setting for any shared directory created on an NT system is for everyone to have full control of the data contained therein (meaning, of course, that all users on the network will be able to view, modify or delete data found in the shared directory). It is up to the creator of the shared directory (usually the administrator) to choose which users have access and what level of access they should have. Understanding and mastering Windows NT and OS/2 file and directory level security can be a difficult task, but is certainly one well worth undertaking. As with many security issues, the best defense against this vulnerability is knowledge.
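
On Linux machines running SAMBA, the same review of who can reach each share can be done by reading the server's configuration file. The following Python audit is an added example, not part of the original advisory: it lists shares that permit guest (password-less) access and whether that access is read-only or read-write. It assumes the smb.conf parameters "guest ok" (synonym "public") and "read only" (inverted synonyms "writable", "writeable", "write ok") with no backslash line continuations; the share names in the sample are constructed.

```python
import re

TRUE = {"yes", "true", "1", "on"}
WRITE_SYNONYMS = {"writable", "writeable", "writeok"}  # inverted "read only"
def parse_smb_conf(text):
    """Return {section: {param: value}} with Samba's synonyms folded together."""
    sections, current = {}, None
    for line in map(str.strip, text.splitlines()):
        if not line or line[0] in "#;":
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = sections.setdefault(header.group(1).strip().lower(), {})
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            key = re.sub(r"\s+", "", key).lower()  # names ignore case and spaces
            key = "guestok" if key == "public" else key  # "public" = "guest ok"
            flag = value.strip().lower() in TRUE
            if key in WRITE_SYNONYMS:
                key, flag = "readonly", not flag
            current[key] = flag if key in ("guestok", "readonly") else value.strip()
    return sections

def audit_open_shares(text):
    """List (share, access) for each share that allows guest access."""
    sections = parse_smb_conf(text)
    # Samba defaults: guest ok = no, read only = yes; [global] may override them.
    defaults = {"guestok": False, "readonly": True, **sections.get("global", {})}
    findings = []
    for name, params in sections.items():
        if name == "global":
            continue
        effective = {**defaults, **params}
        if effective["guestok"]:
            findings.append((name, "read-only" if effective["readonly"] else "read-write"))
    return findings

# Constructed sample configuration, not taken from the page.
SAMPLE = """
[global]
   security = user
[public]
   guest ok = yes
   Writeable = Yes
[docs]
   public = yes
[payroll]
   valid users = @finance
   read only = no
"""
```

Calling audit_open_shares(SAMPLE) reports [public] as guest read-write and [docs] as guest read-only; [payroll] is writable but requires a named user, so it is not listed.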

Other tips

There are perhaps hundreds of books dedicated to OS/2, Windows NT/98/95/3.11 and Linux SAMBA security issues. While no one book will be recommended here, chances are that a colleague will have a few suggestions, as might the many World Wide Web sites dedicated to security issues (see below).

Where can I read more about this?

To view a listing of sites dedicated to Windows NT security, and listings and reviews of security related books, visit the NTSecurity page. Other good sites dealing with NT Security include Microsoft's Security Advisor and Microsoft's Windows NT Security Site. To learn about Windows 95/98 security issues, as well as to find some nice security related publications and shareware/freeware, visit Windows95. A good site that contains information on all Windows operating systems is Windows Magazine's Windows Information site. OS/2 security information can be found in many of the newsgroups and web sites dedicated to OS/2 issues. Visit OS/2 WWW Homepage for a comprehensive listing of OS/2 web sites, usergroups, newsgroups and OS/2 related tips and information.

Information detailing how to configure SMB on Linux machines can be found at David Wood's SMB How To page. For detailed technical information on the SMB protocol, and its proposed successor (the CIFS protocol), visit the Microsoft SMB/CIFS Developer FTP site. And, for even more detailed technical information on SMB and resource sharing, read the Windows NT Blackpaper.