From benc@geocel.com  Sat Sep 14 00:53:50 1996
Received: from pdx1.world.net (pdx1.world.net [192.243.32.18]) by suburbia.net (8.7.4/Proff-950810) with ESMTP id AAA01941 for <best-of-security@suburbia.net>; Sat, 14 Sep 1996 00:53:44 +1000
Received: from potassium.geocel.com (lithium.geocel.com [208.199.81.2]) by pdx1.world.net (8.7.5/8.7.3) with ESMTP id HAA29834 for <best-of-security@suburbia.net>; Fri, 13 Sep 1996 07:11:46 -0700 (PDT)
Received: from sodium.geocel.com ([208.199.81.111]) by potassium.geocel.com (8.7.5/8.7.5) with SMTP id JAA25500; Fri, 13 Sep 1996 09:09:27 -0500 (CDT)
Message-Id: <2.2.32.19960913140207.00706fa0@lithium>
X-Sender: benc@lithium
X-Mailer: Windows Eudora Pro Version 2.2 (32)
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Fri, 13 Sep 1996 09:02:07 -0500
To: Bernd Lehle <Bernd.Lehle@RUS.Uni-Stuttgart.DE>, BUGTRAQ@NETSPACE.ORG,
        best-of-security@suburbia.net
From: Ben Camp <benc@geocel.com>
Subject: Re: BoS: Attacks against NetBIOS via TCP/IP

Well, there are a couple of issues that make this interesting.  Windows NT
by default binds NetBIOS to TCP/IP.  So, if you do not have a domain
controller that you use to govern your authentication, then chances are very
high that you are vulnerable.

Samba makes a network probe of this type very simple.  Since people assume
their Windows network to be a LAN thing, imagine this type of situation:

ISP X has Machines A and B on the local ethernet.
-------------------------------------------------
Machine A is a Windows 95 machine.
Machine B is a Windows NT machine.
Company Q has an ISDN PPP from ISP X from which they base their business.

If either Machine A or Machine B has world-writable volumes (this is not at
all uncommon), then it is without any effort that anyone could do some nasty
things to anyone (including Company Q).

Say that someone connects to the Windows 95 machine (which has no access
logging abilities).  Then they go and write a program that sends HUGE ICMP
packets to the IP of the router at Company Q.  The ping flood off of the
Ether would pound Company Q.

So, how do you remotely execute programs on Windows 95?  Well, if you wrote
a program a little bit like this:

-----
#include <windows.h>

/* WinMain as posted: hands the ping invocation to ShellExecute */
int WINAPI WinMain(HINSTANCE hInstance, HINSTANCE hPrevInstance,
                   LPSTR lpCmdLine, int nShowCmd)
{
    ShellExecute(NULL, "run", "ping", "-t -l 10000", NULL, SW_HIDE);
    return 0;
}

-----

And inserted it in ... "C:\Windows\Start Menu\Programs\StartUp" directory,
then the next time someone logged into the machine it would start up.  Even
better, you could run a batch file that then removed it from the startup
group, and add a line to the autoexec to add it back in on bootup.  The
user (most any except someone looking for it) would never notice anything at
all.

Or, say that Machine A has a corporate database.  Say that it has a password
database (some places are dumb).

The original thing that people were worried about was people cracking the
.PWL files.

With a command line mailer that supports attachments you could mail yourself
things off the network drives.  You could start services, run an FTP server
that let you access all the network volumes.

Lotsa neat stuff.

THE FIX:
Unbind NetBIOS from TCP/IP AND
Filter ports 138/139 tcp and udp

At 10:12 AM 9/13/96 +0200, Bernd Lehle wrote:
>Hi there,
>
>after a talk with our PC/Intel guy at the Computer Center about what's
>going on right now with the PCs in our network I came to the following
>alarming idea:
>
>In TCP/IP dominated networking environments like universities there is
>an increasing number of PCs running Windows (3.11/95/NT) with NetBIOS
>services like sharing drives and printers.
>Normally NetBIOS (OSI layer 5) is transported via NetBEUI (OSI layer 3/4),
>which is a LAN-only protocol that cannot be routed.
>
>However, there is also the possibility of encapsulating the NetBIOS services
>in TCP/IP, which then can be routed through a campus LAN or out
>into the Internet.
>
>Maybe due to its history as a LAN protocol, NetBIOS over TCP/IP communicates
>almost entirely with broadcasts (IP and Ethernet). This has been
>verified with a sniffer. So security does not seem to be an issue.
>
>So it should be easy for someone who knows the odds and ends of NetBIOS
>to either modify the TCP/IP stack of Windows so it tries to send NetBIOS
>requests through TCP/IP specifically to remote machines, or use a UNIX
>box (e.g. Linux) with NetBIOS related services (Samba) to launch an attack
>against a remote Windows box.
>
>It does not seem to be very tempting to hack a Windows PC, but on the
>shared disks of Windows PCs in university offices there is often important
>data like grades or similar.
>
>Does anybody have experience with problems, attacks or defences for this
>kind of setup?
>
>We're trying to consider this problem in detail soon, but first we have
>to arrange a meeting with the PC guys and the (heavily UNIX-inclined)
>security guys :-)
>
>-- 
>> Bernd Lehle - Stuttgart University Computer Center * A supercomputer < 
>>      Visualization / Security / Astrophysics       * is a machine    <
>> lehle@rus.uni-stuttgart.de   Tel:+49-711-685-5531  * that runs an    < 
>>   http://www.tat.physik.uni-tuebingen.de/~lehle    * endless loop    < 
>>  pgp? -> finger bernd@visbl.rus.uni-stuttgart.de   * in 2 seconds    <
>
>
>


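The "THE FIX" section above says to filter NetBIOS ports at the border. As an added example (not code from either poster), the following Python implements that filter decision as a pure function and runs it over a constructed router log to flag the external NetBIOS probes the thread describes. The log line format, the site networks (192.0.2.0/24 inside, 203.0.113.0/24 outside) and the inclusion of port 137 alongside the 138/139 the post names are assumptions of this example.

```python
import ipaddress
import re

# NetBIOS over TCP/IP ports. The post names 138/139; 137 (name service) is
# added here as an assumption because it belongs to the same service family.
NETBIOS_PORTS = {137, 138, 139}

# Constructed log format (not from the post): one line per inbound packet.
LOG_RE = re.compile(
    r"proto=(?P<proto>tcp|udp) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)"
)


def border_policy(proto, src, dst, dport, local_nets):
    """Apply the post's fix at a router: NetBIOS traffic that crosses the
    site border is dropped, everything else passes unchanged."""
    nets = [ipaddress.ip_network(n) for n in local_nets]
    src_in = any(ipaddress.ip_address(src) in n for n in nets)
    dst_in = any(ipaddress.ip_address(dst) in n for n in nets)
    if proto in ("tcp", "udp") and dport in NETBIOS_PORTS and not (src_in and dst_in):
        return "drop"
    return "allow"


def audit_log(lines, local_nets):
    """Run the policy over log lines; return the (src, proto, dport) tuples
    that would have been dropped, i.e. NetBIOS traffic crossing the border."""
    flagged = []
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue  # lines that do not match the constructed format are skipped
        verdict = border_policy(m["proto"], m["src"], m["dst"], int(m["dport"]), local_nets)
        if verdict == "drop":
            flagged.append((m["src"], m["proto"], int(m["dport"])))
    return flagged


# Constructed sample: 192.0.2.0/24 plays the ISP's LAN, 203.0.113.0/24 the outside.
LOCAL_NETS = ["192.0.2.0/24"]
SAMPLE_LOG = [
    "Sep 13 09:02:07 router IN proto=tcp src=203.0.113.7 dst=192.0.2.10 dport=139",
    "Sep 13 09:02:09 router IN proto=udp src=203.0.113.7 dst=192.0.2.10 dport=137",
    "Sep 13 09:02:11 router IN proto=tcp src=192.0.2.20 dst=192.0.2.10 dport=139",
    "Sep 13 09:02:15 router IN proto=tcp src=203.0.113.9 dst=192.0.2.10 dport=25",
]

if __name__ == "__main__":
    for hit in audit_log(SAMPLE_LOG, LOCAL_NETS):
        print("NetBIOS traffic crossing the border:", hit)
```

The LAN-internal share access on the third line passes, as it should; only the two packets from outside the site are flagged.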