kirk johnson
2002-Nov-19 05:05 UTC
[Samba] IPC$ share accessible with arbitrary usernames/passwords
MM = M Maki (1 Oct 2002)
AB = Andrew Bartlett (2 Oct 2002)

MM > I have a couple of Samba (2.0.7 & 2.2.0) servers I scanned with
   > Nessus and they reported a security hole of "Possible to login
   > to the remote host using a NULL session" I have a couple of NT
   > servers I disabled with a registry edit. Is there a way to
   > prevent this on the Samba servers or is it even a valid issue?

AB > Samba HEAD starts to add some of this, but the manpage is
   > completely inaccurate...
   >
   > Set 'restrict anonymous = 1' should get you the start.
   >
   > I'm looking into how to best implement 'restrict anonymous = 2'.
   >
   > In the meantime, if you set 'auth methods = sam' (for standalone
   > servers) then it will skip the 'guest' module, and deny all
   > anonymous connections. However, this will break browsing and
   > other services.

i have the same basic question -- i'm running samba 2.0.6 on some
linux boxes, and nessus complains about several "Risk factor: High"
bugs that all seem to boil down to the fact that IPC$ can be accessed
with any username and password.

i tried both the 'restrict anonymous = 1' and 'auth methods = sam'
tweaks suggested by andrew, but neither seems to make a difference --
smbclient can still connect to \\targethost\IPC$ using arbitrary
usernames and passwords.

i'm also unclear (both from my own lack of windows/samba knowledge and
from andrew's answer, quoted above) whether or not the ability to
access IPC$ using arbitrary usernames/passwords is actually a security
issue with samba/linux, or if this is perhaps only an issue for
genuine microsoft SMB implementations?

i've searched far and wide on th' net trying to find more information
about this, but other than the two e-mail messages quoted above, have
pretty much failed miserably.

any further information on this subject (e.g., whether or not IPC$
being exposed in this way is actually a security risk, possible
workarounds, including upgrading to newer versions of samba, etc.)
that folks might be able to provide would be much appreciated.

thanks in advance,
kirk
Andrew Bartlett
2002-Nov-19 07:50 UTC
[Samba] IPC$ share accessible with arbitrary usernames/passwords
On Tue, 2002-11-19 at 16:05, kirk johnson wrote:

> MM = M Maki (1 Oct 2002)
> AB = Andrew Bartlett (2 Oct 2002)
>
> MM > I have a couple of Samba (2.0.7 & 2.2.0) servers I scanned with
>    > Nessus and they reported a security hole of "Possible to login
>    > to the remote host using a NULL session" I have a couple of NT
>    > servers I disabled with a registry edit. Is there a way to
>    > prevent this on the Samba servers or is it even a valid issue?
>
> AB > Samba HEAD starts to add some of this, but the manpage is
>    > completely inaccurate...
>    >
>    > Set 'restrict anonymous = 1' should get you the start.
>    >
>    > I'm looking into how to best implement 'restrict anonymous = 2'.
>    >
>    > In the meantime, if you set 'auth methods = sam' (for standalone
>    > servers) then it will skip the 'guest' module, and deny all
>    > anonymous connections. However, this will break browsing and
>    > other services.
>
> i have the same basic question -- i'm running samba 2.0.6 on some
> linux boxes, and nessus complains about several "Risk factor: High"
> bugs that all seem to boil down to the fact that IPC$ can be accessed
> with any username and password.
>
> i tried both the 'restrict anonymous = 1' and 'auth methods = sam'
> tweaks suggested by andrew, but neither seems to make a difference --
> smbclient can still connect to \\targethost\IPC$ using arbitrary
> usernames and passwords.

Both options are only in Samba 3.0. Run 'testparm', before you wonder
why an option doesn't work.

> i'm also unclear (both from my own lack of windows/samba knowledge and
> from andrew's answer, quoted above) whether or not the ability to
> access IPC$ using arbitrary usernames/passwords is actually a security
> issue with samba/linux, or if this is perhaps only an issue for
> genuine microsoft SMB implementations?

It's an information leak - an unauthenticated user can find out a list
of all users. Interestingly, much of this information can be inferred
from other calls that are not controlled by 'restrict anonymous = 1'.

> i've searched far and wide on th' net trying to find more information
> about this, but other than the two e-mail messages quoted above, have
> pretty much failed miserably.
>
> any further information on this subject (e.g., whether or not IPC$
> being exposed in this way is actually a security risk, possible
> workarounds, including upgrading to newer versions of samba, etc.)
> that folks might be able to provide would be much appreciated.

Samba 3.0 implements 'restrict anonymous = 1'. I'm about to add
'restrict anonymous = 2' support. (Which locks down all guest access to
IPC$, but breaks lots of things, like PDC and browse master support).

Andrew Bartlett

--
Andrew Bartlett abartlet@pcug.org.au
Manager, Authentication Subsystems, Samba Team abartlet@samba.org
Student Network Administrator, Hawker College abartlet@hawkerc.net
http://samba.org http://build.samba.org http://hawkerc.net
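The 'testparm' check recommended in the reply above, as an added example that is not part of the original thread or of Samba itself: it classifies the two parameters discussed here as ignored, active or unset from testparm's output. The sample outputs are constructed, and the "Unknown parameter" wording is assumed to match what your testparm build prints.

```shell
#!/bin/sh
# Added example: tell whether the hardening parameters from this thread are
# honoured by the installed Samba, based on the text testparm prints.
# Real use:  testparm -s /etc/samba/smb.conf 2>&1 | check_params

# Parameters discussed in this thread, one per line.
PARAMS='restrict anonymous
auth methods'

# Reads testparm output on stdin; prints "<param>: <status>" per parameter.
#   ignored = reported as an unknown parameter (this build does not have it)
#   active  = present in the dumped effective configuration
#   unset   = neither; not configured, or left at its default
check_params() {
    out=$(cat)
    printf '%s\n' "$PARAMS" | while IFS= read -r p; do
        if printf '%s\n' "$out" | grep -qiE "unknown parameter[^\"]*\"$p\""; then
            echo "$p: ignored"
        elif printf '%s\n' "$out" | grep -qiE "^[[:space:]]*$p[[:space:]]*="; then
            echo "$p: active"
        else
            echo "$p: unset"
        fi
    done
}

# Constructed sample: a build that does not know either option.
OLD_OUTPUT='Load smb config files from /etc/samba/smb.conf
Unknown parameter encountered: "restrict anonymous"
Ignoring unknown parameter "restrict anonymous"
Unknown parameter encountered: "auth methods"
Ignoring unknown parameter "auth methods"
Loaded services file OK.
[global]
    workgroup = EXAMPLE'

# Constructed sample: a build that accepts restrict anonymous.
NEW_OUTPUT='Load smb config files from /etc/samba/smb.conf
Loaded services file OK.
[global]
    workgroup = EXAMPLE
    restrict anonymous = 1'

echo "== older build =="; printf '%s\n' "$OLD_OUTPUT" | check_params
echo "== newer build =="; printf '%s\n' "$NEW_OUTPUT" | check_params
```

An "ignored" result means the line in smb.conf has no effect on that server, which matches the behaviour described for 2.0.6 in this thread.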