COMMAND

    SMB

SYSTEMS AFFECTED

    WinNT

PROBLEM

    Brian Rectanus and Marc DeBonis appear to have discovered a very
    nasty DoS attack against the RPC/Services service in NT 4.0 Server.
    They tried it successfully against NT Server 4.0 SP3 and NT Server
    EE SP5 systems. All that is needed is that the Guest account be
    enabled on the victim server and that the victim server be sharing
    at least one share (Guest does not even need access to the share).
    Using the Samba 2.0.5 package on a Linux (Debian) platform, we run
    "smbtorture //machine/share RANDOMIPC" against the available share
    on the victim machine. Very quickly (less than 3 seconds later) the
    victim receives a Doctor Watson on its console saying an access
    violation has occurred in services.exe.

    Trying to bring up Event Viewer times out with the error "RPC
    server is too busy". The Workstation and Server services become
    unresponsive and no other shares are accessible. Trying to stop and
    restart RPCSS.EXE does not work. Attempting a shutdown or restart of
    the machine does not seem to work either (it hangs before shutdown).
    If you hard reset the machine you may see events in the System log
    from Srv, event 2006, "the server received an incorrectly formatted
    request from \\attacker", but again you may not.
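    The Srv event 2006 entries mentioned above are the only host-side
    trace this advisory names, and it warns they may not be written at
    all. The following added example (not part of the original advisory)
    parses a constructed, simplified tab-separated System log export,
    counts Srv 2006 "incorrectly formatted request" events per source
    machine name and flags sources at or above a threshold; the export
    layout, the sample lines and the threshold are assumptions.

```python
import re
from collections import Counter

# Constructed sample System log export (assumption: a simplified
# tab-separated "date, time, source, event id, message" layout; real
# Event Viewer exports differ, so adapt the field split to yours).
SAMPLE_SYSTEM_LOG = (
    "10/12/1999\t14:02:11\tSrv\t2006\tThe server received an incorrectly formatted request from \\\\ATTACKER.\n"
    "10/12/1999\t14:02:11\tSrv\t2006\tThe server received an incorrectly formatted request from \\\\ATTACKER.\n"
    "10/12/1999\t14:02:12\tSrv\t2006\tThe server received an incorrectly formatted request from \\\\ATTACKER.\n"
    "10/12/1999\t14:02:12\tSrv\t2006\tThe server received an incorrectly formatted request from \\\\ATTACKER.\n"
    "10/12/1999\t14:02:12\tSrv\t2006\tThe server received an incorrectly formatted request from \\\\ATTACKER.\n"
    "10/12/1999\t14:05:40\tSrv\t2006\tThe server received an incorrectly formatted request from \\\\FILESRV2.\n"
    "10/12/1999\t14:06:03\tBROWSER\t8015\tThe browser has forced an election on network \\\\Device\\\\NetBT_El59x1.\n"
)

# Source machine name as the NT message quotes it: a UNC prefix "\\NAME".
SOURCE_RE = re.compile(r"request from \\\\(?P<src>[^\s.]+)", re.IGNORECASE)


def parse_srv_2006(log_text):
    """Return the source machine names (upper-cased) of every Srv event 2006
    entry, in log order. Lines that are not Srv/2006 are ignored."""
    sources = []
    for line in log_text.splitlines():
        fields = line.split("\t", 4)
        if len(fields) < 5:
            continue
        _date, _time, source, event_id, message = fields
        if source != "Srv" or event_id != "2006":
            continue
        match = SOURCE_RE.search(message)
        if match:
            sources.append(match.group("src").upper())
    return sources


def flag_malformed_request_bursts(log_text, threshold=3):
    """Count Srv 2006 events per source and return {source: count} for
    those at or above threshold (the threshold is an assumed tuning value)."""
    counts = Counter(parse_srv_2006(log_text))
    return {src: n for src, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    for src, n in flag_malformed_request_bursts(SAMPLE_SYSTEM_LOG).items():
        print(f"{src}: {n} incorrectly formatted SMB requests (Srv 2006)")
```

    A single Srv 2006 from a known file server is ordinary noise; a
    burst from one source in a few seconds is the pattern worth a look.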

    What happens is that the very first time an smbd process connects
    to the PDC it makes an attempted connection with a deliberately bad
    password. The response under these circumstances from certain
    versions of NT 4.0 is to ACCEPT the connection, with guest
    privileges. Samba detects this and reports it in the log files at
    its maximum possible reporting level for administrators to pick up
    and then deal with the NT PDC as appropriate. Following the
    detection (which is only done once), the user is then validated
    with the same function call, cli_session_setup(), but this time
    with the correct user password. The code used in
    smbd/password.c:server_validate() to probe for broken guest
    behaviour is cli_session_setup(), which is exactly the same
    function that smbtorture uses to validate the user connection.
    However, smbtorture does not use cli_session_setup() to perform
    this "broken guest" test.

    If you send enough random IPC$ smbtrans requests (of the order of
    10^6) on an anonymous IPC$ connection, the same symptoms occur. The
    higher the privilege level, the more random IPC$ requests are
    accepted for processing (i.e. not rejected with ACCESS_DENIED) and
    the greater the chance of crashing the server.

SOLUTION

    To improve NT network security, block all SMB access at the
    firewall: port 139 for NT 4.0 and below, and both port 139 and port
    445 for NT 5.0.