COMMAND

    smbmount

SYSTEMS AFFECTED

    Win NT 4.0

PROBLEM

    Vytautas Vysniauskas reported a very serious bug in NT 4.0 Server:
    a user who is granted read-only (r/o) access to any point of a
    filesystem can easily crash the NT 4.0 server.

    The client user (who is granted r/o access) works on a Linux box
    with root privileges and mounts the NT server disk as follows:

        linux# smbmount //ntserver/service /mnt -U client_name

    "df" shows mounted volume like

        //ntserver/service            530176  458224    71952     86% /mnt

    Now when you try to list the volume with

        ls /mnt

    the command hangs (but it is possible to kill the process from
    another root shell).  The NT server switches to a blue console
    screen and crashes immediately, showing the diagnostic message

    *** STOP 0x0000000A (0x00000000, 0x00000002, 0x00000001, 0x8012C28A)
    IRQL_NOT_LESS_OR_EQUAL

    NOTE: this situation only arises with an incorrectly working
    smbmount utility, namely:

    Linux version 2.0.25
    smbmount  utility  from  smbfs-2.0.1.tgz  package  (available   at
    ftp.gwdg.de/pub/linux/misc/smbfs or
    sunsite.unc.edu/pub/Linux/filesystems/smbfs).

    This package requires at least Linux version 2.0.28 and contains
    fixes to the standard smbfs module, so it is not expected to work
    correctly with version 2.0.25.  However, instead of simply failing,
    the mismatched smbmount crashes the NT server completely...

    This situation was tested on NT 4.0 Server and NT 4.0 Workstation
    platforms upgraded with the following patches:

    Windows NT version 4.0, build 1381, Service Pack 2

    Q135707Q141239NTOSKRNLFIX was installed on Feb 23, 1997 at 16:41:21.
    Q163213 TCPIP DRIVER UPDATE was installed on Feb 23, 1997 at 16:41:47.
    Q163333SERIALFIX was installed on Mar 03, 1997 at 21:43:42.
    RPC SERVER CPU USAGE FIX was installed on Feb 23, 1997 at 16:41:33.

    with every test ending in exactly the same system crash.

    Note that NT server hardware configuration was:

        P5/133x2, 64Mb RAM, 3c595 PCI, Buslogic Flash Point SCSI  disk
        controller

    and NT workstation hardware configuration:

        P5/133, 32Mb RAM, 3c509 ISA, EIDE disk controller

    The NT system crash was caused by an incompatible version of the
    "smbmount" utility used to mount an NT system disk (granted with
    r/o privileges) from a Linux client system.  "Incompatibility"
    means that this utility was compiled for a newer Linux kernel
    version but used on an older Linux system.

    David LeBlanc noticed that the problem is _not_ dependent upon
    read-only permissions; he has reproduced it with full control
    permissions, too.  In other words, anyone with the triggering
    combination of smbmount and Linux kernel who can attach to your
    share can crash any NT 4.0 machine.

SOLUTION

    Smbmount/smbumount work just fine with a Linux 2.0.29 client
    (installing the smbfs-2.0.1 package patches the smbfs kernel
    module, so it must be done before the 2.0.29 kernel is compiled).
    Compiled binaries (smbmount/smbumount) are available at:

        ftp://puni.osf.lt/pub/windows/ntmount.tgz

    Use it at your own risk.  It should work correctly with a 2.0.29
    (patched) kernel, but produces the NT system crash when used on a
    2.0.25 Linux system.
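    Since the crash is tied to running the smbfs-2.0.1 smbmount on a
    kernel older than the 2.0.28 it requires, a client-side wrapper can
    compare the running kernel version against that minimum and refuse
    to invoke the tool otherwise.  The script below is an added example
    for this advisory, not code from the advisory or from the smbfs
    package; the function names version_ge and safe_smbmount are
    assumptions, and the real smbmount call is left commented out.

```shell
#!/bin/sh
# Added example, not part of the original advisory or the smbfs package.
# Refuse to run the smbfs-2.0.1 smbmount on a kernel older than the
# 2.0.28 it requires, since that combination is what crashes NT 4.0.

# version_ge HAVE WANT: exit 0 if dotted version HAVE >= WANT.
# Compares the first three fields numerically; missing fields count as 0
# and non-numeric suffixes such as "-pre" are ignored (assumption).
version_ge() {
    have=$1; want=$2
    i=1
    while [ "$i" -le 3 ]; do
        h=$(echo "$have" | cut -d. -f"$i" | sed 's/[^0-9].*//')
        w=$(echo "$want" | cut -d. -f"$i" | sed 's/[^0-9].*//')
        h=${h:-0}; w=${w:-0}
        if [ "$h" -gt "$w" ]; then return 0; fi
        if [ "$h" -lt "$w" ]; then return 1; fi
        i=$((i + 1))
    done
    return 0
}

# safe_smbmount ARGS...: hypothetical wrapper that only calls smbmount
# when the running kernel meets the minimum the smbfs package needs.
safe_smbmount() {
    min=2.0.28
    running=$(uname -r)
    if version_ge "$running" "$min"; then
        echo "kernel $running >= $min, would run: smbmount $*"
        # smbmount "$@"    # uncomment on a real smbfs client
        return 0
    fi
    echo "kernel $running is older than $min; this smbmount is known to" \
         "crash NT 4.0 servers, refusing to run" >&2
    return 1
}

# Usage on a client (constructed share name from the advisory):
#   safe_smbmount //ntserver/service /mnt -U client_name
```

    The check belongs on the Linux client, since the NT server has no
    way to tell a well-behaved smbfs client from the broken one until
    the crash has already happened.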

    NT 3.51 appears to be immune - the broken samba mount can't mount
    it at all.