Slashdot Mirror


File and Printer Sharing Insecure in XP SP2

ProKras writes "German magazine PC-Welt has discovered a major security flaw in Windows XP SP2 when installing over SP1. The article says that 'with a certain configuration, your file and printer sharing data are visible worldwide, despite an activated Firewall.' The magazine claims they were 'able to discover private documents on easily accessible computers on the Internet' and that the configuration is fairly common."

19 of 368 comments

  1. NAT for the masses by alatesystems · Score: 4, Informative

    Please PLEASE if you have friends, family, or loved ones that are not behind a NAT router/box, please install one for them.

    Not just for flaws like this, but for windows problems in general and basically so you don't have to worry about the win32 machines BEHIND the nat before you worry about the nat box itself.

    Hint: ICS doesn't count as NAT IMHO.

    Chris

    1. Re:NAT for the masses by LincolnQ · Score: 3, Informative

      I just got to college a couple weeks ago.

      The school hands out external IPs to everyone! It's ridiculous. All these folks who drag their Windows laptops from home where they had a wireless router/NAT are now exposed on the open Internet.

      The school tells them to patch, but it's too late -- the half-life of an unpatched Windows box on the open 'net is about six minutes.

      Now, I brought two computers, Linux and Mac OS X, and I _STILL_ NAT them for security! (There are enough ports in my dorm room so that I wouldn't need to, but I do.)

      I'm pretty much the only one who wants or needs an external IP. I serve web, ssh, and files. So I'm really happy. But all the Windows boxes on the network are crying.

  2. Article is confusing (due to translation?) by doorbot.com · Score: 5, Informative

    If I'm understanding it correctly, using the "Subnet" scope for your dialup connections actually allows access from the entire Internet. The article seems to argue that this "bug" is due to Windows ignoring certain settings when it deals with dialup connections. It doesn't say if the firewall code is flawed (and thus not properly calculating the "subnet" scope), or if there is some other DUN code which is overriding the firewall settings.

    1. Re:Article is confusing (due to translation?) by globalar · Score: 2, Informative

      It's not clear. RTFA though, so here is what I gather.

      According to the article...

      Each network connection has its own configuration settings. Regardless of the settings in this dialogue window, if file/print sharing is enabled (this is an internal Windows service, which can potentially use any network connection), then it is enabled by default on all active network connections. There are some conditions to this, actually.

      The article does say this applies to all network connections (dialup, DSL, etc.), but it confuses the issue:

      "The PC only has to provide sharing for an internal local network and connect to the Internet via dial-up or ISDN. Users of DSL services are also affected.... Additionally, Internet Connection Sharing of the PC has to be disabled."

      So ICS cannot be running, but the machine has to be serving as a network gateway? All I can gather is that there must be two (or more) network interfaces (I assume active), one of which must be on a local subnet. The firewall is default on both connections in SP2, but file/print sharing is also default on both as long as it was enabled on one in a previous configuration.

      A further problem the article mentions is that when ICS is running, the button to specify sharing on only the local subnet in the Windows firewall configuration works. When ICS is deactivated, this configuration change does not work and manual changes have to be made.

      The firewall is passive in this process - that is it applies local configuration as default for all interfaces.

      (Again, this is what the article says in so many words...)

  3. This is just pure BS by Anonymous Coward · Score: 3, Informative

    I work at an OEM making bespoke Video Editing systems under XP. We are installing XP SP2 on all of our machines currently - these are machines that need VERY high performance in terms of both IO and actual OS-level resources.

    Service Pack 2 has a couple of irritations, and does seem to make things a tad slower on a couple of configurations, but this is just pure BS - I have not seen a single instance where it has enabled File & Print Sharing as default on a Dial-up connection - or even where it has had those ports unblocked in the (rudimentary) firewall as default.

    Every one of our machines is different, I have NEVER encountered this problem on any of them.

    If you're stupid enough to tick a box in the Network Connections settings and you have no idea what it does, then you deserve to be 0wned!

  4. Pure FUD. It's not even good FUD. by Anonymous Coward · Score: 5, Informative

    > A number of test scans run by PC-Welt revealed that this in fact is a common configuration and not a rare sight.

    How many were XP SP2? We all know that many misconfigured 95/98 systems exist. These systems have been probed for over half a decade. Nothing is new.

    > It must be assumed that these users wrongly believe they are safe and that their sharing configurations are only visible in their network at home: Often, we did not even encounter password protection.

    Misleading statement. Windows XP does not allow accounts with no password to be used with File and Printer Sharing.

    > Due to the bug carried over from SP1 as well as a new bug, the firewall configuration with SP2 has a catastrophic effect. The SP2 installation simply uses the previous configuration of the firewall: If it was active for the dial-up connection, now it also has been activated for the network adapter. At the same time, an exception is determined for file and printer sharing: For the internal network card - and astonishingly also for all adapters.

    The default configuration does have an exception for File and Printer Sharing. However, the exception only covers the user's private home network; the internet will not have access to F&P Sharing.

    > With the first use of the dial-up connection after installing SP2, all of your shared data are available on the Internet. Now, other users can start guessing your passwords for administrator and guest and you basically are no more secure than the first Windows 95 users with an Internet connection - thanks to Service Pack 2.

    The sentence order is wrong. "All of your shared data" are not available on the internet. The password would first have to be guessed, which is resilient to attacks due to the lockout policy for entering too many invalid passwords.

    > After these measures, you can be sure to be as safe as you were with SP1. Great, don't you think?

    It wasn't broken in the first place, idiot. This article is embarrassing for even the zealous MS basher.
  5. Re:Cue Mortal Kombat voice over by loqi · Score: 2, Informative

    Actually, it was from Killer Instinct (which also predated Q3A).

    --
    If other reasons we do lack, we swear no one will die when we attack
  6. Alternate suggestion by Anonymous Coward · Score: 1, Informative

    Get them a mac.

    Windows is the only OS in the world where an external NAT device is a "necessity".

  7. Re:Firewalls don't belong on the desktop anyway. by NutscrapeSucks · Score: 2, Informative

    It's also worth noting that most US broadband ISPs block all Windows Filesharing traffic -- otherwise your network neighborhood becomes your real neighborhood. So this "issue" isn't likely to affect many users.

    --
    Whenever I hear the word 'Innovation', I reach for my pistol.
  8. Re:Gives new meaning by potnoodle · Score: 1, Informative

    me say "expression" not "band name" you speak english, yes ?

  9. Re:Windows by Wumpus · Score: 2, Informative

    I've seen this exact same post elsewhere. Is this the new "BSD is dying" troll?

    Moderators - read this carefully. It doesn't make any sense.

  10. Re:I'm shocked! by Anonymous Coward · Score: 1, Informative

    > My suspicion is that the "bug" is that while the XP SP2 firewall closes File&Print sharing on public IP addresses, there are several ISPs out there that give internet-connected computers private network (10.x.x.x) IP addresses.

    XP SP2 opens certain services, such as file and print sharing, to the local subnet. The local subnet is defined by the IP address and subnet mask assigned to the computer. It is not determined by whether the IP address is public or not.
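The scope rule the reply above describes, worked through as an added example (this is not code from the thread or from Microsoft; the adapters, masks and probe addresses are constructed for illustration, and the rule modelled is only the one stated in the comment: a subnet-scoped exception admits sources inside the network formed by the adapter's own address and mask). It shows why an ISP-assigned 10.x.x.x address with a wide mask is the worst case: the firewall treats the ISP's whole customer block as "local".

```python
# Added example, not from the Slashdot thread or from Microsoft. Models the
# "local subnet" scope exactly as the reply states it: a source is "local" to an
# adapter iff it falls inside ip_address/netmask as assigned to that adapter.
import ipaddress
from dataclasses import dataclass
from typing import Dict, Iterable, List


@dataclass(frozen=True)
class Adapter:
    name: str
    address: str  # address assigned to this adapter (DHCP, PPP, static)
    netmask: str  # mask that came with it


def local_subnet(adapter: Adapter) -> ipaddress.IPv4Network:
    """The block a subnet-scoped exception admits on this adapter: address/mask, nothing else."""
    return ipaddress.ip_network(f"{adapter.address}/{adapter.netmask}", strict=False)


def subnet_scope_allows(adapter: Adapter, peer: str) -> bool:
    """True if a packet from `peer` arriving on `adapter` passes a subnet-scoped exception."""
    return ipaddress.ip_address(peer) in local_subnet(adapter)


def exposure_report(adapters: Iterable[Adapter], probes: Iterable[str]) -> Dict[str, dict]:
    """Per adapter: how many addresses the scope counts as 'local', and which probes get in."""
    probes = list(probes)
    report = {}
    for a in adapters:
        net = local_subnet(a)
        report[a.name] = {
            "local_addresses": net.num_addresses,
            "admitted": [p for p in probes if subnet_scope_allows(a, p)],
        }
    return report


# Constructed adapters (hypothetical addresses and masks):
ADAPTERS: List[Adapter] = [
    # the case the scope was designed for: a home LAN behind a router
    Adapter("home LAN", "192.168.0.10", "255.255.255.0"),
    # an ISP handing out RFC 1918 space with a /8 mask (assumed mask, for illustration)
    Adapter("cable modem", "10.23.4.5", "255.0.0.0"),
    # a PPP dial-up link: host mask, so only the host itself is "local"
    Adapter("dial-up PPP", "198.51.100.7", "255.255.255.255"),
]
# Constructed probe sources: a LAN neighbour, another ISP customer, and a random Internet host.
PROBES: List[str] = ["192.168.0.44", "10.200.1.1", "203.0.113.9"]

if __name__ == "__main__":
    for name, r in exposure_report(ADAPTERS, PROBES).items():
        print(f"{name:12s} local_addresses={r['local_addresses']:>9}  admitted={r['admitted']}")
```

On the cable-modem adapter the "local subnet" is 16,777,216 addresses, so another customer at 10.200.1.1 reaches the file-sharing exception just as a LAN neighbour would, while the random Internet host is refused on every adapter. The practical check is therefore not "is my address public" but "what mask did the connection receive, and who else sits inside it".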

  11. Re:I'm shocked! Win 2000 also? by Anonymous Coward · Score: 5, Informative

    > you can't see them, but they exist

    Sure you can see them.

    # smbclient -I [IP Address] -L //random_name
    Password: [Enter]

    It will list the computer's name as:
    Domain=[COMPUTERNAME] OS=[Windows 5.1] Server=[Windows 2000 LAN Manager]

    Then use:
    # smbclient -I [IP] -L //COMPUTERNAME -U Administrator
    Password: [Enter]

    And it'll list all the shares including IPC$, C$, D$, etc.

    Now just mount whatever you want. Or connect to a printer and use 'print <filename>' to print a file from your local drive on their printer. Use 'queue' to make sure it printed. It may be off or out of paper or whatever. Happy hunting. :)
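The two smbclient steps above, scripted over a list of hosts and with the share table parsed instead of read by eye. This is an added example, not the commenter's code: the sample output is constructed in the classic `smbclient -L` layout (the banner line is the one the comment quotes), the `--option=client min protocol=NT1` flag is an assumption about modern Samba clients, which refuse SMB1 by default and would otherwise never talk to an XP-era box, and `-N` stands in for pressing Enter at the password prompt.

```python
# Added example, not the commenter's code. Wraps the two smbclient invocations
# from the comment, parses the share table, and keeps the live call out of the
# way so the parser can be exercised on constructed output offline.
import re
import subprocess
from typing import List, Optional, Tuple

# Constructed sample of `smbclient -L` output (classic layout; columns are
# tab-indented and aligned under the header, share names may contain spaces).
SAMPLE_OUTPUT = """Domain=[WORKPC] OS=[Windows 5.1] Server=[Windows 2000 LAN Manager]

\tSharename       Type      Comment
\t---------       ----      -------
\tIPC$            IPC       Remote IPC
\tC$              Disk      Default share
\tprint$          Disk      Printer Drivers
\tHP LaserJet 4   Printer   HP LaserJet 4
\tFamily Photos   Disk
"""

BANNER_RE = re.compile(
    r"Domain=\[(?P<domain>[^\]]*)\] OS=\[(?P<os>[^\]]*)\] Server=\[(?P<server>[^\]]*)\]"
)


def parse_banner(output: str) -> Optional[dict]:
    """The Domain/OS/Server line: 'Windows 5.1' is XP, whatever the Server string says."""
    m = BANNER_RE.search(output)
    return m.groupdict() if m else None


def parse_share_list(output: str) -> List[Tuple[str, str, str]]:
    """Return (name, type, comment) per row of the Sharename table.
    Columns are cut at the header's offsets, not on whitespace, because
    share names such as 'HP LaserJet 4' contain spaces."""
    lines = output.splitlines()
    shares: List[Tuple[str, str, str]] = []
    for i, line in enumerate(lines):
        if "Sharename" in line and "Type" in line and "Comment" in line:
            type_col = line.index("Type")
            comment_col = line.index("Comment")
            for row in lines[i + 2:]:  # i+1 is the dashed underline
                if not row.strip():
                    break  # a blank line ends the table
                name = row[:type_col].strip()
                stype = row[type_col:comment_col].strip()
                comment = row[comment_col:].strip()
                shares.append((name, stype, comment))
            break
    return shares


def interesting(shares: List[Tuple[str, str, str]]) -> List[Tuple[str, str, str]]:
    """Everything but the IPC$ pipe: disk shares (documents) and printers (paper and ink)."""
    return [s for s in shares if s[1] != "IPC"]


def enumerate_shares(host: str, user: Optional[str] = None, timeout: int = 15) -> str:
    """Run smbclient non-interactively and return its stdout.
    -N suppresses the password prompt (empty password), i.e. the comment's [Enter].
    The min-protocol option is an assumption about modern Samba clients; an
    old client that still speaks SMB1 by default does not need it."""
    cmd = ["smbclient", "-L", host, "-N", "--option=client min protocol=NT1"]
    if user:
        cmd += ["-U", user]
    proc = subprocess.run(cmd, capture_output=True, text=True, timeout=timeout)
    return proc.stdout


if __name__ == "__main__":
    import sys

    for target in sys.argv[1:]:
        out = enumerate_shares(target)  # anonymous first, as in the comment
        if not parse_share_list(out):
            out = enumerate_shares(target, "Administrator")  # then Administrator with an empty password
        print(target, parse_banner(out), interesting(parse_share_list(out)))
```

Usage: `python3 enum_shares.py 192.0.2.10 192.0.2.11`. The script tries exactly the two logins the comment does and nothing more: as the later replies note, an empty Administrator password is often really a guest logon, and anything beyond that runs into the lockout policy, so this is a visibility check for hosts you are responsible for, not a password guesser.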

  12. Re:This isn't a bug... by crywolf · Score: 2, Informative

    I can't find a reference, but I've heard about a school which, despite its best efforts, was hosting a MUD on one or more of its laserjets. The best efforts of the administration, of course. Needless to say, the best efforts of the students running the MUD were better.

    --
    CAUTION: Product may be hot after heating
  13. Re:I'm shocked! by Anonymous Coward · Score: 1, Informative

    People laugh at the argument that paper and ink cost money but consider this... I have an Epson 9600 wide format (50") printer hooked up with ultrachrome inks and frequently have canvas in there. If some well intentioned person prints a warning on it, depending on how I have my RIP set, it could print out a few feet across. That would cost me 20 bucks or more. That would really suck. I know that if I have the connection open it would be better than a hacker printing my whole $300 roll of canvas but still, it may not be such a great idea to just start printing warnings on everyone's printers.

  14. Re:I'm shocked! Win 2000 also? by Curtman · Score: 3, Informative

    That is presuming there is an administrator password, and the guest account is disabled. It seems XP also just authenticates you as a guest if you press enter for the Administrator password.

  15. Re:hmm... by fymidos · Score: 2, Informative

    > With a certain configuration, ssh is accessible
    > from outside, even with a firewall.

    indeed, but only if the firewall is not configured to block ssh.

    This is quite different: it's like an ssh server *not accessible from outside* that magically becomes accessible from outside after a kernel update. It's not overzealous, it's a configuration problem that is encountered when you upgrade to SP2.
    Yes, it's not an exploit. It's just configuration, but still an SP2 problem.

    --
    Washington bullets will simply be known as the "Bulle
  16. Re:I'm shocked! by KarmaMB84 · Score: 2, Informative

    Illegal trespass is illegal trespass. Various people have in fact gone to court and lost for "informing people of their systems' vulnerabilities."

  17. Re:I'm shocked! Win 2000 also? by ozric99 · Score: 2, Informative

    The guest account is disabled by default.