File and Printer Sharing Insecure in XP SP2

ProKras writes "German magazine PC-Welt has discovered a major security flaw in Windows XP SP2 when installing over SP1. The article says that 'with a certain configuration, your file and printer sharing data are visible worldwide, despite an activated Firewall.' The magazine claims they were 'able to discover private documents on easily accessible computers on the Internet' and that the configuration is fairly common."

NAT for the masses

[alatesystems]

Please PLEASE if you have friends, family, or loved ones that are not behind a NAT router/box, please install one for them.

Not just for flaws like this, but for windows problems in general and basically so you don't have to worry about the win32 machines BEHIND the nat before you worry about the nat box itself.

Hint: ICS doesn't count as NAT IMHO.

Chris

Re:NAT for the masses

[LincolnQ]

I just got to college a couple weeks ago.

The school hands out external IP's to everyone! It's ridiculous. All these folks who drag their Windows laptops from home where they had a wireless router/NAT are now exposed on the open Internet.

The school tells them to patch, but it's too late -- the half-life of an unpatched Windows box on the open 'net is about six minutes.

Now, I brought two computers, Linux and Mac OS X, and I _STILL_ NAT them for security! (There are enough ports in my dorm room so that I wouldn't need to, but I do.)

I'm pretty much the only one who wants or needs an external IP. I serve web, ssh, and files. So I'm really happy. But all the Windows boxes on the network are crying.

Article is confusing (due to translation?)

[doorbot.com]

If I'm understanding it correctly, using the "Subnet" scope for your dialup connections actually allows access from the entire Internet. The article seems to argue that this "bug" is due to Windows ignoring certain settings when it deals with dialup connections. It doesn't say if the firewall code is flawed (and thus not properly calculating the "subnet" scope), or if there is some other DUN code which is overriding the firewall settings.

This is just pure BS

I work at an OEM making bespoke Video Editing systems under XP. We are installing XP SP2 on all of our machines currently - these are machines that need VERY high performance in terms of both IO and actual OS-level resources.

Service Pack 2 has a couple of irritations, and does seem to make things a tad slower on a couple of configurations, but this is just pure BS - I have not seen a single instance where it has enable File & Print Sharing as default on a Dial-up connection - or even where it has had those ports unblocked in the (rudimentary) firewall as default.

Every one of our machines is different, I have NEVER encountered this problem on any of them.

If you're stupid enough to tick a box in the Network Connections settings and you have no idea what it does, then you deserve to be 0wned!

Pure FUD. It's not even good FUD.

A number of test scans run by PC-Welt revealed that this in fact is a common configuration and not a rare sight.

How many were XP SP2? We all know that many misconfigured 95/98 systems exist. These systems have been probed for over half a decade. Nothing is new.

It must be assumed, that these users wrongly believe they are safe and that their sharing configurations are only visible in their network at home: Often, we did not even encounter password protection.

Misleading statement. Windows XP does not allow accounts with no password to be used with File and Printer Sharing.

Due to the bug carried over from SP1 as well as a new bug, the firewall configuration with SP2 has a catastrophic effect. The SP2 installation simply uses the previous configuration of the firewall: If it was active for the dial-up connection, now it also has been activated for the network adapter. At the same time, an exception is determined for file and printer sharing: For the internal network card - and astonishingly also for all adapters.

The default configuration does have an exception for File and Printer Sharing. However, the exception only covers the user's private home network; the internet will not have access to F&P Sharing.

With the first use of the dial-up connection after installing SP2, all of your shared data are available on the Internet. Now, other users can start guessing your passwords for administrator and guest and you basically are no more secure than the first Windows 95 users with an Internet connection - thanks to Service Pack 2.

The sentence order is wrong. "All of your shared data" are not available on the internet. The password would first have to be guessed, which is resilient to attacks due to the lockout policy for entering too many invalid passwords.

After these measures, you can be sure to be as safe as you were with SP1. Great, don't you think?

It wasn't broken in the first place, idiot. This article is embarrassing for even the zealous MS basher.

Re:I'm shocked! Win 2000 also?

you can't see them, but they exist

Sure you can see them.

# smbclient -I [IP Address] -L //random_name
Password: [Enter]

It will list the computers name as:
Domain=[COMPUTERNAME] OS=[Windows 5.1] Server=[Windows 2000 LAN Manager]

Then use:
# smbclient -I [IP] -L //COMPUTERNAME -U Administrator
Password: [Enter]

And it'll list all the shares including IPC$, C$, D$, etc.

Now just mount whatever you want. Or connect to a printer and use 'print <filename>' to print a file from your local drive on their printer. Use 'queue' to make sure it printed. It may be off or out of paper or whatever. Happy hunting. :)

Re:I'm shocked! Win 2000 also?

[Curtman]

That is presuming there is an administrator password, and the guest account is disabled. It seems XP also just authenticates you as a guest if you press enter for the Administrator password.