File and Printer Sharing Insecure in XP SP2
ProKras writes "German magazine PC-Welt has discovered a major security flaw in Windows XP SP2 when installing over SP1. The article says that 'with a certain configuration, your file and printer sharing data are visible worldwide, despite an activated Firewall.' The magazine claims they were 'able to discover private documents on easily accessible computers on the Internet' and that the configuration is fairly common."
...wait, no I'm not.
Wow... MS now ADVERTISING XP as a secure computing system with SP2. Now you're fscked for sure!
||| I still can't believe Parkay's not butter.
It's a feature! Now you can share all your documents with the world! Think of it as having a server hooked to the internet! Don't have to buy expensive server software or set up very hard to figure out Apache web servers...just install SP2 and you're "online" in more ways than one!
Worry about your ISP not liking you operating a server? They (and you) don't even have to know!
It's a feature!
"Leo Fender was in a 'state of grace' when he designed the Stratocaster." -- Paul Reed Smith
Humiliation...
What he can't kill, he has sex on. Trent.
It seems that Slashdot is desperate to publish any story that is negative about SP2, despite coming from a dubious source with little to no detail on this "flaw". I have to say that it really seems to me that MS got it right this time.
Security over features and security over performance... isn't this exactly what we have been asking for? I mean, do you really care that the guy down the hall is running Powerpoint 9% slower?
Cause all I care about is that he is not hammering my webserver with the latest virus.
The Slashdot summary is a little mis-worded such that it'll cause some unneeded alarm.
If you configure File/Print sharing in the "wrong" way as the article talks about, it'll expose those services to the whole 'net even through the Windows Firewall. If there's firewall security installed anywhere else on the way to the Internet, such as at the edge router where firewalls really belong, Windows XP isn't so dumb as to pierce that level of security. Even a simple NAT is enough to be an effective blocker.
In other words... we're running into "That's not a bug, that's a feature!" territory. If you ask Windows to share your files and printers across an IP-based network, you should be sure that the network is separated by a real firewall from the rest of the Internet. Fail to do that, and you might as well expect this is going to happen.
I suppose there were a few people out there that were expecting it to be secure...what with MS spending over a year...(maybe longer?) in making SP2 while the world was screaming at it to fix its security holes.
And THIS is their response to that. This isn't funny, this isn't a "ha, told you so" kind of thing. This is something that pisses people off. People get fired for this kind of fuck up.
"Leo Fender was in a 'state of grace' when he designed the Stratocaster." -- Paul Reed Smith
Oh, so you can see docs and printers of an XP box? What good news, Sherlock; that's really a feature, not a "security bug". And I still wonder how on earth that "insecurity" didn't happen in my box when I upgraded from SP1 to SP2.
Just like the "XP SP2 Can Slow Down Business Apps" (read http://it.slashdot.org/comments.pl?sid=122264&cid=10284438 or http://it.slashdot.org/comments.pl?sid=122264&cid=10283379) and dozens of other news by MrTaco, etc.
But since a well-known and famous page like pcwelt.de (or something like that) says it, we must put it on Slashdot's front page without even checking if it's true!!
It doesn't seem to matter; all this can be pure FUD. It's Windows!!!!1
I can't tell slashdot editors what they have to put in their own page, but I'm not visiting slashdot anymore if this FUD continues. Sure windows sucks - what about putting news about how much it sucks instead of all this senseless FUD?
This service pack has been a complete failure. This is no longer about performance issues or installation issues.
This is a serious bug, and proof of what poor work Microsoft has done with the Service Pack.
I just remember how Microsoft executives stated (can't find the link, but read it here on Slashdot) a bug was never discovered that they didn't know about beforehand, and I wanna laugh.
Let's hope this gets some media attention and people start migrating to other OS's. I'm sure the boys at Redmond would do a better job if they thought their product is under serious threat, because this so far is a joke.
With a certain configuration, ssh is accessible from outside, even with a firewall. If the configuration includes passwordless root, well then, a Slashdot summary "ssh allows remote root access despite firewall" would be a tad overzealous, right? Unless the certain configuration is ever the default, this is just users not understanding what they are doing and mis-setting things. Not an MS problem; it's giving users a choice. It's just a very bad choice to make, but no different than, say, root telnet over wireless internet or something.
SAILING MISHAP
This site is getting worse by the day. I mean, come on.
Please PLEASE if you have friends, family, or loved ones that are not behind a NAT router/box, please install one for them.
Not just for flaws like this, but for windows problems in general and basically so you don't have to worry about the win32 machines BEHIND the nat before you worry about the nat box itself.
Hint: ICS doesn't count as NAT IMHO.
Chris
Most of these security issues are solved by simply having an inexpensive netgear or linksys router and up to date virus software. They are cheap and easy enough to use that they should be considered standard equipment on any home PC connecting to the internet.
"Nobody knows the age of the human race, but everybody agrees that it is old enough to know better." - Unknown
If I'm understanding it correctly, using the "Subnet" scope for your dialup connections actually allows access from the entire Internet. The article seems to argue that this "bug" is due to Windows ignoring certain settings when it deals with dialup connections. It doesn't say if the firewall code is flawed (and thus not properly calculating the "subnet" scope), or if there is some other DUN code which is overriding the firewall settings.
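The trap the comment above describes is that a firewall exception limited to the "subnet" scope is only as restrictive as the subnet the interface really sits on; a dial-up link carries a single public address with a /32 mask, so "subnet" describes no private LAN at all. The following audit is an added example, not code from the article, the thread or Windows: it models interfaces and exceptions as small records (the Interface and FirewallException classes, the point_to_point flag and the sample data are all constructed here) and flags every (interface, port) pair that would be reachable from outside an RFC 1918 LAN.

```python
"""Audit firewall exception scopes against the interfaces they apply to.
Added example; the record types, the point_to_point flag and the sample
data are constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass, field

# NetBIOS name/datagram/session services and SMB over TCP: the ports that
# File and Printer Sharing listens on.
FILE_PRINT_PORTS = {137, 138, 139, 445}

# Plain RFC 1918 + link-local + loopback test.  ipaddress.is_private also
# treats the documentation ranges (192.0.2/24, 198.51.100/24, 203.0.113/24)
# as non-public, which would hide the sample dial-up address below.
_LOCAL_NETS = [ipaddress.ip_network(n) for n in
               ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
                "169.254.0.0/16", "127.0.0.0/8")]


def is_local_address(address: str) -> bool:
    addr = ipaddress.ip_address(address)
    return any(addr in net for net in _LOCAL_NETS)


@dataclass
class Interface:
    name: str
    address: str
    netmask: str
    point_to_point: bool = False      # dial-up / PPP style link (constructed flag)


@dataclass
class FirewallException:
    port: int
    scope: str                        # "any", "subnet" or "custom"
    custom: list = field(default_factory=list)   # CIDRs, only for "custom"


def classify(exc: FirewallException, iface: Interface):
    """Return (verdict, reason) for one exception as seen from one interface."""
    public = not is_local_address(iface.address)
    if exc.scope == "custom":
        return "custom-list", "reachable only from " + ", ".join(exc.custom)
    if exc.scope == "any":
        if public:
            return "exposed", "scope 'any' on an interface with a public address"
        return "lan-only", "scope 'any', but the interface has an RFC 1918 address"
    if exc.scope == "subnet":
        net = ipaddress.ip_network(f"{iface.address}/{iface.netmask}", strict=False)
        if iface.point_to_point:
            return "exposed", (f"scope 'subnet' on a point-to-point link ({net}); "
                               "there is no private LAN behind it")
        if public:
            return "exposed", f"scope 'subnet' covers the public network {net}"
        return "lan-only", f"scope 'subnet' limited to {net}"
    raise ValueError(f"unknown scope {exc.scope!r}")


def audit(interfaces, exceptions):
    """Classify every (interface, exception) pair; one finding per pair."""
    findings = []
    for iface in interfaces:
        for exc in exceptions:
            verdict, reason = classify(exc, iface)
            findings.append({
                "interface": iface.name,
                "port": exc.port,
                "file_print_sharing": exc.port in FILE_PRINT_PORTS,
                "verdict": verdict,
                "reason": reason,
            })
    return findings


def exposed(findings):
    return [f for f in findings if f["verdict"] == "exposed"]


# Constructed sample: a home LAN NIC plus a dial-up link with a public
# address (203.0.113.45 is from the documentation range, used as a stand-in).
SAMPLE_INTERFACES = [
    Interface("Local Area Connection", "192.168.1.10", "255.255.255.0"),
    Interface("Dial-up Connection", "203.0.113.45", "255.255.255.255", point_to_point=True),
]
SAMPLE_EXCEPTIONS = [
    FirewallException(445, "subnet"),   # File and Printer Sharing, "My network (subnet) only"
    FirewallException(139, "subnet"),
    FirewallException(3389, "custom", ["192.168.1.0/24"]),
]


def run_sample():
    return audit(SAMPLE_INTERFACES, SAMPLE_EXCEPTIONS)


if __name__ == "__main__":
    for f in run_sample():
        print(f"{f['interface']:<24} tcp/{f['port']:<5} {f['verdict']:<12} {f['reason']}")
```

On the sample data the two "subnet"-scoped sharing ports are reported as lan-only on the Ethernet interface and as exposed on the dial-up link, which is exactly the split the comment is asking about; an upstream NAT or edge firewall, as other comments note, is what changes the dial-up verdict in practice.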
Backups are for wimps. Real men put their data on a WinXP internal share and have the rest of the world mirror it.
I work at an OEM making bespoke Video Editing systems under XP. We are installing XP SP2 on all of our machines currently - these are machines that need VERY high performance in terms of both IO and actual OS-level resources.
Service Pack 2 has a couple of irritations, and does seem to make things a tad slower on a couple of configurations, but this is just pure BS - I have not seen a single instance where it has enabled File & Print Sharing as default on a Dial-up connection - or even where it has had those ports unblocked in the (rudimentary) firewall as default.
Every one of our machines is different, I have NEVER encountered this problem on any of them.
If you're stupid enough to tick a box in the Network Connections settings and you have no idea what it does, then you deserve to be 0wned!
Duuuuh. 2 minutes of searching finds out that it's probably an RPC vulnerability scanner. Search a bit before starting to panic, please.
Link
...and send them goat.cx?
Stop the world; I need to get off.
both here and in the world.
The reason that this was done, likely, is because SP2 enables the firewall by default. So you don't want people calling asking why their file shares and printer shares don't work.
In addition to that, if it is a local network like that, they have a router in the first place; they are safe.
In addition to that... remember in windows XP unless you CREATE a share it is not going to be there (even though the file and printer sharing may be turned on).
In addition to THAT... winXP by default has guest turned off, so you would have to be an authenticated user to get access.
Someone is trying to be sensationalist and not thinking about things.
RoundTop
My roomie (who I hate) has a printer he was hiding that he's now all of a sudden sharing. 3 words: All. Black. Printjobs. I repeated those, uh, words, about a hundred times. Hilarity did -not- ensue. (Well, it did for me).
The fix is broken on computers that have already been compromised. Which is probably a fair number of them. This bothers me.
Think about it, for a moment. The firewall is blocking internally-generated connections. Which is fair enough. (Though silently dropping would likely have been safer.) However, to lock the machine up, the TCP stack has got to be taking the error as cause to retransmit the packet.
Why am I so certain that this is what's happening? Because Windows has had some degree of preemption for a while. It's not great, but it works. Sort-of. Lock-ups should be next to impossible on a totally pre-emptive OS, as the locked-up program would simply be interrupted. It'd slow the machine down, slightly, but it wouldn't be fatal.
What we're getting here, though, looks like something fouling up big-time in a non-blockable part of Windows. Odds are pretty good that it's the network code. My suspicion is that the TCP stack and firewall are in an unbreakable infinite loop, with the error generated by the firewall causing the TCP code to resend the packet, ad infinitum.
A lot of people have argued that Microsoft isn't to blame for other people's crappy code. Which is fair enough. But they are very much to blame for their own crappy code. If you're going to have non-blockable code (a VERY bad idea!) then you've got to be damn sure that there are no scenarios in which that code will put itself into a spin-dry cycle.
It seems as though Microsoft merely added firewall code, with absolutely no thought as to the possible impact it could have on the rest of Windows.
Further, if my suspicion is correct (and I'm pretty confident it is), then it should be possible to crash any Windows box remotely. Simply generate a packet that Windows cannot reply to. By forcing the TCP stack and the firewall to fight it out, you'd paralyze the machine.
The correct way to handle this kind of situation is to recognise when a connection is administratively prohibited or impossible, and to not keep retrying. You'd then escape out of the non-blockable code, and pre-emption would allow you to continue as normal.
If you want slightly "smarter" behaviour, then if a process repeatedly keeps retrying a connection or activity that is prohibited, every time it gets woken back up, it should drop in priority, be slept a reasonably long time (in the hope the problem can be cleared by then) or get kicked off the system. ("Three strikes and you're out." logic.)
It should absolutely not be possible for any user process, no matter how badly written, to create a situation in which an uninterruptable infinite loop can develop. Either there needs to be some mechanism to interrupt any loop that might be infinite, OR there needs to be a mechanism for recognising when a loop is running unacceptably long.
It's no use Microsoft whining that customers should clean their computers first. That would be like McAfee arguing that you should clean your computer of viruses before running their software. And how are you supposed to do that, if you've no software installed for detecting and/or cleaning the damn things in the first place?
The only way you can know (for certain) that there's nothing trying to access an unauthorised port is by blocking the ports and seeing what happens when you try to use the computer as normal. And the only way you can then do anything about it is if the computer can cope with that situation in a controlled manner.
bw
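The comment above proposes two rules for a sender that cannot hang the machine: an administratively prohibited result is final and must not be retransmitted, and anything else is retried only under a strike limit with a growing sleep. The block below is an added example of such a policy, not code from the thread or from Windows; AdminProhibited, Transient, send_with_policy and the stub senders are constructed for illustration, and the `sleep` parameter exists so the back-off can be checked without real waiting.

```python
"""Bounded retry policy: never retransmit a prohibited send, and cap the
number of transient retries.  Added example with constructed types.
"""
import time
from enum import Enum


class Outcome(Enum):
    SENT = "sent"
    PROHIBITED = "prohibited"   # stopped immediately, no retry
    GAVE_UP = "gave-up"         # strike limit reached


class AdminProhibited(Exception):
    """The packet was rejected by policy; resending cannot succeed."""


class Transient(Exception):
    """Timeout or drop; resending might succeed."""


def send_with_policy(attempt_send, max_strikes=3, base_delay=0.5, sleep=None):
    """Run attempt_send() under a bounded retry policy.

    Returns (outcome, strikes, delays); delays records each back-off sleep
    so the behaviour can be verified.  `sleep` defaults to time.sleep.
    """
    sleep = sleep or time.sleep
    strikes = 0
    delay = base_delay
    delays = []
    while True:
        try:
            attempt_send()
            return Outcome.SENT, strikes, delays
        except AdminProhibited:
            # "Three strikes" does not even start: a prohibited connection
            # is not a reason to retransmit, so leave the loop at once.
            return Outcome.PROHIBITED, strikes, delays
        except Transient:
            strikes += 1
            if strikes >= max_strikes:
                return Outcome.GAVE_UP, strikes, delays
            delays.append(delay)
            sleep(delay)
            delay *= 2      # exponential back-off before the next attempt


# Constructed stub senders standing in for a real TCP send.
def prohibited_sender():
    raise AdminProhibited("destination administratively prohibited")


def make_flaky_sender(failures):
    """Fail `failures` times with a transient error, then succeed."""
    state = {"calls": 0}

    def send():
        state["calls"] += 1
        if state["calls"] <= failures:
            raise Transient("timeout")
    send.state = state
    return send


def demo():
    no_wait = lambda _delay: None
    return {
        "prohibited": send_with_policy(prohibited_sender, sleep=no_wait),
        "flaky_once": send_with_policy(make_flaky_sender(1), sleep=no_wait),
        "always_down": send_with_policy(make_flaky_sender(10 ** 6), sleep=no_wait),
    }


if __name__ == "__main__":
    for name, (outcome, strikes, delays) in demo().items():
        print(f"{name:<12} {outcome.value:<11} strikes={strikes} delays={delays}")
```

The point is that every path out of the loop is bounded: a prohibited result returns on the first attempt, and a sender that never recovers is abandoned after `max_strikes` attempts rather than spinning.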
I just can't wait to see the **AA go up against M$ over this.
Does this mean that they won't use Microsoft DRM anymore?
"It's the height of ridiculousness to say for those 9 lines you get hundreds of millions."
But why?
You are not the customer.
MS has been so busy smearing Linux they forgot item 2 of their Security Vision!
Or more probably they consciously decided that FUD was of utmost importance.
MS is just digging their own grave with their ulterior motives.
I do a fair share of programming so I can understand some glitches here and there but this one is an enormously major fuckup.
Don't they friggin' test their software? What the hell?
This could easily have been prevented if they had just 1 halfway knowledgeable employee trying to break their own security before release!
Now that every (only XP users) PC has a firewall (unless they turned it off), they won't have to spend so much time on making their apps secure!
It's just gunna get worse.
To make laws that man cannot, and will not obey, serves to bring all law into contempt. --E.C. Stanton
Microsoft goes on a bit about how much better their commercial software is because they have commercial code reviewers to catch this kind of thing, i.e. people who have a job to do and are getting paid to do it must be doing a better job than the great unwashed masses.
Microsoft tells us they do these kinds of things better, but the reality of the situation is that fixing security issues requires a group of people who know what they're doing, and honestly, I don't think Microsoft has a whole lot of those people.
--- It is not the things we do which we regret the most, but the things which we don't do.
you can't see them, but they exist
//random_name
//COMPUTERNAME -U Administrator
:)
Sure you can see them.
# smbclient -I [IP Address] -L
Password: [Enter]
It will list the computers name as:
Domain=[COMPUTERNAME] OS=[Windows 5.1] Server=[Windows 2000 LAN Manager]
Then use:
# smbclient -I [IP] -L
Password: [Enter]
And it'll list all the shares including IPC$, C$, D$, etc.
Now just mount whatever you want. Or connect to a printer and use 'print <filename>' to print a file from your local drive on their printer. Use 'queue' to make sure it printed. It may be off or out of paper or whatever. Happy hunting.
These computing resources were being placed in the public domain. It's like finding a laser printer lying on the sidewalk and printing something on it.
By leveraging innovative technologies, content providers streamline compelling enterprise solutions.
Alternatively, http://www.malfunction.org/fulifier/nph-fulify.cgi?URL=http%3A%2F%2Fit.slashdot.org%2Farticle.pl%3Fsid%3D04%2F09%2F18%2F2143242%26tid%3D128%26tid%3D201%26tid%3D1
That is presuming there is an administrator password, and the guest account is disabled. It seems XP also just authenticates you as a guest if you press enter for the Administrator password.
That's why I close all my letters I print on other people's computers with:
Hugs and Kisses, Bill Gates
"There is more worth loving than we have strength to love." - Brian Jay Stanley
People really shouldn't rely on the built-in WinXP firewall for protection.
It might be alright for compartmentalization--keeping boxes on a LAN safe from each other. But I sure wouldn't want to put a machine on the internet with just the WinXP firewall between it and the Big Network.
Sygate is easy to use, informative, and more secure than the built-in firewall. Hardware firewalls/routers/NAT-gizmos are cheap and for the most part will keep Joe Sixpack safe* while letting him do what he wants to do with no fuss.
Ideally each machine on a lan has its own software firewall, and then the lan has its own gateway/firewall--either a NAT-in-a-box or a Linux machine. Even in that situation I wouldn't trust Microsoft for the software firewall, mainly because it'll probably get in the way and I can't fine-tune it.
But anyone who puts a WinXP machine on the net with nothing but the built-in firewall is asking for trouble.
*wlan security aside, but that's a whole separate issue--and another argument for software firewalls on every machine.
Funny thing about that administrator password. As I pointed out in my post later in the comments: I work for one of the BIG OEM companies and I can say with all certainty... we don't put Administrator passwords on the computers when they ship. Furthermore, we WILL NOT assist in adding/removing/modifying any settings of the sort for less than $2.95 per minute. It's not covered in our scope of support. I guess our bosses figure if you're going to use the technology you should at least know something about it. Oh, don't forget the fact that the suits that run the place don't even know how the stuff works. When our tech call center came down with Blaster I was recruited to assist with the removal. With the current admin being clueless, guess who had to plan the whole thing out. The first thing I did was scan for systems that had the symptoms (this was before we knew what it was) and I was amused to find out just how insecure our network is. Do you know what kind of information we collect and warehouse every day? Scary. BTW, after helping disinfect about 500 systems and saving the company millions of bucks, they were nice enough to label me a security risk and put me on a watch list. Just goes to show, the companies that make the stuff don't know anything about it.
ThisIDalreadyInUse
Is it any wonder that when I got a free XP Service Pack 2 cd from school this is what became of it? Before After
...you hate SP2. You hate Windows XP.
Do we need an SP2 article every single day? More Linux news, please!
Second this. Seriously, people complain about MS running FUD campaigns. Know what? Their complaints are legitimate. That's why a lot of people in the know don't like Microsoft much.
.NET is useful, but implement things like inferred static types with ranges used to help detect buffer overruns. Lots of code (most code being run out there) is in C or C++ and will be for a long time to come. I know you hire a ton of people to MS Research from Carnegie Mellon each year, and I know that there are a ton of good language design people at Carnegie Mellon. Use said people.
The solution is to continue to provide better information than Microsoft does, not to do the same damn thing about some stupid Microsoft service pack (which, FWIW, I'd say is the most security-oriented and Slashdotter-happiness-inducing patch Microsoft has come out with in years, beating many Linux distributions to noexec stack protection). FUD bites people on their own asses.
The Slashdot furor over SP2 is absolutely *absurd*. Security? Consider the fact that 95/98 allowed a remote user to extract and print out users' share passwords remotely from anywhere on the Internet in a few seconds using a Wargames-style algorithm (linear time in length of password), just with a few lines of C code added to smbclient. Consider the fact that Windows NT 4, by default, came with a default account (Administrator) with no password, with all drives shared to that account in "hidden" shares that were only hidden because of a client convention not to display shares, and automatically re-enabled said administrative shares at reboot if a user tried disabling them. File sharing problems? Man, nothing Microsoft can *possibly* do will ever come close to the security blunders of their past. Microsoft is getting better. They've got a long way to go -- they don't have a native sandboxing mechanism (a la chroot jails), they have problems with their GUI-oriented API (see "Shatter" style attacks), they have charming comments in the MSDN API documentation like (extracted from memory from one particularly egregious CAPI call) "This parameter should never be used due to security problems. Some developers may wish to use this parameter to provide compatibility with Microsoft cryptographic service providers."
Microsoft, you want real credibility, the ability to sell coders that you've got some real things going over Linux? Do the following:
* Provide sandboxing functionality. You just purchased Virtual PC, yes, but I'm talking about OS-level sandboxing, not the slow and less functional hardware-level sandboxing. Let me run IIS in an isolated sandbox, where nothing gets out. Enforce this with the OS, not with application conventions.
* You provide the overwhelmingly dominant compiler for your platform. Yes,
* Do not run your RPC/filesharing/printsharing system by default. It's been the source of God knows how many security problems. Yes, I'm sure that you have lots of long-time Microsofties that are thrilled with it. This isn't 1985 any more, and machines are on networks and often poorly administered. A vanilla box shouldn't have a single packet passing up past the level of the TCP stack. There should be no listening ports in a default Windows install. That means that (a) you don't have to worry about pissing off sysadmins after you blame *them* for not firewalling your broken software that runs out of box and (b) you don't have to worry nearly as much about disastrous, media-worthy waves of worms.
* Start an application-level security certification program for certain basic characteristics -- like being able to install and run an application without having administrative rights.
* You *still* don't use key or cert caching with your SMB/CIFS system. This should be a default. When I connect to a server with openssh on my Linux box, that server's key gets *cached*, and if a man-in-the-middle attack is later attempted, I get a warning that the key has changed and that a man-in-the-middle
May we never see th
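The key-caching behaviour the comment wishes SMB/CIFS had, trust-on-first-use in the style of OpenSSH's known_hosts, is shown below as an added example; it is not code from the thread, from OpenSSH or from any SMB implementation. The KeyCache class, the fingerprint format and the sample keys are constructed for illustration: the first key seen for a server is remembered, and a later connection that presents a different key is reported as "changed" without overwriting the cache, so the client can refuse it and leave the decision to an operator.

```python
"""Trust-on-first-use server key cache with change detection.
Added example; KeyCache and the sample keys are constructed.
"""
import base64
import hashlib
import json
from pathlib import Path


def fingerprint(public_key: bytes) -> str:
    """SHA-256 fingerprint, base64 without padding (OpenSSH-style display)."""
    digest = hashlib.sha256(public_key).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


class KeyCache:
    """Remember the first key seen for each server and flag later changes."""

    def __init__(self, path=None):
        # Optional JSON file so the cache survives across runs; in-memory otherwise.
        self.path = Path(path) if path else None
        self.known = {}
        if self.path and self.path.exists():
            self.known = json.loads(self.path.read_text())

    def check(self, server: str, public_key: bytes) -> str:
        """Return 'new', 'ok' or 'changed'.

        'changed' means the cached fingerprint differs from the presented
        key.  The cache is left untouched so the connection can be refused
        and an operator can decide whether the change is legitimate.
        """
        fp = fingerprint(public_key)
        cached = self.known.get(server)
        if cached is None:
            self.known[server] = fp     # first contact: trust and record
            self._save()
            return "new"
        return "ok" if cached == fp else "changed"

    def forget(self, server: str):
        """Operator-confirmed rekey: drop the old entry so the next contact is 'new'."""
        self.known.pop(server, None)
        self._save()

    def _save(self):
        if self.path:
            self.path.write_text(json.dumps(self.known, indent=1))


# Constructed sample keys; real deployments would use the server's actual
# public key bytes from the protocol handshake.
SERVER_KEY = b"-- sample server public key A --"
IMPOSTOR_KEY = b"-- a different key presented later --"


def demo():
    cache = KeyCache()
    return [
        cache.check("fileserver", SERVER_KEY),     # first contact: cached
        cache.check("fileserver", SERVER_KEY),     # same key: fine
        cache.check("fileserver", IMPOSTOR_KEY),   # different key: warn, keep old entry
        cache.check("fileserver", SERVER_KEY),     # original still the trusted one
    ]


if __name__ == "__main__":
    print(demo())
```

The cache only establishes continuity, not identity: a key presented on first contact is trusted as-is, which is the same trade-off known_hosts makes, and the `forget` step is the explicit, operator-driven path for a legitimate rekey.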
Imagine having the printer print out that it requires repairing and to ring a number which you have to pay $1 a second (or whatever).
The guest account is disabled by default.
What hack job? This article was about a bug in Windows which might cause a directory or printer to be made shared with the whole world. How is connecting to an open share a "hack" in any meaning of the word?
No. It's the old "she uploaded naughty pictures of herself into a porn website and is now accusing me of looking at them?!?" defense.
This isn't about a bug that allows anyone to break into anyone else's computer. This is about a bug that makes said computers make some resources available to anyone, using a standard resource-sharing protocol. To continue these analogies, it's like you accidentally spread your belongings to your front lawn, and posted a sign saying "take what you want". Sure, you didn't really mean it, but how is anyone else supposed to know that?
Yes, I think this would indeed be a solid defense in front of a judge.
BTW. It takes a pretty sick mind to liken getting your printer hijacked to being raped.
Forget magic. Any technology distinguishable from divine power is insufficiently advanced.