File and Printer Sharing Insecure in XP SP2

ProKras writes "German magazine PC-Welt has discovered a major security flaw in Windows XP SP2 when installing over SP1. The article says that 'with a certain configuration, your file and printer sharing data are visible worldwide, despite an activated Firewall.' The magazine claims they were 'able to discover private documents on easily accessible computers on the Internet' and that the configuration is fairly common."

I'm shocked!

[hlygrail]

...wait, no I'm not.

Re:I'm shocked!

[Curtman]

I thought this was already common knowledge. Grab a copy of any P2P software and spend a few minutes port scanning clients you see in it. I spent an afternoon printing warnings on people's printers, with instructions on how to disable file & print sharing. Its quite an amazing thing to witness. About half of them are wide open, and don't require any password to mount the C drive or print documents. smbclient is a really fun utility. :)

Re:I'm shocked!

I spent an afternoon printing warnings on people's printers

As well intentioned as you were, you shouldn't do such things. It's likely against your ISP's usage policy, generally considered unethical, and potentially against the law depending on where you live.

Re:I'm shocked!

[KarmaMB84]

Printer ink and paper cost money.

Re:I'm shocked!

[Curtman]

So does bandwidth consumed by infected zombie computers relaying spam.

This isn't a bug...

[sgant]

It's a feature! Now you can share all your documents with the world! Think of it as having a server hooked to the internet! Don't have to buy expensive server software or set up very hard to figure out Apache web servers...just install SP2 and you're "online" in more ways than one!

Worry about your ISP not liking you operating a server? They (and you) don't even have to know!

It's a feature!

Re:This isn't a bug...

[AndroidCat]

With printer sharing, the world can share its documents with you! (I'm sure the spammers will find this useful.)

hmm...

[focitrixilous+P]

with a certain configuration, your file and printer sharing data are visible worldwide, despite an activated Firewall.

With a certain configuration, ssh is accessable from outside, even with a firewall. if the configuration includes passwordless root, well then, a slashdot summary "ssh allows remote root access despite firewall" would be a tad overzealous, right? Unless the certain configuration is ever the default, this is just users not understanding what they are doing and missetting things. Not a MS problem, it's giving users a choice. It's just a very bad choice to make, but no different than, say, root telnet over wireless internet or something.

Article is confusing (due to translation?)

[doorbot.com]

If I'm understanding it correctly, using the "Subnet" scope for your dialup connections actually allows access from the entire Internet. The article seems to argue that this "bug" is due to Windows ignoring certain settings when it deals with dialup connections. It doesn't say if the firewall code is flawed (and thus not properly calculating the "subnet" scope), or if there is some other DUN code which is overriding the firewall settings.

Like the man said...

[Hortensia+Patel]

Backups are for wimps. Real men put their data on a WinXP internal share and have the rest of the world mirror it.

Re:Slashdot and SP2

[nbert]

It seems that Slashdot is desperate to publish any story that is negative about SP2, despite coming from a dubious source with little to no detail on this "flaw". I have to say that it really seems to me that MS got it right this time.

Slashdot might be eager to publish bad news related to SP2, but calling PC-Welt a dubious source sounds ridiculous to me (can you tell me about a US computer mag, which actually features news?).
I don't think you ever heard of PC-Welt prior to this thread. You could as well state that nothing happened in Beslan, because you saw it on BBC (aka foreign media).
I don't want to say that PC-Welt is a great mag - I bought my last issue about 5 years ago and I no regrets not reading it anymore. But if /. cites some "dubious" news from an unknown website some take it more seriously than news from a mag with real journalists and computer experts. Isn't there something wrong about this behaviour?

Pure FUD. It's not even good FUD.

A number of test scans run by PC-Welt revealed that this in fact is a common configuration and not a rare sight.

How many were XP SP2? We all know that many misconfigured 95/98 systems exist. These systems have been probed for over half a decade. Nothing is new.

It must be assumed, that these users wrongly believe they are safe and that their sharing configurations are only visible in their network at home: Often, we did not even encounter password protection.

Misleading statement. Windows XP does not allow accounts with no password to be used with File and Printer Sharing.

Due to the bug carried over from SP1 as well as a new bug, the firewall configuration with SP2 has a catastrophic effect. The SP2 installation simply uses the previous configuration of the firewall: If it was active for the dial-up connection, now it also has been activated for the network adapter. At the same time, an exception is determined for file and printer sharing: For the internal network card - and astonishingly also for all adapters.

The default configuration does have an exception for File and Printer Sharing. However, the exception only covers the user's private home network; the internet will not have access to F&P Sharing.

With the first use of the dial-up connection after installing SP2, all of your shared data are available on the Internet. Now, other users can start guessing your passwords for administrator and guest and you basically are no more secure than the first Windows 95 users with an Internet connection - thanks to Service Pack 2.

The sentence order is wrong. "All of your shared data" are not available on the internet. The password would first have to be guessed, which is resilient to attacks due to the lockout policy for entering too many invalid passwords.

After these measures, you can be sure to be as safe as you were with SP1. Great, don't you think?

It wasn't broken in the first place, idiot. This article is embarrassing for even the zealous MS basher.

Re:Slashdot and SP2

[Izago909]

Dubious or not, the solution is something that most people should do by default:

This error can be corrected by choosing "User defined List" and entering the IP addresses that are supposed to have access - the IP addresses of your LAN. A whole range of an IP area can be entered as "192.168.x.0/255.255.255.0", if the respective addresses start with 192.168.x.

So we should not allow file and printer sharing beyod our local network. Who would a thought? They also recommend using a router with a firewall or a secondary software firewall. It's been a while since I used zone alarm, but the last version I tried didn't notify the user if a windows process tried to access the network. That's why I switched to Sygate. You'd be suprised what parts of windows want to transmitt data (like the file inexing serive) even though you aren't running them.

Yep. I already exploited this one.

[boijames]

My roomie (who I hate) has a printer he was hiding that he's now all of a sudden sharing. 3 words: All. Black. Printjobs. I repeated those, uh, words, about a hundred times. Hilarity did -not- ensue. (Well, it did for me).

Re:I'm shocked! Win 2000 also?

you can't see them, but they exist

Sure you can see them.

# smbclient -I [IP Address] -L //random_name
Password: [Enter]

It will list the computers name as:
Domain=[COMPUTERNAME] OS=[Windows 5.1] Server=[Windows 2000 LAN Manager]

Then use:
# smbclient -I [IP] -L //COMPUTERNAME -U Administrator
Password: [Enter]

And it'll list all the shares including IPC$, C$, D$, etc.

Now just mount whatever you want. Or connect to a printer and use 'print <filename>' to print a file from your local drive on their printer. Use 'queue' to make sure it printed. It may be off or out of paper or whatever. Happy hunting. :)