[4226] in bugtraq
Fatal bug in NT 4.0 server
daemon@ATHENA.MIT.EDU (Vytautas Vysniauskas)
Wed Apr 2 12:52:59 1997
Date: Wed, 2 Apr 1997 14:37:33 +0300
Reply-To: Vytautas Vysniauskas <vytasvy@OSF.LT>
From: Vytautas Vysniauskas <vytasvy@OSF.LT>
To: BUGTRAQ@NETSPACE.ORG
Hi,
There exists a very serious bug in NT 4.0 server. A user who is
granted r/o access to any point of a filesystem can easily
crash an NT 4.0 server.
EXPLOIT:
Client user (who is granted r/o access) resides on Linux box
with root privileges. Client mounts NT server disk as follows
linux# smbmount //ntserver/service /mnt -U client_name
"df" shows mounted volume like
//ntserver/service 530176 458224 71952 86% /mnt
Now when you try to list the volume with ls /mnt
the command hangs (but is possible to kill the process from
another root shell). NT server switches to blue console
screen and crashes immediately showing diagnostic message
*** STOP 0x0000000A (0x00000000, 0x00000002, 0x00000001, 0x8012C28A)
IRQL_NOT_LESS_OR_EQUAL
----
*** NOTE: to exploit this situation you must have incorrectly
working smbmount utility:
Linux version 2.0.25
smbmount utility from smbfs-2.0.1.tgz package
(available at ftp.gwdg.de /pub/linux/misc/smbfs or
sunsite.unc.edu /pub/Linux/filesystems/smbfs )
This package requires at least Linux version 2.0.28
and contains fixes of a standard smbfs module. So,
it is not expected to work correctly with 2.0.25 version.
However, smbmount crashes NT server completely...
The situation was tested several times on two NT 4.0 servers,
always ending up with strictly the same system crash.
It would be interesting to see whether somebody else can reproduce
this result?
QUESTION:
Additionally, I would like to ask:
Is it known that there is a big hole in the NT 4.0 security system
that allows a user without any access permission to mount the NT
server root directory (disk C:) in r/w mode and to take
complete control over the NT system? I have heard only some little
comments but haven't seen a demonstration and/or description
of this vulnerability.
This casts very big doubt on the usability of the NT 4.0 system.
Maybe it is time to switch to a Unix/Samba platform?
========================================================
Vytautas Vysniauskas e-mail: vytasvy@osf.lt
tel: +370-2-611408
UNIX systems administrator
Open Society Fund of Lithuania
========================================================
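As an added example (not part of the original post or of any Microsoft or smbfs code), a small Python helper that parses the STOP line quoted in the message above and decodes its four parameters using Microsoft's documented layout for bugcheck 0xA (referenced address, IRQL, read/write flag, faulting instruction address). The 64 KB null-page threshold and the 2 GB user/kernel split used for triage are assumptions stated in the comments.

```python
import re

# IRQL values as used by NT-family kernels.
IRQL_NAMES = {0: "PASSIVE_LEVEL", 1: "APC_LEVEL", 2: "DISPATCH_LEVEL"}

# Matches "*** STOP 0xCODE (0xP1, 0xP2, 0xP3, 0xP4)" as printed on an NT 4.0 blue screen.
STOP_RE = re.compile(
    r"\*\*\*\s*STOP\s+0x([0-9A-Fa-f]{8})\s*\("
    r"0x([0-9A-Fa-f]{8}),\s*0x([0-9A-Fa-f]{8}),\s*"
    r"0x([0-9A-Fa-f]{8}),\s*0x([0-9A-Fa-f]{8})\)"
)


def parse_stop_line(line):
    """Return (bugcheck_code, [p1, p2, p3, p4]) from a '*** STOP' line, or None."""
    m = STOP_RE.search(line)
    if not m:
        return None
    code = int(m.group(1), 16)
    params = [int(g, 16) for g in m.groups()[1:]]
    return code, params


def decode_irql_not_less_or_equal(params):
    """Decode bugcheck 0xA parameters: address, IRQL, access type, faulting PC."""
    addr, irql, access, pc = params
    return {
        "referenced_address": addr,
        # Assumption: the lowest 64 KB is never mapped, so a hit there is a (near-)null pointer.
        "null_dereference": addr < 0x10000,
        "irql": irql,
        "irql_name": IRQL_NAMES.get(irql, "unknown"),
        "access": "write" if access == 1 else "read",
        "faulting_instruction": pc,
        # Assumption: default NT 4 2 GB split, so >= 0x80000000 is kernel-mode code.
        "kernel_address": pc >= 0x80000000,
    }


def triage(line):
    """Parse one STOP line and, for bugcheck 0xA, return a decoded triage dict."""
    parsed = parse_stop_line(line)
    if parsed is None:
        return None
    code, params = parsed
    if code != 0xA:
        return {"bugcheck": code, "note": "not IRQL_NOT_LESS_OR_EQUAL"}
    info = decode_irql_not_less_or_equal(params)
    info["bugcheck"] = code
    return info


# The diagnostic line quoted in the post above.
SAMPLE = "*** STOP 0x0000000A (0x00000000, 0x00000002, 0x00000001, 0x8012C28A)"

if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(f"{key}: {value:#x}" if type(value) is int else f"{key}: {value}")
```

For the quoted line this reports a write to address 0 at DISPATCH_LEVEL from kernel-mode code, which is the pattern of a kernel component dereferencing a null pointer while servicing the client's request.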