[17441] in bugtraq
Re: Samba 2.0.7 SWAT vulnerabilities
daemon@ATHENA.MIT.EDU (Richard Trott)
Wed Nov 1 20:23:50 2000
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Message-Id: <Pine.BSO.4.21.0010311450350.14568-100000@www>
Date: Tue, 31 Oct 2000 15:14:11 -0800
Reply-To: trott@SLOWPOISONERS.COM
From: Richard Trott <trott@SLOWPOISONERS.COM>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <Pine.SOL.4.21.0010300920500.3477-100000@d33r>
On Mon, 30 Oct 2000, Optyx - Uberhax0r Communications wrote:
> The program swat included in the samba distribution allows username and
> password bruteforcing. An attacker can easily generate userlists and then
> bruteforce their passwords. Comments in the source code show that somebody
> tried to prevent this from happening[1].
>
> The problem occurs when a user types in the wrong password. If swat gets a
> valid username, but incorrect password it errors with:
>
> 2second pause
>
> 401 Authorization Required
>
> You must be authenticated to use this service.
>
> If swat gets a invalid username / password:
>
> NO PAUSE
>
> 401 Bad Authorization
>
> username/password must be supplied
This kind of error is extraordinarily common.
I just noticed that CS&T's CorporateTime for the Web does this. If you
type in the wrong password, you get "The password you entered is
incorrect." If you type in the wrong username, you get "The system found
no matches for the given search string." In addition to the latter
message being cryptic to the average user, the different messages make it
easy to determine valid usernames. Nothing like making it easy for a
cracker to come up with a list of valid usernames to brute-force...
I'm sure if everyone reported these problems to BugTraq, we could generate
a very, very long list of products that have this same problem. I'd
actually like to generate just such a list of products. Feel free to send
example products (free, commercial, whatever) to me (and/or to Bugtraq;
hey, it's moderated) and if I get enough, maybe I'll post a Web page.
[CorporateTime for the Web also appears to do other
not-so-security-conscious things like create a world writeable log
directory (lexacal-private/log--and that private directory is created with
world read and execute permissions, so it is not private at all).]
Rich
