
I just found something weird in the Vista file sharing system.

If I right-click any folder and click Share, a window shows where I can select the users to share with; my user name is automatically there, with owner status.

OK, here is the weird thing: if I click the Share button in the window, without adding any user to the list, just keeping my user name, then I can enter the folder from OTHER computers in the LAN and have complete access; I can delete, create files, etc. as an owner.

I tested this on 5 computers, 3 with XP and 2 with Vista.

I can reproduce the problem on both Vista PCs, but, for some reason, I can access as owner only from the other Vista and 1 XP; the other 2 XPs can't access the folder at all.

Four PCs have NeHoMaR as user name, including one of the XPs not able to access the folder. I was thinking the problem was the same user name, but it isn't, because one computer with the NeHoMaR user cannot access it.

Notes: Windows Firewall is disabled on all 5 PCs. Both Vistas have different anti-virus software. All PCs are connected to the same router in a normal LAN.


OK, here is the weird thing: if I click the Share button in the window, without adding any user to the list, just keeping my user name, then I can enter the folder from OTHER computers in the LAN and have complete access; I can delete, create files, etc. as an owner.

It's because you're sharing those folders from those specific computers (or whoever's computers they are)

Maybe my English is too bad for this; I will still try to explain. The above posts are too precipitated.

No. I am NOT sharing the folder with those computers.

In the permissions (right-clicking the shared folder) the only one allowed is my user name; Everyone (for sharing with the whole LAN) is not there. Adding Everyone to the rules makes all computers have access.

Some computers are reacting in the right way: not allowing access to the folder. ALL computers should react that way; I am not allowing them to even see the folder.

You both insist there is no bug here? Well, tell me exactly why those other computers can manage the folder as owner?

1st.- There is only one rule. One user name that is automatically added when you are using the "easy" sharing menu (not the one that pops up a UAC window)

2nd.- Only 3 of 5 computers can access the folder as owner (the other 2 cannot even see it) // One of the computers without access has the same username and password.

Edited by NeHoMaR

Are you using simple file sharing or not? You state "Four PCs have NeHoMaR as user name". What is the password on these accounts? The same on 3 and not the fourth.

If computer A has account billy with password password1 as admin, and computer B is logged in with account billy and password1.. Then computer A will think account from B is his billy account and it will be an admin.

Whatever account on A you auth with is the permissions you will have on that machine. You can only auth to the machine with 1 account at a time. You need to understand what account you're authing to the machine with; nbtstat -s and/or net use can be used to show you what sessions/connections you have open. You need to fully understand what NTFS and Share permissions you have set for the account you auth with.

On the computer users are connected to, you could also use manage computer and look at the sessions, and it will tell you what account is authed to that session, etc.

As to just tried it and it give complete access to all folders.. And what did you share exactly? And what account are you authing to the machine with? What NTFS file permissions are set on the folders?

Yes if you Share folder A, and the permissions allow for it -- then all folders below folder A can be accessed.

The easy share menu? So you have no freaking idea what your NTFS permissions are, do you -- using some wizard.

Again -- not understanding how something works does not mean there is a bug.

http://support.microsoft.com/kb/304040

How to configure file sharing in Windows XP

http://technet.microsoft.com/en-us/library...echNet.10).aspx

File and Printer Sharing in Windows Vista

Edited by BudMan
Are you using simple file sharing or not?
Both. IMO, the simple sharing shouldn't add the username as owner by default, because maybe you DON'T want other computers to access that folder. Now, it's in the advanced sharing where I can actually see the folder is shared just to my username, not to Everyone; even deleting the username and keeping only Everyone, if I open simple sharing, it will add the username again, giving access to everyone with the same user/pass? Including if someone has the same as a coincidence?
What is the password on these accounts? The same on 3 and not the forth.
Here, the "unlogic" part. Four PCs have same user/pass and one cannot access. // I repeat, I am not using any firewall or whatever, so that theory can be discarded.

As a side note: BudMan, your responses have a little touch of arrogance. I don't know if it is on purpose or not, but you could offend some people with that way of talking (writing). I KNOW I don't know all about file sharing, that's obvious, that's why I am posting; I don't see the need of repeating it in every post.

Edited by NeHoMaR

I am not trying to offend anyone.. But without the "details" of exactly what you're doing, I can not tell what you're doing wrong, or what you're not understanding.

As to why a specific machine can not access a share, even though you have stated it has the same username and password.. And other machines can, points out you're missing info.. Did the machine auth to the machine as guest already? If there is a guest session open to that machine, you can not also use an account with different permissions at the same time. You would have to disconnect the other session before you could auth with an account that has permissions.

The machine is going to allow you the access based on the share and NTFS permissions set, and what account you auth with.. Plain and simple --> PERIOD.

As to the everyone in the share permissions. There are 2 different types of permissions, there are "SHARE" permissions - and then there are "NTFS" permissions.. There is no issue with allowing the share permissions to be listed as everyone. Depending on how you have the NTFS permissions set.

The default on a share is "everyone" -- you lock this down with NTFS permissions. The only time you normally have to dick with the share permissions is when you're trying to do something really specific. 99 out of 100 times you never have to dick with the share permissions, just set the NTFS how you want them.

I agree the wizards are CRAP! Don't use them -- just share the folder.. everyone with change. And then set the NTFS permissions to what you want on the folder/files

If you want billy to have change permissions, then set those on the NTFS.. If you want susan to have only read, then set that as well. Now if you auth as billy you can change files, if you auth as susan you can only read them.

If you're not billy or susan then you would not be able to access the share.

So many people do not truly understand how file sharing works, and here someone thinks they have found a flaw in something that has been around for how long? Just as BudMan said, there are permissions for viewing, and changing the share. This should be set to everyone, unless you don't want someone to even see the share. NTFS permissions work in a way that the most defined permission takes precedence. As in, a file with read/write permissions for dude, within a folder with permissions for dude and gal, will only be accessible by dude. You set the share to everyone and then set individual files and folders based on user.

Hey, just a question: I made 1 account called Guest and one is Matthew (admin), which is only for my login for the folder for admin permissions on other PCs on the network etc., right? But it looks as if the Guest account automatically logs in on my dad's login and does readable, but sometimes it asks for username and password; I just enter Guest and it logs in. Is this the right way, or do I make one called Everyone and put it to readable for access to all on the network without requesting the user/pass dialogue?

Just wondering, this is for my music folder.

So if computer A has userA with passwordA, and computer B, a totally different system, also has userA with passwordA... then userA logged on computerB (NOT logged, even remotely, on computerA) will be able to freely explore files on computerA simply because computerA will think that the right credentials have been provided?

That sounds like a design flaw to me, even if it is a well known and expected behaviour. If you consider that all Windows installations have at least two accounts that are present everywhere (Administrator and Guest), this can pose a security risk.

That sounds like a design flaw to me, even if it is a well known and expected behaviour.
That is the way it's been since windows 3.11.. How is knowing the USERNAME and PASSWORD of an account on a machine to gain access a design flaw????

It's the same thing for every OS on the PLANET! If you know the username and password of an account on the system you can get access to the system - DUH!!

So since ROOT is on every linux/nix/bsd box on the planet -- it's a security issue if you KNOW what the password is????

In the domain world SIDs can come into play -- but that does not matter if you auth to the machine remote.. You do not need to present a SID to auth to a machine.

Again how is having to know a username and password to access the machine a design flaw??? How do you suppose it be fixed? What will be used to auth to a machine to gain access to its files? You better make it simple -- cuz users are not even bright enough to figure out how to use usernames and passwords to access a machine on their own network ;)

I made an account in the list called Guest myself and it worked. I don't have no one there, not even Everyone, on the share; when I press the Share button for the wizard it only has my name as Matthew and Owner, but I made an account called Guest, set it to readable and it works. Is this the right way of doing so?

That is the way it's been since windows 3.11.. How is knowing the USERNAME and PASSWORD of an account on a machine to gain access a design flaw????

It's the same thing for every OS on the PLANET! If you know the username and password of an account on the system you can get access to the system - DUH!!

So since ROOT is on every linux/nix/bsd box on the planet -- it's a security issue if you KNOW what the password is????

In the domain world SIDs can come into play -- but that does not matter if you auth to the machine remote.. You do not need to present a SID to auth to a machine.

Again how is having to know a username and password to access the machine a design flaw??? How do you suppose it be fixed? What will be used to auth to a machine to gain access to its files? You better make it simple -- cuz users are not even bright enough to figure out how to use usernames and passwords to access a machine on their own network ;)

Did I not make myself clear? If two separate systems miraculously have two users that have the same username and password, they should still be prompted for credentials when one computer is accessing the other. Because the login should be done at THE REMOTE computer, therefore the user should be asked for the username/password of the remote computer. Perhaps it does ask, and the local service automatically provides the local credentials 'just in case'. It's a security issue if you don't know that you know the password.

That is the way it's been since windows 3.11.. How is knowing the USERNAME and PASSWORD of an account on a machine to gain access a design flaw????

It's the same thing for every OS on the PLANET! If you know the username and password of an account on the system you can get access to the system - DUH!!

So since ROOT is on every linux/nix/bsd box on the planet -- it's a security issue if you KNOW what the password is????

I don't think for linux/nix/bsd/etc. when you have two systems with the same root password, when you login to one of the Linux box as root, you can remotely access the other Linux box without entering the same password again?

It's most definitely an exploit that most every other OS doesn't have. So let's say I have two PCs, both have the same administrator account name and password, when I want some guy to have full access to one of the computers to do some work, so I login to PC 1 with the administrator account, and let him work on it, I don't think he should be able to remotely login to PC2 without entering a password from PC1.

That's actually quite a severe exploit for an enterprise environment, when all the workstations in a company are likely to have one same admin account name and password. Then temporarily granting someone admin access to one PC means granting him admin access to all PCs in the company :|

Did I not make myself clear? If two separate systems miraculously have two users that have the same username and password, they should still be prompted for credentials when one computer is accessing the other. Because the login should be done at THE REMOTE computer, therefore the user should be asked for the username/password of the remote computer. Perhaps it does ask, and the local service automatically provides the local credentials 'just in case'. It's a security issue if you don't know that you know the password.

Are you kidding me? This thread has turned into complete and utter nonsense. Look, when you have several PCs using a type of P2P networking, you have no server providing a domain and active directory...follow? AD provides a way of centralized security, so that when you log onto one machine as userA, you have logged onto the network as userA, if you try to access a share on the server that requires userA credentials, you will not be prompted, because you have already provided this information...follow? Now, with a P2P network, you have no AD, and no centralized security. In this case you have to create the same username/password on each PC, so that when you log onto one PC, and try to access a share on another, you are providing the same credentials you logged in with, and authenticating with the remote PC. Creating the same username/password on each PC is a way of providing your own makeshift AD (not really, but you should get what I mean by now).

Then temporarily granting someone admin access to one PC means granting him admin access to all PCs in the company :|
And how is that???? You would not give the user the admin account password, you would give their account temp admin rights on the machine.. that account would not have admin rights on any other machine.

Nor in a secure setup would the local admin account for every machine be the same password, yes I agree quite often this is the case - but this is out of the admin's laziness, not the recommended practice at all. Every account should have a different password, be it the same username or not.

So you're saying that you should get prompted every time you access a remote share.. That would be GREAT in a work setup where you would have to type in your username and password to every server in the company when you try to access it.

A user should know the password of the account they are using, and if they do not - this account would not have access to any other machine that you do not want it to have access to. I.e. a generic type account, which btw use of which is against common security practices. Every user should have their own unique username and password -- the use of generic accounts where more than 1 user knows the password is not recommended, nor is auto login.

When you try to access a remote machine, it prompts for username and password -- windows just gives it the current account info. If this is not valid for access, then you are prompted to type in other creds or just plain denied access if you have session open to that machine already.

Having a user logged into an account that has admin rights on other machines is a security concern yes. The fact that windows auto presents its currently logged in user creds to a remote machine when prompted for auth is not. Since the username and password should only have access to the machines you want it to have access on.

If you do not want the auto logged in account on computer B to have access to computer A -- then do not use the same username and password on both machines ;) In doing so you're going against best practice --> "All User Accounts should have Different Passwords" BTW -- a "blank" password is not valid and can not be used to auth to a remote machine.. So if you have user Billy on 2 machines that auto login with a blank password -- he can not gain access to the other computer with his billy account.

But in a workgroup setup -- it's a great time saver to have the machines log in with accounts that have the permissions you want for file shares for another machine, etc. NO you would not auto login a machine with an account that has admin rights on every machine -- that would just be dumb, unless you're in a secure environment like your home, etc. And you set that up on your machine for example.

edit2: Also this has nothing to do with XP home -- since on XP home you can only auth as GUEST from a remote machine, does not matter if the remote machine is XP, 9x, NT, 2k, 2k8, linux -- remote auth to an XP home machine is always GUEST. So unless you put the guest account in the admin group.. The only access remote machines would have would be the access you allowed.

Edited by BudMan
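
A simplified model of the behaviour BudMan's posts describe, added here as an illustration and not code from the thread or from Windows: the client's logon name and password are presented automatically, the sharing machine checks them against its own local accounts, and the access granted is the lower of the share and NTFS grants. The `Server` class, the function names and the sample accounts are constructed (billy, susan and password1 echo the thread's examples); deny entries, groups and guest fallback are left out, and real Windows compares NTLM responses rather than cleartext passwords.

```python
from dataclasses import dataclass

LEVELS = ["none", "read", "change", "full"]   # least to most privileged

@dataclass
class Server:
    accounts: dict              # local account name (lower case) -> password
    share_acl: dict             # principal -> level granted on the share
    ntfs_acl: dict              # principal -> level granted on the folder
    guest_enabled: bool = False
    force_guest: bool = False   # XP Home behaviour described in the thread

def authenticate(server, user, password):
    """Return the local account the remote session runs as, or None."""
    if server.force_guest:
        # Every remote logon becomes Guest, whatever credentials were sent.
        return "guest" if server.guest_enabled else None
    stored = server.accounts.get(user.lower())
    # A blank password is never accepted for a network logon.
    if stored and password and stored == password:
        return user.lower()
    return None

def granted(acl, account):
    """Highest level the ACL gives the account, directly or via Everyone."""
    return max(LEVELS.index(acl.get(p, "none")) for p in (account, "everyone"))

def effective_access(server, user, password):
    """Access a client gets when its logon credentials are sent automatically."""
    account = authenticate(server, user, password)
    if account is None:
        return "none"
    # Both the share ACL and the NTFS ACL must allow the operation.
    level = min(granted(server.share_acl, account),
                granted(server.ntfs_acl, account))
    return LEVELS[level]

def scenarios():
    """Run constructed cases that mirror the situations argued over above."""
    wizard = Server(accounts={"billy": "password1"},
                    share_acl={"billy": "full"}, ntfs_acl={"billy": "full"})
    advised = Server(accounts={"billy": "password1", "susan": "password2"},
                     share_acl={"everyone": "change"},
                     ntfs_acl={"billy": "change", "susan": "read"})
    blank = Server(accounts={"billy": ""},
                   share_acl={"billy": "full"}, ntfs_acl={"billy": "full"})
    xp_home = Server(accounts={"billy": "password1"}, guest_enabled=True,
                     force_guest=True, share_acl={"everyone": "change"},
                     ntfs_acl={"billy": "full", "everyone": "read"})
    return {
        "same name, same password": effective_access(wizard, "Billy", "password1"),
        "same name, other password": effective_access(wizard, "billy", "different"),
        "unknown account": effective_access(advised, "mallory", "password1"),
        "billy on advised share": effective_access(advised, "billy", "password1"),
        "susan on advised share": effective_access(advised, "susan", "password2"),
        "blank password": effective_access(blank, "billy", ""),
        "xp home forces guest": effective_access(xp_home, "billy", "password1"),
    }

if __name__ == "__main__":
    for name, level in scenarios().items():
        print(f"{name:28} -> {level}")
```
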
Are you kidding me? This thread has turned into complete and utter nonsense. Look, when you have several PCs using a type of P2P networking, you have no server providing a domain and active directory...follow? AD provides a way of centralized security, so that when you log onto one machine as userA, you have logged onto the network as userA, if you try to access a share on the server that requires userA credentials, you will not be prompted, because you have already provided this information...follow? Now, with a P2P network, you have no AD, and no centralized security. In this case you have to create the same username/password on each PC, so that when you log onto one PC, and try to access a share on another, you are providing the same credentials you logged in with, and authenticating with the remote PC. Creating the same username/password on each PC is a way of providing your own makeshift AD (not really, but you should get what I mean by now).

And this is normal and completely logical because...? I'm not saying that it is a bug, since it was clearly designed that way, it is documented that it works that way, and it is expected to work that way, at least on windows.

I believe that the normal usage is that when I want to access a shared resource on a remote computer, that I should provide credentials that are valid on THAT computer.

From what I'm reading, that's how a samba server works. If user-level security is used on a share, the remote client will be prompted for credentials that will be checked against a local list, which in linux is some file (not the local user database), and on windows I'm assuming you can change it on a per-share basis, or at least on vista.

Apparently the whole "let's provide my own credentials" is a Windows thing. So no, I'm not saying that authenticating with a username/password is a design flaw... let's say I take that back. But Windows providing credentials on your behalf without you knowing is.. peculiar, to say the least. Not being prompted is the problem.

And how can it pose a security risk? When the user of a computer has absolutely NO clue on what the passwords are for certain accounts. Like, with Windows XP Home, only the person who installed it would know what the administrator password is. In many cases the password is blank, because no password for the first user was provided (I think that either XP SP2 or Vista require you to type a password when you install Windows now).

Also, we're in the era of mobility. A single host can be on different networks, and knowing how dumb people are with obvious usernames and passwords, this could lead to people accessing the local shares of a computer without the owner noticing. Is being prompted THAT hard? As if it was THAT difficult to implement something like web browsers, to remember the username/passwords of certain hosts, that way you would have to provide the credentials just once.

If you do not want the auto logged in account on computer B to have access to computer A -- then do not use the same username and password on both machines ;) In doing so you're going against best practice --> "All User Accounts should have Different Passwords" BTW -- a "blank" password is not valid and can not be used to auth to a remote machine.. So if you have user Billy on 2 machines that auto login with a blank password -- he can not gain access to the other computer with his billy account.

So I was wrong by assuming that blank passwords could be used. Instead, now this explains why I'm never able to access certain shared resources on my local network when 'guest' is not allowed. I'm prompted for credentials, yet I'm obviously never able to login, because the blank password is not valid.

Now I have a question, is the blank password not valid because the windows CLIENT won't accept it, or because the samba server will automatically reject it without even comparing if a user with those credentials is present on the local user list?

Windows implementation of the SMB protocol defies all logic I tell ya

Blank is NOT a password, so why would anything accept it as remote auth of a password?

And I have no idea how you set up your samba shares - but I do not get prompted for samba access on my home network, because I have mapped the Windows account to a linux account.

"But windows providing credentials on your behalf without you knowing is"

This could be taken as a valid statement -- but who does not know?? It is common knowledge that windows will present its currently logged in account info to access a SMB/CIFS share.

As I stated earlier in this thread "not understanding how something works" does not mean there is a bug or that there is something wrong with the design.

From a security standpoint, is presenting current credentials without user intervention the best way? Maybe not?? But I can tell you for sure from an ease of use standpoint this is almost a requirement. Users being prompted to send their current credentials or having to type them in again every time they accessed a remote share would not fly. How long are they good for? Can the user cache them -- what happens with the cached credentials once the password is changed - are they kept in sync? If there is a method for the user to have them auto presented they will -- So you're back to square one with them being auto presented, etc.

Well, I just noticed, on linux, once you perform a request for the list of shared resources and the thing prompts for a password, the calling user is 'mapped', but the password is asked for even if it's the same password (i.e., it doesn't send your credentials without you knowing, it just sends YOUR username and asks for a password). Which is even more confusing, to not know what user the password is being asked for, even though it's obvious that the username/password has to match on the remote machine of course.

If blank is not a password, a computer in which the guest account is disabled is going to be problematic since there would be no way of accessing those shared resources unless another user rather than the passwordless one is provided. But I guess you can't blame SMB implementations here, but the blame should be put on Windows allowing the creation of passwordless users. Is the behavior the same in Vista?

In Vista, having all users without a password could mean "isolation", since nobody would ever be able to login (I'm using smbclient against my Vista computer and providing no password (regardless of the user) grants me anonymous access, even if the user I used to log in didn't have a password). Although no shared resources are listed for the 'anonymous' user, they're only shown if I provide valid credentials.

These two features may be useful, but they go against the norm when it comes to logins, and they certainly aren't explained on windows (and it's not like I'm expecting them to show to the end user how the protocol is implemented, but we're dealing with user prompts here, which are at the very top of the stack).

SO, no, it's not "common" knowledge that windows does that. It's not common knowledge to me that windows attempts a login before prompting me for credentials on a remote computer, and it's not common knowledge how a user can log in with a blank password locally but it can't be done remotely to browse the shared resources.

The expected behavior would be to provide the end user with more information about this. Because the way it is now, there's no way in hell I could have determined those particular things without finding some obscure KB article.

This topic is now closed to further replies.