5668739 2000-11-02  04:55  /52 lines/ Brevbäraren (som är implementerad i) Python
Recipient: Bugtraq (import) <13544>
Comment on text 5659539 by Brevbäraren (som är implementerad i) Python
Subject: Re: Samba 2.0.7 SWAT vulnerabilities
------------------------------------------------------------
From: Richard Trott <trott@SLOWPOISONERS.COM>
To: BUGTRAQ@SECURITYFOCUS.COM
Message-ID: <Pine.BSO.4.21.0010311450350.14568-100000@www>

On Mon, 30 Oct 2000, Optyx - Uberhax0r Communications wrote:

> The program swat included in the samba distribution allows username and
> password bruteforcing. An attacker can easily generate userlists and then
> bruteforce their passwords. Comments in the source code show that somebody
> tried to prevent this from happening[1].
>
> The problem occurs when a user types in the wrong password. If swat gets a
> valid username, but incorrect password it errors with:
>
> 2 second pause
>
> 401 Authorization Required
>
> You must be authenticated to use this service.
>
> If swat gets an invalid username / password:
>
> NO PAUSE
>
> 401 Bad Authorization
>
> username/password must be supplied

This kind of error is extraordinarily common.

I just noticed that CS&T's CorporateTime for the Web does this.  If
you type in the wrong password, you get "The password you entered is
incorrect."  If you type in the wrong username, you get "The system
found no matches for the given search string."  In addition to the
latter message being cryptic to the average user, the different
messages make it easy to determine valid usernames.  Nothing like
making it easy for a cracker to come up with a list of valid
usernames to brute-force...

I'm sure if everyone reported these problems to BugTraq, we could
generate a very, very long list of products that have this same
problem.  I'd actually like to generate just such a list of products.
Feel free to send example products (free, commercial, whatever) to me
(and/or to Bugtraq; hey, it's moderated) and if I get enough, maybe
I'll post a Web page.

[CorporateTime for the Web also appears to do other
not-so-security-conscious things like create a world writeable log
directory (lexacal-private/log--and that private directory is created
with world read and execute permissions, so it is not private at
all).]

Rich
(5668739) ------------------------------------------(Rewrapped)
Comment in text 5671827 by Brevbäraren (som är implementerad i) Python
Comment in text 5672235 by Brevbäraren (som är implementerad i) Python
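
Added example, not part of the original thread and not code from Samba or any product named in it: a Python login check showing the enumeration flaw discussed above beside a version that returns the same response and does the same hashing work whether or not the username exists. The account store, function names and PBKDF2 work factor are assumptions constructed for the illustration.

```python
import hashlib
import hmac
import os

ITERATIONS = 50_000  # constructed work factor for this example

def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

def make_user(password):
    salt = os.urandom(16)
    return salt, _hash(password, salt)

# Constructed sample account store (hypothetical user)
USERS = {"alice": make_user("correct horse")}

# Dummy record: unknown usernames are checked against it, so they cost the
# same hashing work as real accounts and timing does not reveal existence.
_DUMMY_SALT, _DUMMY_HASH = make_user(os.urandom(16).hex())

GENERIC_FAILURE = (401, "Authorization Required")

def leaky_login(username, password):
    """Pattern from the thread: a different answer per failure reason."""
    record = USERS.get(username)
    if record is None:
        return (401, "Bad Authorization")  # returns early, no hashing done
    salt, stored = record
    if not hmac.compare_digest(_hash(password, salt), stored):
        return (401, "Authorization Required")
    return (200, "OK")

def uniform_login(username, password):
    """Same code path, same work and same message for every failure."""
    record = USERS.get(username)
    salt, stored = record if record else (_DUMMY_SALT, _DUMMY_HASH)
    matches = hmac.compare_digest(_hash(password, salt), stored)
    if record is not None and matches:
        return (200, "OK")
    return GENERIC_FAILURE

def distinguishable(login, known_user, unknown_user):
    """True if failed-login responses reveal whether a username exists."""
    return login(known_user, "wrong") != login(unknown_user, "wrong")
```

A fixed delay on failure only helps if it is applied on every failure path; the dummy-hash approach above gets the same effect without a special case for unknown users.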

5671827 2000-11-02  18:25  /39 lines/ Brevbäraren (som är implementerad i) Python
Recipient: Bugtraq (import) <13549>
Comment on text 5668739 by Brevbäraren (som är implementerad i) Python
Subject: Re: Samba 2.0.7 SWAT vulnerabilities
------------------------------------------------------------
From: Gerald Carter <gcarter@VALINUX.COM>
To: BUGTRAQ@SECURITYFOCUS.COM
Message-ID: <3A0165C1.CFB2A02D@valinux.com>

> On Mon, 30 Oct 2000, Optyx - Uberhax0r Communications wrote:
>
> > The program swat included in the samba
> > distribution allows username and password bruteforcing.
> > An attacker can easily generate userlists and then
> > bruteforce their passwords. Comments in the source
> > code show that somebody tried to prevent this
> > from happening[1].

Just an FYI....


These reported problems have been corrected in the
latest version of our HEAD branch code and will be in the
next release of Samba (2.2.0 - currently in alpha release
stages).

Many thanks to Samba developer, Jeremy Allison, for
addressing this.





Cheers, jerry
----------------------------------------------------------------------
   /\  Gerald (Jerry) Carter                     Professional Services
 \/    http://www.valinux.com/  VA Linux Systems   gcarter@valinux.com
       http://www.samba.org/       SAMBA Team          jerry@samba.org
       http://www.plainjoe.org/                     jerry@plainjoe.org

       "...a hundred billion castaways looking for a home."
                                - Sting "Message in a Bottle" ( 1979 )
(5671827) ------------------------------------------

5672235 2000-11-02  20:36  /51 lines/ Brevbäraren (som är implementerad i) Python
Recipient: Bugtraq (import) <13563>
Comment on text 5668739 by Brevbäraren (som är implementerad i) Python
Subject: Re: Samba 2.0.7 SWAT vulnerabilities
------------------------------------------------------------
From: Ryan Gray <ryan@SNIPER.ORG>
To: BUGTRAQ@SECURITYFOCUS.COM
Message-ID: <Pine.LNX.4.30.0011011939120.13140-100000@catalyst.catalystsol.com>

CheckPoint Firewall-1 (at least up to version 4.0) has similar
behavior.  Firewall-1 uses port 259 for client authentication.

If a valid username and invalid password is used:

User: validuser
FireWall-1 password: ******
Access denied by FireWall-1 authentication

User:
###################################

And if an invalid username is used:

User: invaliduser
User someuser not found

User:
###################################


I'm not sure about 4.1, but from the work that I've done with it, I'd
imagine that it behaves the same.


Regards,
Ryan Gray
Catalyst Solutions, Inc.

On Tue, 31 Oct 2000, Richard Trott wrote:


> I'm sure if everyone reported these problems to BugTraq, we could generate
> a very, very long list of products that have this same problem.  I'd
> actually like to generate just such a list of products.  Feel free to send
> example products (free, commercial, whatever) to me (and/or to Bugtraq;
> hey, it's moderated) and if I get enough, maybe I'll post a Web page.
>
> [CorporateTime for the Web also appears to do other
> not-so-security-conscious things like create a world writeable log
> directory (lexacal-private/log--and that private directory is created with
> world read and execute permissions, so it is not private at all).]
>
> Rich
>
(5672235) ------------------------------------------(Rewrapped)