File and Printer Sharing Insecure in XP SP2
ProKras writes "German magazine PC-Welt has discovered a major security flaw in Windows XP SP2 when installing over SP1. The article says that 'with a certain configuration, your file and printer sharing data are visible worldwide, despite an activated Firewall.' The magazine claims they were 'able to discover private documents on easily accessible computers on the Internet' and that the configuration is fairly common."
I'm shocked! (Score:5, Funny)
Re:I'm shocked! (Score:5, Interesting)
Re:I'm shocked! (Score:5, Insightful)
As well intentioned as you were, you shouldn't do such things. It's likely against your ISP's usage policy, generally considered unethical, and potentially against the law depending on where you live.
Re:I'm shocked! (Score:5, Insightful)
As well intentioned as you were, you shouldn't do such things. It's likely against your ISP's usage policy, generally considered unethical, and potentially against the law depending on where you live.
While I can understand why such behavior might piss off an ISP, I don't see why it would generally be considered unethical. It's not like he was installing software remotely on someone's computer, which seems very different to me.
Would it be unethical if he knocked on their door and told them in person of their vulnerabilities? How about if he slipped a flyer under their door while they weren't home? That seems to me to be the ethical equivalence of using their computer to print a warning.
Re:I'm shocked! (Score:5, Funny)
Re:I'm shocked! (Score:3, Insightful)
Re:I'm shocked! (Score:5, Insightful)
Re:I'm shocked! (Score:5, Funny)
"Hey Richards, I was going through your latest project proposal and... what's this about penis enlargement?"
=Smidge=
Re:I'm shocked! (Score:3, Insightful)
Re:I'm shocked! (Score:3, Informative)
Re:I'm shocked! (Score:5, Insightful)
Yes (Score:5, Funny)
Hugs and Kisses, Bill Gates
Re:I'm shocked! (Score:4, Funny)
Yes.
By George, I think he's got it!
Shared (Score:3, Funny)
Re:Shared (Score:4, Insightful)
So if I go out for the day and accidentally leave my front door open, have I placed all my possessions in the public domain?
I've said it before, and it looks like I'm going to have to keep on saying it - just because you *can* do something doesn't mean that you *should* or that you're *allowed* to.
Re:Shared (Score:3, Interesting)
Re:Shared (Score:5, Insightful)
Since Windows file sharing is meant to share files - allow access to them - I don't really see how any document in a world-readable directory could be likened to the stuff in your house. You made the directory world-readable. You placed the document there. How could anyone make any other conclusion than that you meant the document to be readable by anyone? Same for printers - if you don't want people to print random garbage with them, why did you make them world-printable?
Now, it's possible that your computer is buggy and shared the directory by itself, or that you're an idiot who plays around with his computer's configuration without understanding what he's doing, but how is anyone else supposed to know that?
As for your example, if keeping your front door open is commonly considered an invitation to come inside and take whatever you want, then yes, leaving your front door open is going to mean exactly that.
That, however, doesn't change the fact that you can hardly be blamed for using resources someone else has made available. Open port is an invitation. If the inviter wanted to limit his invitation to a certain group of people, he should have used a password. Otherwise, people have no way of knowing that this invitation didn't include them.
Re:Be sure to save this speech for (Score:3, Insightful)
What hack job? This article was about a bug in Windows which might cause a directory or printer to be made shared with the whole world. How is connecting to an open share a "hack" in any meaning of the job?
Re:I'm shocked! (Score:5, Interesting)
XP's firewall thinks that the machine is on a private network (and thus behind a hardware firewall), and so it allows access through the firewall. Unfortunately, in this case, the ISP screwed up and put the private IP on the internet without protection.
Re:I'm shocked! (Score:2)
Re:I'm shocked! (Score:2)
Re:I'm shocked! (Score:3, Funny)
Re:I'm shocked! (Score:3, Funny)
Re:I'm shocked! Win 2000 also? (Score:5, Informative)
Sure you can see them.
# smbclient -I [IP Address] -L
Password: [Enter]
It will list the computers name as:
Domain=[COMPUTERNAME] OS=[Windows 5.1] Server=[Windows 2000 LAN Manager]
Then use:
# smbclient -I [IP] -L
Password: [Enter]
And it'll list all the shares including IPC$, C$, D$, etc.
Now just mount whatever you want. Or connect to a printer and use 'print <filename>' to print a file from your local drive on their printer. Use 'queue' to make sure it printed. It may be off or out of paper or whatever. Happy hunting.
Re:I'm shocked! Win 2000 also? (Score:3, Informative)
Re:I'm shocked! Win 2000 also? (Score:3, Informative)
And this is news how? (Score:4, Funny)
Re:And this is news how? (Score:5, Funny)
Argh. That'd be annoying if some script kiddie caused my files to get checked.
We GET it Slashdot... (Score:3, Funny)
Do we need an SP2 article every single day? More Linux news, please!
This isn't a bug... (Score:5, Funny)
Worry about your ISP not liking you operating a server? They (and you) don't even have to know!
It's a feature!
Re:This isn't a bug... (Score:5, Funny)
Re:This isn't a bug... (Score:2, Insightful)
Would he fix it then?
Re:This isn't a bug... (Score:5, Funny)
Bill: I am getting a video from a Mr. Valenti, it looks like he's opening his mouth to talk...
Re:This isn't a bug... (Score:4, Interesting)
My printer has a JetDirect ethernet card in it. It's got its own webserver and can handle the Internet Printing Protocol. You could print to it from across the globe if you knew the IP and it was outside a firewall (or you use a VPN or something).
So what would happen if I just "set it free"? Would anyone notice? Would people start printing spam out of it? Would they try to print Goats.ex stuff?
Anyone ever done this (either on purpose or accidentally)? Anything happen? Just curious. I mean I can understand the appeal of files, but does anyone care about "open" printers?
Re:This isn't a bug... (Score:4, Interesting)
Re:This isn't a bug... (Score:2)
Re:This isn't a bug... (Score:2, Insightful)
Re:This isn't a bug... (Score:3, Insightful)
Re:This isn't a bug... (Score:3, Interesting)
Depending on the setup there are many ways to get access to the printers.
All google needs is one link.
Re:This isn't a bug... (Score:2)
Cue Mortal Kombat voice over (Score:3, Funny)
Humiliation...
Re:Cue Mortal Kombat voice over (Score:2, Informative)
Re:Cue Mortal Kombat voice over (Score:2)
Nah quake 3 ripped it off...
Slashdot and SP2 (Score:4, Interesting)
Security over features and security over performance... isn't this exactly what we have been asking for? I mean, do you really care that the guy down the hall is running Powerpoint 9% slower?
Cause all I care about is that he is not hammering my webserver with the latest virus.
Re:Slashdot and SP2 (Score:2, Insightful)
Re:Slashdot and SP2 (Score:5, Insightful)
Slashdot might be eager to publish bad news related to SP2, but calling PC-Welt a dubious source sounds ridiculous to me (can you tell me about a US computer mag, which actually features news?).
I don't think you ever heard of PC-Welt prior to this thread. You could as well state that nothing happened in Beslan, because you saw it on BBC (aka foreign media).
I don't want to say that PC-Welt is a great mag - I bought my last issue about 5 years ago and I have no regrets not reading it anymore. But if
Re:Slashdot and SP2 (Score:5, Interesting)
Re:Slashdot and SP2 (Score:3, Insightful)
What bugs me is that this is not on by default.
I mean, how hard can it be to set file and printer sharing by default to the local subnet only? Those parameters are already known, and in 90% of the cases this would suffice for normal usage.
The very fact that MS overlooks such simple security measures and pushes things like the new security control panel (forgot what it's called) as a 'solution' proves to me that MS is more concerned about the appearance of security than actual security itself.
Microsoft shows
Re:Slashdot and SP2 (Score:4, Insightful)
I, for one, welcome Slashdot's reporting of any security holes whether in Linux or MSWindows products. I can then research more and know what to be aware of before they get exploited.
Or are you some kind of h4x0r who wants people to remain ignorant of shared filesystems?
Re:Slashdot and SP2 (Score:2, Insightful)
This might be just the entry point virus writers have been looking for.
Having unrestricted access to that guy's C drive enables software to be deposited and potentially run.
This software can add itself to the list of approved applications for firewall access and carry on spamming anyway.
This is important.
Here you go (Score:2)
In a small town in France, Jean-Louis had a baguette for lunch along with some delicious red wine from the local winery.
On Slashdot, an Anonymous Coward dared not post under a real name because he was too ashamed of his own rant.
Re:Slashdot and SP2 (Score:5, Interesting)
Microsoft and Security (Score:3, Interesting)
The solution is to continue to provide better information than Microsoft does, not to do the same damn thing about some stupid Microsoft service pack (which, FWIW, I'd say is the most security-oriented and Slashdotter-happiness-inducing patch Microsoft has come out with in years, beating many Linux distributions to noexec st
Excellent (Score:2)
Samba (Score:2, Interesting)
Not to be a dick, but Microsoft, wtf?
Firewalls don't belong on the desktop anyway. (Score:5, Insightful)
If you configure File/Print sharing in the "wrong" way as the article talks about, it'll expose those services to the whole 'net even through the Windows Firewall. If there's firewall security installed anywhere else on the way to the Internet, such as at the edge router where firewalls really belong, Windows XP isn't so dumb as to pierce that level of security. Even a simple NAT is enough to be an effective blocker.
In other words... we're running into "That's not a bug, that's a feature!" territory. If you ask Windows to share your files and printers across an IP-based network, you should be sure that the network is separated by a real firewall from the rest of the Internet. Fail to do that, and you might as well expect this is going to happen.
Re:Firewalls don't belong on the desktop anyway. (Score:2)
Well it's not really Windows XP being not dumb enough to let outsiders in through the firewall, it's that it really can't let outsiders in, as it can't really control it (except for this uPNP thing for routers, can anyone explain what that is?).
Re:Firewalls don't belong on the desktop anyway. (Score:2, Funny)
I'm sure the world wouldn't want you to share your joystick either..
Re:Firewalls don't belong on the desktop anyway. (Score:2)
If I hadn't read this article, I probably would have never known that I could (or at least there was intended functionality to let me) share files and printers across a f
Re:Firewalls don't belong on the desktop anyway. (Score:4, Insightful)
You're absolutely right that firewalls don't belong on the desktop.
Re:Firewalls don't belong on the desktop anyway. (Score:3, Informative)
Re:Firewalls don't belong on the desktop anyway. (Score:3, Insightful)
Re:Firewalls don't belong on the desktop anyway. (Score:5, Insightful)
You really think firewalls belong at the perimeter?
Here's a clue: there IS NO PERIMETER any more. The internal network is often as hostile as the internet. Laptops, PDAs, unauthorized WAPs on the corporate network... the list goes on.
Anyone who believes they can secure a network by securing the perimeter is deluding themselves.
A firewall at the desktop makes a lot of sense.
"insecure"? WTF? (Score:3, Insightful)
But since a well known and famous page like pcwelt.de (or something like that) says it, we must put it in the slashdot's front page without even checking if it's true!!
Just like the "XP SP2 Can Slow Down Business Apps" (read http://it.slashdot.org/comments.pl?sid=122264&cid
It doesn't seem to matter that all this can be pure FUD. It's Windows!!!!1
I can't tell slashdot editors what they have to put in their own page, but I'm not visiting slashdot anymore if this FUD continues. Sure windows sucks - what about putting news about how much it sucks instead of all this senseless FUD?
Re:"insecure"? WTF? (Score:5, Interesting)
It generates comments, and comments generate ad hits, and ad hits generate revenue. Somebody chimes in and says "That proves it, Microsoft utterly and completely dropped the ball, may they go down in flames!" Slashdot gets money. That's a gross oversimplification of how Slashdot generates revenue, but I have to admit, I'm seriously impressed on how they capitalized on anti-MS FUD.
My point? Well, your beef really isn't with Slashdot. It's with the people commenting in stories like this. Lots of people are competing to get that +5 comment, and a lot of people with mod points out there (not all of them, maybe not even most) mod up the "this is proof that MS is OCP evil!" comments.
I agree with you that the idea of not visiting is interesting. I'm rather sick of odd conclusions being drawn then lauded.
Re:"insecure"? WTF? (Score:3, Funny)
Personally I don't really care much, I browse through a bunch of articles, MOD down zealots, and MOD up the truly good comments.
Hey it's better than working.
Re:"insecure"? WTF? (Score:5, Insightful)
You guys bashing slashdot for this, let me ask you, should slashdot not post links to stories until 8 different sources confirm it? That ought to make for a really boring site.
The thing I don't get, is why people get pissed about this? This site is largely a community discussion site driven by user submitted stories. Slashdot isn't out there engaging in investigative journalism or writing the stories themselves.
And when you say something like this:
As far as I can tell, I've installed SP2 and nothing like that happened so it's false to my eyes
I had unprotected sex and I never got a venereal disease, therefore, all those stories about VD are wrong. I mean that's basically the same as your argument. Did you read the article? Did you even read the blurb for the article on slashdot? Let me help you:
with a certain configuration, your file and printer sharing data are visible worldwide, despite an activated Firewall.
What does that say? It says WITH A CERTAIN CONFIGURATION. Obviously, you don't have that certain configuration.
Re:"insecure"? WTF? (Score:3, Interesting)
This is an embarrassment. (Score:2, Insightful)
This is a serious bug, and proof of what poor work Microsoft has done with the Service Pack.
I just remember how Microsoft executives stated (can't find the link, but read it here on slashdot) a bug was never discovered that they didn't know about beforehand, and wanna laugh.
Let's hope this gets some media attention and people start migrating to other OS's. I'm sure the boys at Redmond wou
hmm... (Score:5, Insightful)
With a certain configuration, ssh is accessible from outside, even with a firewall. If the configuration includes passwordless root, well then, a slashdot summary "ssh allows remote root access despite firewall" would be a tad overzealous, right? Unless the certain configuration is ever the default, this is just users not understanding what they are doing and missetting things. Not a MS problem, it's giving users a choice. It's just a very bad choice to make, but no different than, say, root telnet over wireless internet or something.
Re:hmm... (Score:3, Informative)
>from outside, even with a firewall.
indeed, but only if the firewall is not configured to block ssh.
This is quite different: it's like an ssh server *not accessible from outside*, that magically becomes accessible from outside after a kernel update. It's not overzealous, it's a configuration problem that is encountered when you upgrade to SP2.
Yes, it's not an exploit. It's just configuration, but still an SP2 problem.
Smell that FUD (Score:2, Funny)
NAT for the masses (Score:5, Informative)
Not just for flaws like this, but for windows problems in general and basically so you don't have to worry about the win32 machines BEHIND the nat before you worry about the nat box itself.
Hint: ICS doesn't count as NAT IMHO.
Chris
Re:NAT for the masses (Score:4, Informative)
The school hands out external IP's to everyone! It's ridiculous. All these folks who drag their Windows laptops from home where they had a wireless router/NAT are now exposed on the open Internet.
The school tells them to patch, but it's too late -- the half-life of an unpatched Windows box on the open 'net is about six minutes.
Now, I brought two computers, Linux and Mac OS X, and I _STILL_ NAT them for security! (There are enough ports in my dorm room so that I wouldn't need to, but I do.)
I'm pretty much the only one who wants or needs an external IP. I serve web, ssh, and files. So I'm really happy. But all the Windows boxes on the network are crying.
Hardware routers (Score:5, Insightful)
Re:Hardware routers (Score:4, Insightful)
The problem should be fixed at Microsoft's end without having to rely on any 3rd party solutions at all. But then so many people seem to just bend over and take it where it hurts wherever Microsoft is concerned.
For example it seems to be standard practice to put a Linux router/firewall in front of a Microsoft Exchange server. When, and more importantly how, did solutions like this become acceptable?
Bob
Re:Hardware routers (Score:5, Insightful)
I think the point is to protect your data and your pc. If you choose to use Windows you should expect to make the necessary precautions or get nailed.
It might make sense for bicycle manufacturers to include helmets and pads to protect you from injuries caused by using their product. Since this isn't the case one must purchase third party protections. It may not be fair, just the way things are.
Re:Hardware routers (Score:4, Interesting)
Huh? (Score:2)
Article is confusing (due to translation?) (Score:5, Informative)
Re:Article is confusing (due to translation?) (Score:3, Informative)
According to the article...
Each network connection has its own configuration settings. Regardless of the settings in this dialogue window, if a file/print sharing is enabled (this is an internal windows service, which can potentially use any network connection), then it is enabled by default on all active network connections. There are some conditions to this actually.
The article does say this applies to all network connections (dialup, DSL, etc.
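The scope question raised in the comments above (limiting sharing to the local subnet, and sharing being bound to every active connection) can be modelled as follows. This is an added example, not part of any commenter's post and not Windows code: it shows that a "local subnet" scope is derived from each connection's own address and mask, so the same exception is narrow on a private LAN and much wider on a connection holding a public address. Connection names, addresses and masks are constructed (documentation ranges), and the scope labels are this sketch's own.

```python
import ipaddress
from dataclasses import dataclass

# Ports opened by the Windows Firewall "File and Printer Sharing" exception.
FILE_PRINT_PORTS = {("udp", 137), ("udp", 138), ("tcp", 139), ("tcp", 445)}
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass(frozen=True)
class Connection:
    name: str
    cidr: str            # address/prefix the connection was assigned


@dataclass(frozen=True)
class FwException:
    proto: str
    port: int
    scope: str           # "any", "subnet" or "custom" (labels used by this sketch)
    custom: tuple = ()   # CIDR strings, only used with scope "custom"


def allowed_networks(exc, conn):
    """Networks whose hosts may reach exc when traffic arrives on conn."""
    if exc.scope == "any":
        return [ipaddress.ip_network("0.0.0.0/0")]
    if exc.scope == "subnet":
        # "Local subnet" is evaluated per connection, from its own address/mask.
        return [ipaddress.ip_interface(conn.cidr).network]
    if exc.scope == "custom":
        return [ipaddress.ip_network(c) for c in exc.custom]
    raise ValueError(f"unknown scope: {exc.scope!r}")


def is_allowed(exc, conn, source):
    """True if a packet from source, arriving on conn, passes the exception."""
    src = ipaddress.ip_address(source)
    return any(src in net for net in allowed_networks(exc, conn))


def audit(connections, exceptions):
    """Return (connection, proto, port, network) for every sharing port that is
    reachable from address space outside the RFC 1918 private ranges."""
    findings = []
    for conn in connections:
        for exc in exceptions:
            if (exc.proto, exc.port) not in FILE_PRINT_PORTS:
                continue
            for net in allowed_networks(exc, conn):
                if not any(net.subnet_of(p) for p in RFC1918):
                    findings.append((conn.name, exc.proto, exc.port, str(net)))
    return findings


# Constructed sample data: a home LAN and a dial-up link with a public address.
LAN = Connection("lan", "192.168.1.10/24")
DIALUP = Connection("dialup", "203.0.113.57/24")
SUBNET_SCOPED = [FwException(p, n, "subnet") for p, n in sorted(FILE_PRINT_PORTS)]
ANY_SCOPED = [FwException("tcp", 445, "any")]

if __name__ == "__main__":
    for finding in audit([LAN, DIALUP], SUBNET_SCOPED):
        print(finding)
```
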
Like the man said... (Score:5, Funny)
This is just pure BS (Score:3, Informative)
Service Pack 2 has a couple of irritations, and does seem to make things a tad slower on a couple of configurations, but this is just pure BS - I have not seen a single instance where it has enabled File & Print Sharing as default on a Dial-up connection - or even where it has had those ports unblocked in the (rudimentary) firewall as default.
Every one of our machines is different, I have NEVER encountered this problem on any of them.
If you're stupid enough to tick a box in the Network Connections settings and you have no idea what it does, then you deserve to be 0wned!
Can we find the Spammer's shared printers... (Score:2, Funny)
Link for Eye-friendly version of the comments page (Score:2, Insightful)
Pure FUD. It's not even good FUD. (Score:5, Informative)
People are stupid. (Score:4, Interesting)
The reason that this was done likely is because SP2 enables the firewall by default. so you don't want people calling asking why their file shares and printer shares don't work.
In addition to that, if it is a local network like that, they have a router in the first place, they are safe.
In addition to that... remember in windows XP unless you CREATE a share it is not going to be there (even though the file and printer sharing may be turned on).
In addition to THAT... winXP by default has guest turned off, so you would have to be an authenticated user to get access.
Someone is trying to be sensationalist and not thinking about things.
Re:People are stupid. (Score:2, Offtopic)
Heh. The Register ran a story about how Internet Explorer was being used at an airport and it crashed bringing the whole place down. Their evidence of this was a picture somebody took of a display showing IE saying "page not found". I submitted the story under the headline "New Exploit Prevents IE from Finding Web Pages when Internet Connection is Broken". I don't think the Slashdot editors were amused.
Yep. I already exploited this one. (Score:5, Funny)
Windows (Score:4, Interesting)
Think about it, for a moment. The firewall is blocking internally-generated connections. Which is fair enough. (Though silently dropping would likely have been safer.) However, to lock the machine up, the TCP stack has got to be taking the error as cause to retransmit the packet.
Why am I so certain that this is what's happening? Because Windows has had some degree of preemption for a while. It's not great, but it works. Sort-of. Lock-ups should be next to impossible on a totally pre-emptive OS, as the locked-up program would simply be interrupted. It'd slow the machine down, slightly, but it wouldn't be fatal.
What we're getting here, though, looks like something fouling up big-time in a non-blockable part of Windows. Odds are pretty good that it's the network code. My suspicion is that the TCP stack and firewall are in an unbreakable infinite loop, with the error generated by the firewall causing the TCP code to resend the packet, ad infinitum.
A lot of people have argued that Microsoft isn't to blame for other people's crappy code. Which is fair enough. But they are very much to blame for their own crappy code. If you're going to have non-blockable code (a VERY bad idea!) then you've got to be damn sure that there are no scenarios in which that code will put itself into a spin-dry cycle.
It seems as though Microsoft merely added firewall code, with absolutely no thought as to the possible impact it could have on the rest of Windows.
Further, if my suspicion is correct (and I'm pretty confident it is), then it should be possible to crash any Windows box remotely. Simply generate a packet that Windows cannot reply to. By forcing the TCP stack and the firewall to fight it out, you'd paralyze the machine.
The correct way to handle this kind of situation is to recognise when a connection is administratively prohibited or impossible, and to not keep retrying. You'd then escape out of the non-blockable code, and pre-emption would allow you to continue as normal.
If you want slightly "smarter" behaviour, then if a process repeatedly keeps retrying a connection or activity that is prohibited, every time it gets woken back up, it should drop in priority, be slept a reasonably long time (in the hope the problem can be cleared by then) or get kicked off the system. ("Three strikes and you're out." logic.)
It should absolutely not be possible for any user process, no matter how badly written, to create a situation in which an uninterruptable infinite loop can develop. Either there needs to be some mechanism to interrupt any loop that might be infinite, OR there needs to be a mechanism for recognising when a loop is running unacceptably long.
It's no use Microsoft whining that customers should clean their computers first. That would be like McAfee arguing that you should clean your computer of viruses before running their software. And how are you supposed to do that, if you've no software installed for detecting and/or cleaning the damn things in the first place?
The only way you can know (for certain) that there's nothing trying to access an unauthorised port is by blocking the ports and seeing what happens when you try to use the computer as normal. And the only way you can then do anything about it is if the computer can cope with that situation in a controlled manner.
bw
Re:Windows (Score:3, Informative)
Moderators - read this carefully. It doesn't make any sense.
Guilty of P2P (Score:5, Interesting)
I just can't wait to see the **AA go up against M$ over this.
Does this mean that they won't use Microsoft DRM anymore?
You could do this on purpose with IPTABLES (Score:4, Funny)
But why?
Holy mother of *#@$!@& (Score:2, Insightful)
Or more probably they consciously decided that FUD was of utmost importance.
MS is just digging their own grave with their ulterior [slashdot.org] motives [slashdot.org].
I do a fair share of programming so I can understand some glitches here [microsoft.com] and there [theregister.co.uk] but this one is an enormously major fuckup.
Don't they friggin test their software? What the hell?
This could easily have been prevented if they had just 1 halfway knowledgeable employee trying to break the
Kind of problem code review should catch (Score:3, Insightful)
Microsoft tells us they do these kinds of things better, but the reality of the situation is that fixing security issues require a group of people who know what they're doing, and honestly, I don't think Microsoft has a whole lot of those people.
The Microsoft Way... (Score:3, Funny)
By leveraging innovative technologies, content providers streamline compelling enterprise solutions.
Microsoft's firewall? Why? (Score:3, Insightful)
It might be alright for compartmentalization--keeping boxes on a LAN safe from each other. But I sure wouldn't want to put a machine on the internet with just the WinXP firewall between it and the Big Network.
Sygate is easy to use, informative, and more secure than the built-in firewall. Hardware firewalls/routers/NAT-gizmos are cheap and for the most part will keep Joe Sixpack safe* while letting him do what he wants to do with no fuss.
Ideally each machine on a lan has its own software firewall, and then the lan has its own gateway/firewall--either a NAT-in-a-box or a Linux machine. Even in that situation I wouldn't trust Microsoft for the software firewall, mainly because it'll probably get in the way and I can't fine-tune it.
But anyone who puts a WinXP machine on the net with nothing but the built-in firewall is asking for trouble.
*wlan security aside, but that's a whole separate issue--and another argument for software firewalls on every machine.
Re:News worthy? (Score:4, Insightful)
And THIS is their response to that. This isn't funny, this isn't a "ha, told you so" kind of thing. This is something that pisses people off. People get fired for this kind of fuck up.
Re:New WindowsXP Exploit (read this for more..) (Score:3, Interesting)
Link [iis-resources.com]
Re:Before you Microsoft Bashers come out to play! (Score:2, Insightful)
Which operating system permitted a virus to destroy the data and BIOSes of over one million computers? [symantec.com]