Discussion:
MS-DFS referral.
Jeremy Allison
2003-12-02 10:29:55 UTC
Hmmm. Whilst fixing bug #667 I think I've noticed that a W2K SP4
redirector will sometimes do call_trans2getdfsreferral() IPC$
calls as the anonymous user for DFS paths returned from a logged-in
user. It doesn't seem to care that it shouldn't have the
privileges to look up this path (and indeed in Samba it doesn't).

I wonder if this is a security flaw in the W2K MSDFS server code
that it must allow the W2K redirector to do this.

I can emulate it of course by becoming root before doing the DFS
lookup, I'm just not sure I should.

Shirish, or anyone working on the DFS code, any ideas ?

Jeremy.
Christopher R. Hertel
2003-12-02 10:29:55 UTC
Post by Jeremy Allison
Hmmm. Whilst fixing bug #667 I think I've noticed that a W2K SP4
redirector will sometimes do call_trans2getdfsreferral() IPC$
calls as the anonymous user for DFS paths returned from a logged-in
user. It doesn't seem to care that it shouldn't have the
privileges to look up this path (and indeed in Samba it doesn't).
I wonder if this is a security flaw in the W2K MSDFS server code
that it must allow the W2K redirector to do this.
I can emulate it of course by becoming root before doing the DFS
lookup, I'm just not sure I should.
Shirish, or anyone working on the DFS code, any ideas ?
Jeremy.
I saw something like this today at work, looking at a capture for another
department.

I'll find out what types of systems they were and let you know if it's
really the same as what you're seeing or not.

Chris -)-----
--
"Implementing CIFS - the Common Internet FileSystem" ISBN: 013047116X
Samba Team -- http://www.samba.org/ -)----- Christopher R. Hertel
jCIFS Team -- http://jcifs.samba.org/ -)----- ubiqx development, uninq.
ubiqx Team -- http://www.ubiqx.org/ -)----- ***@ubiqx.mn.org
OnLineBook -- http://ubiqx.org/cifs/ -)----- ***@ubiqx.org
Shirish Kalele
2003-12-02 10:29:59 UTC
Sorry, Jeremy, given that there's no spec, the old what-ms-does-is-correct
rule will have to apply here. But you're right that this seems like a
security flaw, allowing a view into the dfs topology with no
authorization.

- Shirish
Post by Jeremy Allison
Hmmm. Whilst fixing bug #667 I think I've noticed that a W2K SP4
redirector will sometimes do call_trans2getdfsreferral() IPC$
calls as the anonymous user for DFS paths returned from a logged-in
user. It doesn't seem to care that it shouldn't have the
privileges to look up this path (and indeed in Samba it doesn't).
I wonder if this is a security flaw in the W2K MSDFS server code
that it must allow the W2K redirector to do this.
I can emulate it of course by becoming root before doing the DFS
lookup, I'm just not sure I should.
Shirish, or anyone working on the DFS code, any ideas ?
Jeremy.
Jeremy Allison
2003-12-02 10:29:59 UTC
Post by Shirish Kalele
Sorry, Jeremy, given that there's no spec, the old what-ms-does-is-correct
rule will have to apply here. But you're right that this seems like a
security flaw, allowing a view into the dfs topology with no
authorization.
Thanks. BTW: if you could take a look at the bugfix I'd appreciate it.
This is originally your code, I just changed it to use the standard
unix_convert directory lookups to cope with arbitrary case in dfs
paths.

Jeremy.
Shirish Kalele
2003-12-02 10:29:59 UTC
The patch looks good.

Speed is really the only reason the paths were being restricted to
lowercase; I didn't think people would be that concerned with case in their
dfs topology.

Anyway, the next step would be to use the results of RESOLVE_DFSPATH all
over to prevent unix_convert being called twice for local pathnames.

Thanks,
Shirish
Post by Jeremy Allison
Post by Shirish Kalele
Sorry, Jeremy, given that there's no spec, the old what-ms-does-is-correct
rule will have to apply here. But you're right that this seems like a
security flaw, allowing a view into the dfs topology with no
authorization.
Thanks. BTW: if you could take a look at the bugfix I'd appreciate it.
This is originally your code, I just changed it to use the standard
unix_convert directory lookups to cope with arbitrary case in dfs
paths.
Jeremy.
Jeremy Allison
2003-12-02 10:29:59 UTC
Post by Shirish Kalele
The patch looks good.
Speed is really the only reason the paths were being restricted to
lowercase; I didn't think people would be that concerned with case in their
dfs topology.
Anyway, the next step would be to use the results of RESOLVE_DFSPATH all
over to prevent unix_convert being called twice for local pathnames.
Yes I thought about that, but didn't want to restructure things
too much initially.

Thanks,

Jeremy.
Kevin Wheatley
2003-12-02 10:30:00 UTC
Post by Jeremy Allison
Post by Shirish Kalele
The patch looks good.
Speed is really the only reason the paths were being restricted to
lowercase; I didn't think ppl would be that concerned with case in their
dfs topology.
Anyway, the next step would be to use the results of RESOLVE_DFSPATH all
over to prevent unix_convert being called twice for local pathnames.
Yes I thought about that, but didn't want to restructure things
too much initially.
We have been running with a similar patch on our 2.x samba servers (we
lowercase if it's WIN95, otherwise leave case as is). Clients are
mostly Win2K/XP Pro. Haven't had many problems except when you have 2
objects with the same name but different cases, e.g. ABC and abc in
the same directory: only 1 of them is fully visible. You see 2 in
explorer but can't navigate into directories, etc.

We've done referrals at the top level and at leaf nodes too, i.e.
\\hosts\DFSreferral\images as well as \\vdisk\path\to\our\DFSreferral

Haven't updated to samba 3 yet though.

Kevin
--
| Kevin Wheatley | These are the opinions of |
| Senior Do-er of Technical Things | nobody and are not shared |
| Cinesite (Europe) Ltd | by my employers |
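The two technical points in this thread, the referral request arriving on an anonymous IPC$ session (Jeremy's observation) and case-insensitive matching of DFS link names with the ABC/abc collision Kevin describes, can be modelled in a few lines. The following is an added example written for this page; it is not Samba's `call_trans2getdfsreferral()`, not the Windows DFS server, and does not reproduce the wire format. The `Session`, `DfsRoot`, `DfsLink` and `get_dfs_referral` names, the `allow_anonymous_referrals` policy knob, the `client_os` tags and the link table (built around the `\\hosts\DFSreferral\images` path from Kevin's post) are all constructed for illustration.

```python
"""Toy model of a DFS referral lookup (added example; not Samba or Windows code).

Two decisions a referral server has to make are modelled with constructed data:
  * whether to answer a TRANS2_GET_DFS_REFERRAL that arrives on an anonymous
    session (the permissive choice matches what the thread reports W2K doing;
    the strict choice refuses and so hides the topology from unauthenticated
    callers);
  * how to match the link component of the path against stored link names
    when the client's case differs, and what to do when two stored names
    differ only in case.
Every name and table below is hypothetical.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Session:
    user: Optional[str]            # None models the anonymous (null) session
    client_os: str = "Windows 2000"


@dataclass(frozen=True)
class DfsLink:
    name: str                      # link name as stored, case preserved
    targets: tuple                 # UNC targets, e.g. ("\\\\vdisk\\images",)


class AmbiguousPath(Exception):
    """A component matches several stored names that differ only in case."""


class DfsRoot:
    def __init__(self, server, share, links, allow_anonymous_referrals):
        self.server = server
        self.share = share
        self.links = tuple(links)
        # Policy knob (hypothetical): True answers anonymous requests,
        # False refuses them with ACCESS_DENIED.
        self.allow_anonymous_referrals = allow_anonymous_referrals

    def resolve_link(self, component, client_os):
        # Kevin's rule: lowercase only for Win95 clients, otherwise match as sent.
        wanted = component.lower() if client_os == "Windows 95" else component
        # An exact, case-sensitive match is unambiguous and wins outright.
        for link in self.links:
            if link.name == wanted:
                return link
        # Otherwise fold case; if several stored names collide, refuse rather
        # than silently pick one (the "only 1 of them is visible" failure).
        folded = [l for l in self.links if l.name.lower() == wanted.lower()]
        if len(folded) > 1:
            raise AmbiguousPath(component, sorted(l.name for l in folded))
        return folded[0] if folded else None


def split_unc(path):
    """'\\\\srv\\share\\a\\b' -> ('srv', 'share', ['a', 'b'])."""
    if not path.startswith("\\\\"):
        raise ValueError("not a UNC path: %r" % path)
    parts = path[2:].split("\\")
    if len(parts) < 2 or not parts[0] or not parts[1]:
        raise ValueError("UNC path needs server and share: %r" % path)
    return parts[0], parts[1], [p for p in parts[2:] if p]


def get_dfs_referral(root, session, request_path):
    """Return a dict whose 'status' is OK, ACCESS_DENIED, NOT_FOUND or AMBIGUOUS.
    On OK, 'consumed' is the prefix of the request the referral covers and
    'targets' are the UNC paths the client should retry against."""
    if session.user is None and not root.allow_anonymous_referrals:
        return {"status": "ACCESS_DENIED"}
    server, share, rest = split_unc(request_path)
    if server.lower() != root.server.lower() or share.lower() != root.share.lower():
        return {"status": "NOT_FOUND"}
    root_unc = "\\\\%s\\%s" % (root.server, root.share)
    if not rest:
        # Root referral for a standalone root: the target is the root share itself.
        return {"status": "OK", "consumed": root_unc, "targets": (root_unc,)}
    try:
        link = root.resolve_link(rest[0], session.client_os)
    except AmbiguousPath as e:
        return {"status": "AMBIGUOUS", "candidates": e.args[1]}
    if link is None:
        return {"status": "NOT_FOUND"}
    return {"status": "OK", "consumed": root_unc + "\\" + link.name,
            "targets": link.targets}


# Constructed topology: one ordinary link plus two names differing only in case.
LINKS = [
    DfsLink("images", ("\\\\vdisk\\images",)),
    DfsLink("ABC", ("\\\\fs1\\abc_upper",)),
    DfsLink("abc", ("\\\\fs2\\abc_lower",)),
]
PERMISSIVE_ROOT = DfsRoot("hosts", "DFSreferral", LINKS, allow_anonymous_referrals=True)
STRICT_ROOT = DfsRoot("hosts", "DFSreferral", LINKS, allow_anonymous_referrals=False)


def demo():
    anon, user, win95 = Session(None), Session("bob"), Session("bob", "Windows 95")
    req = "\\\\hosts\\DFSreferral\\IMAGES\\2003\\shot1"
    return {
        "anon_permissive": get_dfs_referral(PERMISSIVE_ROOT, anon, req),
        "anon_strict": get_dfs_referral(STRICT_ROOT, anon, req),
        "user_strict": get_dfs_referral(STRICT_ROOT, user, req),
        "ambiguous": get_dfs_referral(STRICT_ROOT, user, "\\\\hosts\\DFSreferral\\Abc"),
        "exact_upper": get_dfs_referral(STRICT_ROOT, user, "\\\\hosts\\DFSreferral\\ABC"),
        "win95_upper": get_dfs_referral(STRICT_ROOT, win95, "\\\\hosts\\DFSreferral\\ABC"),
        "missing": get_dfs_referral(STRICT_ROOT, user, "\\\\hosts\\DFSreferral\\nosuch"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The `win95_upper` case shows the side effect of Kevin's lowercasing rule: a Win95 client asking for `ABC` is routed to the `abc` link, while a Win2K client asking for the same name gets the exact match. The `anon_permissive` versus `anon_strict` pair is the policy question Jeremy and Shirish discuss; the strict mode hides the topology but, per the thread, would break a W2K redirector that issues the lookup anonymously.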