smb browsing broken by firewall

shane at geeklords.org
Tue Jan 20 06:15:30 UTC 2004


On Mon, 19 Jan 2004, Charles R. Anderson wrote:

> I believe SMB always uses the subnet broadcast address, but it doesn't
> matter either way.  Broadcasts are not usually forwarded across
> routers, and directed broadcasts to remote subnets are usually blocked
> outright, due to the DoS implications.  Therefore, even a
> 255.255.255.255 query would only necessarily need to see response
> packets from the local subnet.  Therefore it should be sufficient to
> allow incoming packets from sources that match:
> 
> (network_address_of_outgoing_broadcast_interface/netmask).
> 
> along with the other criteria of protocol and src/dst port numbers.

This is a lot of effort for little/no gain.  A simple iptables 
rule allowing netbios only from the local broadcast network is 
just as secure and a lot less complicated/involved.  Granted, what you 
are requesting would theoretically decrease how often port 137 is available 
for inbound connections (assuming the timeout value is less than the 
netbios broadcast frequency and that we are dealing with a private LAN). 
However, in practice I see this scheme leaving you more exposed, not less, 
as shown by the example below:

Simple Example:

I am a hacker and I have cable Internet.  I notice that my localnet is 
24.16.80.0 with a subnet mask of 255.255.240.0 (sadly this is my real 
cable subnet).  I configure and run tcpdump to export the IP 
addresses of all netbios broadcasts to a file called victim.txt.  I write 
a simple script to parse this file every second and kick off my 
exploit program whenever a new victim is found.

In the above example you just got rooted.  At least with the current 
netfilter code the end user/sysadmin is required to think about what it is 
they really want to happen. They can then build firewall rules that 
reflect their intent.  The solution you propose will only make the 
above example less visible to the would-be victims, allowing them to 
assume that enabling this nifty netbios hack (or, worse yet, it coming 
enabled by default) is protecting them, when really all it did was expose 
them needlessly.


Cheers,
Shane

-- 
"Given enough time, all legal battles in the tech industry will invoke the 
DMCA. This generally means that all constructive arguments have ended." 
					-NialScorva (slashdot poster)		
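The "simple iptables rule allowing netbios only from the local broadcast network" that Shane prefers, written out as an added example; this is not code from the original thread or from the netfilter project. It derives the local network from the interface address and netmask (the 24.16.80.0/255.255.240.0 values quoted in the post are reused as sample input; the address 24.16.80.5 and the interface name eth0 are assumptions), and it only prints the iptables commands rather than applying them, so it runs without root. The caveat in the post still applies: on a /20 cable segment "local subnet" means several thousand neighbours, so a rule like this limits exposure, it does not remove it.

```shell
#!/bin/sh
# Added example, not from the original post: build iptables rules that accept
# NetBIOS traffic only from the local subnet and drop (and log) it otherwise.
# Rules are printed, not executed; pipe the output to sh as root to apply.

# Convert a dotted-quad netmask to a prefix length, e.g. 255.255.240.0 -> 20.
# Counts set bits, which is correct for any contiguous netmask.
mask2prefix() {
    oldifs=$IFS; IFS=.
    set -- $1
    IFS=$oldifs
    n=0
    for octet in "$@"; do
        while [ "$octet" -gt 0 ]; do
            n=$((n + (octet & 1)))
            octet=$((octet >> 1))
        done
    done
    echo "$n"
}

# Network address of an IP under a mask, e.g. 24.16.80.5 255.255.240.0 -> 24.16.80.0.
network_of() {
    oldifs=$IFS; IFS=.
    set -- $1 $2          # $1..$4 = address octets, $5..$8 = mask octets
    IFS=$oldifs
    echo "$(($1 & $5)).$(($2 & $6)).$(($3 & $7)).$(($4 & $8))"
}

# Emit rules for interface $1 with address $2 and netmask $3:
#   - accept NetBIOS name/datagram service (UDP 137-138) and session
#     service (TCP 139) only from the local subnet on that interface,
#   - log (rate limited) and drop the same ports from anywhere else.
netbios_rules() {
    iface=$1; addr=$2; mask=$3
    net="$(network_of "$addr" "$mask")/$(mask2prefix "$mask")"
    cat <<EOF
iptables -A INPUT -i $iface -s $net -p udp --dport 137:138 -j ACCEPT
iptables -A INPUT -i $iface -s $net -p tcp --dport 139 -j ACCEPT
iptables -A INPUT -p udp --dport 137:138 -m limit --limit 5/min -j LOG --log-prefix "netbios-outside: "
iptables -A INPUT -p tcp --dport 139 -m limit --limit 5/min -j LOG --log-prefix "netbios-outside: "
iptables -A INPUT -p udp --dport 137:138 -j DROP
iptables -A INPUT -p tcp --dport 139 -j DROP
EOF
}

# Sample run with the subnet quoted in the thread (address and eth0 assumed).
netbios_rules eth0 24.16.80.5 255.255.240.0
```

The LOG rules are there so that the NetBIOS traffic from outside the subnet, which this setup silently refuses, still shows up in the kernel log; that is the visibility Shane argues the per-query timeout scheme would take away. Hosts that also speak SMB directly over TCP 445 would need the same pair of rules for that port.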