RE: Using Messenger Service for 'Net Send' Functionality --- Dangerous?Why?
From: David LeBlanc (dleblanc_at_mindspring.com)
Date: 06/26/05
- Previous message: David LeBlanc: "RE: WSUS/Reboot"
- In reply to: Jim Harrison (ISA): "RE: Using Messenger Service for 'Net Send' Functionality --- Dangerous?Why?"
- Next in thread: Kern, Tom: "RE: Using Messenger Service for 'Net Send' Functionality --- Dangerous?Why?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
To: "'Jim Harrison (ISA)'" <jmharr@microsoft.com>, "'Kern, Tom'" <tkern@CHARMER.COM>, "'Thor (Hammer of God)'" <thor@hammerofgod.com>
Date: Sat, 25 Jun 2005 15:04:18 -0700
While I wouldn't suggest using SMB across the internet, there are ways to do
it and limit the mischief that can occur. Back when my system used to
connect directly to the internet, I'd do this just to taunt people. The
thing to remember is that the biggest problem with SMB is that there isn't a
good way to limit all the other management functions and just allow file
transfer.
You can mitigate this through the right to logon from the network. If you
establish a very low-privileged group, and only grant it the right to logon
from the network (certainly NOT the admins - an explicit deny on this group
is a good idea), then you'll find that the mischief that can happen is much
more limited.
I also have to say that even with NTLM auth's known flaws, it does a lot
better than more traditional things like FTP.
So if you choose to accept the risk of exposing 445 to the internet, spend
some time to tighten the system, and I'd also do some other network level
work, like sticking it in an isolated screened network.
> -----Original Message-----
> From: Jim Harrison (ISA) [mailto:jmharr@microsoft.com]
> Sent: Friday, June 24, 2005 1:28 PM
> To: Kern, Tom; Thor (Hammer of God)
> Cc: focus-ms@securityfocus.com
> Subject: RE: Using Messenger Service for 'Net Send'
> Functionality --- Dangerous?Why?
>
> Correct, but not all systems use SMB (W9x, for instance).
> It's almost always a layer-8 issue when someone wants / needs
> this sort of path opened.
>
> Jim Harrison
> Security Business Unit (ISA SE)
> "When you come to a fork in the road, take it."
> --Yogi Berra
>
>
> -----Original Message-----
> From: Kern, Tom [mailto:tkern@CHARMER.COM]
> Sent: Friday, June 24, 2005 1:20 PM
> To: Jim Harrison (ISA); Thor (Hammer of God)
> Cc: focus-ms@securityfocus.com
> Subject: RE: Using Messenger Service for 'Net Send'
> Functionality --- Dangerous?Why?
>
> why do you need netbios for file transfer?
> smb/cifs operates over tcp/ip on port 445(which i would NEVER
> open to the outside world), it doesn't need netbios. For name
> resolution use an ip or a fqdn.
>
> Jim Harrison (ISA) wrote:
> > I've spoken to quite a few folks that believe allowing NetBIOS across
> > your firewall is perfectly reasonable for file transfer functionality.
> > I clearly don't agree with this proposition, but because SSH/FTPS is
> > "unfamiliar", it's what they wanted.
> >
> > Jim Harrison
> > Security Business Unit (ISA SE)
> > "When you come to a fork in the road, take it."
> > --Yogi Berra
> >
> >
> > -----Original Message-----
> > From: Thor (Hammer of God) [mailto:thor@hammerofgod.com]
> > Sent: Friday, June 24, 2005 8:38 AM
> > To: Jesse Weigert; Nick Duda
> > Cc: focus-ms@securityfocus.com
> > Subject: Re: Using Messenger Service for 'Net Send' Functionality ---
> > Dangerous?Why?
> >
> > "Net send" first tries a netbios connection to deliver the message,
> > and will then attempt delivery via UDP 135 (the endpoint mapper.)
> >
> > There is no functional reason why a firewall should be allowing
> > netbios/f&p traffic or UDP135 into your network.
> >
> > T
> >
> > ------
> > *Secure your infrastructure*
> > Microsoft Ninjitsu: Securely Deploying MS Technologies security
> > training delivered by Timothy Mullen.
> > Registration now open for Blackhat Vegas 2005:
> > http://www.blackhat.com/html/bh-usa-05/train-bh-usa-05-tm.html
> >
> > ----- Original Message -----
> > From: "Jesse Weigert" <weigert@gravitec.com>
> > To: "Nick Duda" <nduda@VistaPrint.com>
> > Cc: <kurt.buff@gmail.com>; <michael.mailinglist@securityfocus.com>;
> > "at"
> >
> > <gmail.com@securityfocus.com>; <focus-ms@securityfocus.com>
> > Sent: Thursday, June 23, 2005 8:33 PM
> > Subject: Re: Using Messenger Service for 'Net Send' Functionality ---
> > Dangerous?Why?
> >
> >
> >> I would like to add that there is malware which does just this.
> >> Which is why sometimes even blocking the service at the firewall
> >> doesn't stop the messenger spam.
> >>
> >> Nick Duda wrote:
> >>> FYI, It's very easy to write a short VB app that:
> >>>
> >>> A. doesn't record net sends to event viewer
> >>> B. can spoof the sending name of the computer (NetBIOS)
> >>>
> >>> - Nick
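A check for the hardening LeBlanc describes (only a low-privileged group holds "log on from the network", Administrators explicitly denied), added here as an example and not code from the thread: it parses the [Privilege Rights] section of a `secedit /export /cfg` file. The low-privileged group's SID and both sample exports are constructed placeholders.

```python
# Added example, not from the thread: audit the "log on from the network"
# user right in a secedit export. Assumes the file came from
# `secedit /export /cfg policy.inf`, whose [Privilege Rights] section
# lists '*'-prefixed SIDs for each right.
ADMINISTRATORS = "S-1-5-32-544"   # well-known SID: local Administrators
USERS = "S-1-5-32-545"            # well-known SID: local Users
EVERYONE = "S-1-1-0"              # well-known SID: Everyone
LOWPRIV_GROUP = "S-1-5-21-1111-2222-3333-1105"  # placeholder group SID (constructed)

# Constructed sample exports: a default-style policy and a tightened one.
DEFAULT_INF = """[Privilege Rights]
SeNetworkLogonRight = *S-1-1-0,*S-1-5-32-544,*S-1-5-32-545
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-545
"""
HARDENED_INF = """[Privilege Rights]
SeNetworkLogonRight = *S-1-5-21-1111-2222-3333-1105
SeDenyNetworkLogonRight = *S-1-5-32-544
SeInteractiveLogonRight = *S-1-5-32-544
"""

def parse_rights(inf_text):
    """Return {right_name: set of SIDs} from the [Privilege Rights] section."""
    rights, in_section = {}, False
    for line in inf_text.splitlines():
        line = line.strip()
        if line.startswith("["):
            in_section = line.lower() == "[privilege rights]"
            continue
        if in_section and "=" in line:
            name, _, value = line.partition("=")
            rights[name.strip()] = {v.strip().lstrip("*")
                                    for v in value.split(",") if v.strip()}
    return rights

def audit_network_logon(inf_text, allowed_sid=LOWPRIV_GROUP):
    """List deviations from: only allowed_sid may log on from the network,
    and Administrators are explicitly denied that right."""
    rights = parse_rights(inf_text)
    allow = rights.get("SeNetworkLogonRight", set())
    deny = rights.get("SeDenyNetworkLogonRight", set())
    findings = []
    if allow & {EVERYONE, USERS}:
        findings.append("broad built-in group granted network logon")
    if ADMINISTRATORS in allow:
        findings.append("Administrators granted network logon")
    if ADMINISTRATORS not in deny:
        findings.append("no explicit deny of network logon for Administrators")
    if allowed_sid not in allow:
        findings.append("low-privilege group not granted network logon")
    return findings
```

A real export is written as UTF-16, so read it with `open(path, encoding="utf-16")` before passing the text in.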