I think I've finally figured out what all the hubbub is about... It is clear
to me that the PC-Welt article was the result of very hasty, incomplete
"research" if you can even call it that--
Here is the deal (as far as I can tell).
When you install SP-2, the firewall is turned on for all interfaces.
Depending on the system config, some default "exceptions" will be present:
If the system is a domain member, exceptions for F&P Sharing will be enabled
for the local subnet. This applies to all interfaces. If the system is
stand-alone/workstation, F&P Sharing exemptions are not turned on.
Here is where the fudging (and changing of default settings) comes in... If
Pre-SP2, you had a dial-up interface **that had file and print sharing BOUND
to the adapter** but, had the ICF turned on so that the bindings were
unreachable, and it was a domain member, and you then installed SP2, the
"global" exceptions would be applied and the firewall turned on for all
interfaces. In this case, when you then dialed into wherever you dialed
into, boxes on the local subnet of the dial-up network would not have the
F&P Sharing ports filtered by the firewall. But this is ONLY because you had
F&P Sharing bound to the dial-up interface! By default (pre SP1 even)
dial-up interfaces DO NOT have F&PS bound to the interface. Neither do
Broadband/LAN interfaces, or anywhere you say you connect up to an ISP.
RRAS/VPN settings do, as one is establishing VPN connections.
So, if you go out of your way to bind F&PS to the dial-up interface, but put
ICF on it, then install SP2, then yes, people on the local subnet only will
not have NB filtered by the firewall. But even so, null connections don't
work, and if an account does not have a password, it can't be used for
network connections. No world readable, no "blank password access," no
issue unless you specifically CREATE the issue on purpose.
Corrections/Additions welcomed...
T
----- Original Message -----
From: "Jens Mickerts" <jens (at) mickerts-partner (dot) de [email concealed]>
To: <focus-ms (at) securityfocus (dot) com [email concealed]>
Sent: Saturday, September 25, 2004 12:39 AM
Subject: RE: Fw: Serious Security Issue in Windows XP SP2's Firewall
Hi Frank,
I was able to reproduce the bug and things are a bit different, so I
must disagree.
>I think the contention is that when file/printer sharing is enabled, and
>the firewall is activated, SMB ports are open on the dial-up interface
>without having been explicitly opened via the firewall policy (unlike
>the network interface). So in a sense, yes, there is a bug. The implicit
>allow is probably not a good thing, but the main issue seems to be that
>while SMB ports are closed on existing interfaces (like network cards),
>the policy setting is not applied to inactive, dynamic interfaces -- the
>RAS interface in essence. Once you dial-up, and thus activate the
>interface, the ports are open even though that is not specified in the
>firewall policy.
Correct, but the real bad news is that this happens on machines that had
an enabled Internet Connection Firewall before applying SP-2! This
indeed opens "new" holes (at least on RAS-Interfaces).
Furthermore this is not limited to RAS-Interfaces. All Interface types I
tested (RAS via DSL and LAN) have been affected as long as "local
subnet" was allowed access to file an printer sharing.
I also do not like PC Welt, but this is not a small issue. The problem
possibly affects all Windows XP Systems with enabled ICF and disabled
ICS that are upgraded to SP-2. I guess that approx. 80% of these Systems
are using weak or no passwords on admin-accounts, so you can imagine
what might happen.
Regards,
Jens
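The two distinctions the thread keeps returning to (whether File and Printer Sharing is actually bound to an adapter, and whether the firewall's sharing exceptions are scoped to the local subnet on every interface) can be audited directly on a current Windows host. The PowerShell below is an added example and is not from the thread or from Microsoft. It assumes Windows 8 / Server 2012 or later with the NetAdapter and NetSecurity modules (the 2004-era netsh firewall context is not used), an elevated session, and the exposure heuristic at the end (a sharing rule active on the Public profile with a LocalSubnet or Any scope, on an adapter currently joined to a Public network) is my own reading of the scenario described above, not a Microsoft rule.

```powershell
# Added example, not part of the thread. Audits which adapters have File and
# Printer Sharing bound and how the inbound sharing firewall rules are scoped.
# Assumption: Windows 8 / Server 2012 or later, NetAdapter + NetSecurity
# modules present, run from an elevated PowerShell session.

function Get-SharingBindingReport {
    # "File and Printer Sharing for Microsoft Networks" is component ms_server,
    # the binding the thread describes being present on a dial-up adapter.
    Get-NetAdapterBinding -ComponentID ms_server -ErrorAction SilentlyContinue |
        Where-Object { $_.Enabled } |
        ForEach-Object {
            $profile = Get-NetConnectionProfile -InterfaceAlias $_.Name -ErrorAction SilentlyContinue
            [pscustomobject]@{
                Adapter         = $_.Name
                SharingBound    = $true
                NetworkCategory = if ($profile) { [string]$profile.NetworkCategory } else { 'NotConnected' }
            }
        }
}

function Get-SharingRuleReport {
    # Enabled inbound rules in the File and Printer Sharing group, each with
    # its remote-address scope (e.g. LocalSubnet) and interface-type filter.
    Get-NetFirewallRule -DisplayGroup 'File and Printer Sharing' -Direction Inbound -Enabled True -ErrorAction SilentlyContinue |
        ForEach-Object {
            $addr  = $_ | Get-NetFirewallAddressFilter
            $iface = $_ | Get-NetFirewallInterfaceTypeFilter
            $port  = $_ | Get-NetFirewallPortFilter
            [pscustomobject]@{
                Rule          = $_.DisplayName
                Profile       = [string]$_.Profile
                Protocol      = $port.Protocol
                LocalPort     = ($port.LocalPort -join ',')
                RemoteAddress = ($addr.RemoteAddress -join ',')
                InterfaceType = [string]$iface.InterfaceType
            }
        }
}

$bindings = @(Get-SharingBindingReport)
$rules    = @(Get-SharingRuleReport)

Write-Host 'Adapters with File and Printer Sharing bound:'
$bindings | Format-Table -AutoSize | Out-String | Write-Host

Write-Host 'Enabled inbound File and Printer Sharing rules:'
$rules | Format-Table -AutoSize | Out-String | Write-Host

# Heuristic (my assumption, not a Microsoft rule): a sharing rule that is active
# on the Public profile (or on every profile) and scoped to LocalSubnet or Any
# admits whatever subnet a bound adapter happens to join, which is the
# dial-up-subnet situation the thread describes.
$exposed = @($rules | Where-Object {
    ($_.Profile -match 'Public|Any') -and
    ($_.RemoteAddress -match 'LocalSubnet|^Any$') -and
    ($_.InterfaceType -in @('Any', 'RemoteAccess'))
})
$publicBound = @($bindings | Where-Object { $_.NetworkCategory -eq 'Public' })

if ($exposed.Count -gt 0 -and $publicBound.Count -gt 0) {
    Write-Warning ('{0} sharing rule(s) reach a Public-profile network on adapter(s): {1}' -f
        $exposed.Count, ($publicBound.Adapter -join ', '))
} elseif ($exposed.Count -gt 0) {
    Write-Host 'Sharing rules would apply on a Public network, but no bound adapter is currently on one.'
} else {
    Write-Host 'No File and Printer Sharing rule is active beyond the Domain/Private profiles.'
}
```

The first table answers the thread's "is F&PS bound to this adapter" question per adapter; the second shows, per rule, the scope the firewall actually enforces and on which profiles. The warning only fires when both conditions the thread treats as necessary coincide: sharing bound to an adapter that is on an untrusted (Public) network, and a rule scoped broadly enough to admit that network.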