Potential Security Hole in Mac OS X 10.2.x's Samba

Jordan Miller points out a potential security bug in Mac OS X 10.2.x's implementation of Samba. Samba is an Open Source /Free Software suite that provides file and print services to SMB/CIFS clients. The software is freely available under the GNU General Public License.

The process to exploit the bug is as follows:

1. Create or make sure you have at least two users that can "log in from Windows" (configured in the "Accounts" Preference Pane of System Preferences). One should be a general user ("jane" in this example), the other an administrator ("karen" in this example).
2. Turn on "Windows File Sharing" in the "Sharing" Preference Pane of System Preferences, if it is not already on.
3. Note the address to access jane's home folder, which is specifically mentioned in the Sharing Preference Pane. This will be in the format \hostnamejane where "hostname" is the currently assigned hostname or IP address.
4. On a Windows XP machine (with network access to the Mac, of course), open a new Explorer window.
5. In the address bar or location field (I'm not sure the correct term to use), type the address noted in step 3: \hostnamejane. A dialog box will open, asking for the username and password. Enter "jane", and her user password.
6. Verify that you can navigate through jane's home folder.
7. In the address bar, type the address noted in step 3, replacing the username with that of the administrator configured in step 1: \hostnamekaren.

The result is that a username and password dialog box is not displayed. Access to "karen's" (in Miller's example, an administrator) files are granted to the Windows XP machine. Jordan writes:

"The few Windows XP machines which I used to test this gave identical results."

Resources