  1.    4 Weeks Ago #1
    Join Date : Jul 2015
    Pacific Northwest, USA
    Posts : 380
    Win10 x64 Pro -2 desktops, 1 laptop

    SMB exploitable by malware?


    I have some backup software that takes backups to a non-mapped NAS share. While a backup is running the cmdlet Get-SmbConnection shows
    Code:
    ServerName ShareName UserName             Credential           Dialect NumOpens
    ---------- --------- --------             ----------           ------- --------
    MYBOOKLIVE Public    PUGET-116877\Patrick PUGET-116877\Patrick 2.0.2   1
    WDMyCloud  IPC$      NT AUTHORITY\SYSTEM  NT AUTHORITY\private 3.1.1   1
    WDMyCloud  private   NT AUTHORITY\SYSTEM  NT AUTHORITY\private 3.1.1   1
    Does that mean that any malware that manages to run under NT AUTHORITY\SYSTEM has access to the data on the WDMyCloud\private share without having to know the share's credentials? The connection ends when the backup is done but the backup can take hours so any exposure that exists is there for quite a while.
  2.    4 Weeks Ago #2

    SMB1 was exploitable, yes, but all versions of Windows were quickly patched or were patched prior to the news breaking. I have set my Cloud Mirror to use SMB 3, so change it in settings.
  3.    4 Weeks Ago #3
    Join Date : Jul 2015
    Pacific Northwest, USA
    Posts : 380
    Win10 x64 Pro -2 desktops, 1 laptop
    Thread Starter

    Maybe you answered this and I just didn't understand (because I don't know much about SMB), but my specific question was whether any process running under NT AUTHORITY\SYSTEM had open access to the share while that backup was running. I thought that once a user/server pair was authenticated, any number of SMB connections could be opened without re-authentication between that userid and that server. I would love to hear I am wrong. (I apologize if you already told me I'm wrong but I didn't understand.)
  4.    4 Weeks Ago #4
    Join Date : May 2015
    Central IL
    Posts : 4,207
    Mac OS Sierra

    Everything that is created by humans can be exploited. Just make sure that your system is updated, be aware of what websites you go to, do not open emails from unknown senders, especially attachments and keep a good system protection. NT Authority/System has to do with Kerberos. Nothing has open access to anything if the system is not allowed to just run on its own and do things that it is not supposed to.

    For every time some exploit gets published about in media and spread through rumors, so many of us would be rich beyond our dreams.
  5.    4 Weeks Ago #5
    Join Date : Jul 2015
    Pacific Northwest, USA
    Posts : 380
    Win10 x64 Pro -2 desktops, 1 laptop
    Thread Starter

    Quote Originally Posted by bro67 View Post
    Everything that is created by humans can be exploited. Just make sure that your system is updated, be aware of what websites you go to, do not open emails from unknown senders, especially attachments and keep a good system protection. NT Authority/System has to do with Kerberos. Nothing has open access to anything if the system is not allowed to just run on its own and do things that it is not supposed to. For every time some exploit gets published about in media and spread through rumors, so many of us would be rich beyond our dreams.
    I don't disagree with anything you said, but that doesn't answer my question. I think I'm fairly careful but I know I slip up sometimes. I'm trying to determine if I've found a vulnerability that I (and others) need to avoid. Assume I have backup software that runs under NT AUTHORITY\SYSTEM - SID (S-1-5-18) - and writes to a private share on a NAS. (It's a safe assumption. I do.) Assume that the share is not mapped to any drive letter in Windows and that nothing but the backup software has the appropriate credentials to access this share. And assume the backup takes hours to complete. So Windows creates an SMB connection between user S-1-5-18 and the NAS SMB server. If I understand SMB correctly (and I really hope I don't!), any task running under S-1-5-18 can open a new connection to that share without giving the credentials as long as that original connection is open. Is that correct? If so, malware could delete, rename, encrypt, or otherwise mess with files on that share as long as the backup is running, if the malware is running under S-1-5-18. And there are a number of web pages explaining how to schedule tasks under NT AUTHORITY\SYSTEM. My hope is that someone will tell me I'm wrong.
  6.    4 Weeks Ago #6
    Join Date : May 2015
    Central IL
    Posts : 4,207
    Mac OS Sierra

    So do you have a problem with your machine, or are you just asking about a process? If you want to know more, I would suggest going to Microsoft's Technet website for that information. Nothing should be asking NT Authority System for anything through a website, unless you have saved a login for Kerberos.
  7.    4 Weeks Ago #7
    Join Date : Jul 2015
    Pacific Northwest, USA
    Posts : 380
    Win10 x64 Pro -2 desktops, 1 laptop
    Thread Starter

    No, I have no problem (that I know of). I just happen to have a (valid) service running under that id that opens a long-lived SMB connection with a NAS server. I would like to keep that share isolated from other Windows tasks, but I believe any task running under that id has access to the share without having to provide access credentials. I see that as something malware could exploit.

    I found the following description of NT Authority\SYSTEM (at least for Win7):
    NT Authority\SYSTEM a.k.a LocalSystem account is a built-in Windows Account. It is the most powerful account on a Windows local instance (More powerful than any admin account).

    Most of the System level (Windows Services) services and some other 3rd party services run in the account.

    Sounds to me like it's a lot more than just related to Kerberos.
  8.    4 Weeks Ago #8
    Join Date : May 2015
    Central IL
    Posts : 4,207
    Mac OS Sierra

    You are going to see that with SaMBa/CIFS/Kerberos. Nothing unusual about that when you actually look at what it is doing on the network at any given time. If you shut off those items that you do not need, such as backups, network shares, user accounts, you would not see as many and you would break the OS.
  9.    4 Weeks Ago #9
    Join Date : Jul 2015
    Pacific Northwest, USA
    Posts : 380
    Win10 x64 Pro -2 desktops, 1 laptop
    Thread Starter

    Good heavens. I think you completely misunderstand what I am trying to ask. I was trying to understand if SMB opened a path exploitable by malware. And the answer seems to be "Yes". On another forum - the Acronis True Image forum - a person was able to run a simple PowerShell script to delete files on a share while a backup (running under NT Authority\SYSTEM) was in progress. If the backup was not running the script got a prompt for credentials. This has been reported to Acronis but is probably an exposure of any product that takes scheduled backups to a NAS.

    I'm not thinking about shutting anything off. I am considering not using SMB to communicate with any NAS that I want completely isolated from possible malware running on Windows. My original plan was to use FTP and I'm back to considering that.

    BTW, where did you find reference to Kerberos relating to NT Authority\SYSTEM? I found reference to SQL and a number of non-network uses but have not found any reference to Kerberos.
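    The concern raised in the thread (a backup running as NT AUTHORITY\SYSTEM leaves an SMB session that every other SYSTEM process on the host shares) can at least be made visible. The script below is an added example, not code from this thread or from any backup product: it filters Get-SmbConnection output for sessions authenticated as a shared machine account, and the sample records are constructed from the output quoted in post #1. It assumes an elevated PowerShell on Windows 8.1/10 or later, where the SmbShare module provides Get-SmbConnection.

```powershell
# Added example: list SMB client sessions whose credentials are shared by every
# process running under the same built-in account (e.g. NT AUTHORITY\SYSTEM).
# Such a session is reusable by any other process in that logon session without
# presenting credentials, for as long as the session stays open.
function Get-SharedCredentialSmbSession {
    [CmdletBinding()]
    param(
        # Records to inspect; defaults to the live Get-SmbConnection output.
        [Parameter(ValueFromPipeline = $true)]
        [object[]]$Connection = (Get-SmbConnection),

        # Built-in accounts whose single logon session is shared host-wide.
        [string[]]$SharedAccount = @('NT AUTHORITY\SYSTEM', 'NT AUTHORITY\NETWORK SERVICE')
    )
    process {
        foreach ($c in $Connection) {
            # IPC$ is the named-pipe endpoint; the data exposure is on file shares.
            if ($SharedAccount -contains $c.UserName -and $c.ShareName -ne 'IPC$') {
                [pscustomobject]@{
                    Server     = $c.ServerName
                    Share      = $c.ShareName
                    UserName   = $c.UserName
                    Credential = $c.Credential
                    Dialect    = $c.Dialect
                    NumOpens   = $c.NumOpens
                    Note       = 'Session reusable by any process running as this account'
                }
            }
        }
    }
}

# Constructed sample modelled on the Get-SmbConnection output quoted in post #1
# (not live data); replace with a bare Get-SmbConnection call to audit a real host.
$sample = @(
    [pscustomobject]@{ ServerName = 'MYBOOKLIVE'; ShareName = 'Public';  UserName = 'PUGET-116877\Patrick'; Credential = 'PUGET-116877\Patrick'; Dialect = '2.0.2'; NumOpens = 1 }
    [pscustomobject]@{ ServerName = 'WDMyCloud';  ShareName = 'IPC$';    UserName = 'NT AUTHORITY\SYSTEM';  Credential = 'NT AUTHORITY\private';  Dialect = '3.1.1'; NumOpens = 1 }
    [pscustomobject]@{ ServerName = 'WDMyCloud';  ShareName = 'private'; UserName = 'NT AUTHORITY\SYSTEM';  Credential = 'NT AUTHORITY\private';  Dialect = '3.1.1'; NumOpens = 1 }
)
$sample | Get-SharedCredentialSmbSession | Format-Table -AutoSize
```

    On the sample, only the WDMyCloud\private row is reported, which is exactly the session the thread is worried about. Because an SMB client session belongs to the logon session that authenticated it, the durable mitigation is to run the backup under a dedicated service account with its own logon session rather than under SYSTEM, so that other SYSTEM processes do not inherit the session.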
  10.    4 Weeks Ago #10
    Join Date : May 2015
    Central IL
    Posts : 4,207
    Mac OS Sierra

    No one misunderstands what you are trying to state, other than you think that this is suddenly new and do not have any questions that need to be answered. Anything that has been created by man can be exploited. If there is no question for a problem, then you have been told how to find further information on Microsoft's Technet website.