Microsoft Windows 9x/ME - Share Level Password Bypass (1)

EDB-ID:

20283


Author:

stickler

Type:

remote


Platform:

Windows

Date:

2000-10-10


source: https://www.securityfocus.com/bid/1780/info

Share level password protection for the File and Print Sharing service in Windows 95/98/ME can be bypassed. 

Share level access provides peer to peer networking capabilities in the Windows 9x/ME environment. It depends on password protection in order to grant or deny access to resources. Due to a flaw in the implementation of File and Print Sharing security, a remote intruder could access share level protected resources without entering a complete password by programatically modifying the data length of the password.

The flaw is due to the NetBIOS implementation in the password verification scheme share level access utilizes. 

The password length is compared to the length of data sent during the password verification process. If the password was programatically set to be 1 byte, then only the first byte would be verified. If a remote attacker was able to correctly guess the value of the first byte of the password on the target machine, access would be granted to the share level protected resource.

Windows 9x remote administration is also affected by this vulnerability because it uses the same authentication scheme.

Successful exploitation of this vulnerability could lead to the retrieval, modification, addition, and deletion of files residing on a file or print share.

https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/20283.zip