MS Windows 95/98/Me shares flaw
This is a description of a flaw in the share-level password authentication
of Microsoft Windows 95/98/Me in its CIFS (SMB) file-sharing protocol.
It lets you recover the password of a given share on a machine running
MS Windows 95/98/Me. The flaw (found by NSFocus, Microsoft bulletin MS00-072)
is that Windows verifies the password using the client-supplied password
length rather than the length of the password stored on the server.
Normally the password is sent as a null-terminated string: the connection
request carries the string and an unsigned integer holding its length + 1
(the terminator is counted). However, you can send the password as a string
without the trailing null and an unsigned integer holding only its length.
In that case Windows compares only the first "length" characters of the
stored password, and if they match you receive the "connection successful"
confirmation. One correct character is therefore enough to connect, and the
password can be recovered one character at a time with the following scheme:
start:          p = "" ( empty string )
                initialize charset for finding password
cycle:          if there are no more characters in the charset, go to failed
                character = next character from charset
                p1 = p + character
                send p1 without the trailing null, with length = strlen(p1)
                if the reply is "connection successful", go to checkforfinish, else go to cycle
checkforfinish: send p1 the normal way ( with the trailing null, length = strlen(p1) + 1 )
                if the reply is "connection successful", go to finish, else go to continue
continue:       p = p1
                reinitialize charset for finding password
                go to cycle
finish:         password is found: it is p1
failed:         password is not found ( a character of it is not in the charset )
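The flaw and the recovery scheme above as an added example in C; this is not the page's PassRes code. It models the server-side comparison two ways: vulnerable_check compares as many bytes as the client claims, as the page describes, and fixed_check compares against the server's own length. The character-by-character scheme is then run against both. The server model, the sample password "s3cret" and the charset are constructed for the example, and the check functions stand in for the connection request and its reply, so no network code is involved. What the page does not spell out, and the example shows, is the cost: the oracle turns a search of |charset|^len guesses into at most |charset| * len connection attempts.

```c
#include <stdio.h>
#include <string.h>

/* Longest share password this toy model handles (assumption for the example). */
#define MAX_PASS 64

/* Server side as the page describes the flaw: the server compares exactly as
 * many bytes as the client claims in its length field. A client that sends the
 * full password plus the terminator (length = strlen + 1) gets in, but so does
 * one that sends only a correct prefix with length = strlen(prefix).
 * Lengths beyond the stored password are rejected here; the real server's
 * behaviour in that case is not described on the page (assumption). */
int vulnerable_check(const char *share_pass, const char *client_pass, unsigned client_len)
{
    size_t full = strlen(share_pass) + 1;            /* includes the terminator */
    if (client_len == 0 || client_len > full)
        return 0;
    return memcmp(share_pass, client_pass, client_len) == 0;
}

/* Corrected check: the length the client claims must equal the length the
 * server knows, and the comparison runs over the server's length. The loop
 * does not stop at the first mismatching byte, which also closes the timing
 * variant of the same mistake. */
int fixed_check(const char *share_pass, const char *client_pass, unsigned client_len)
{
    size_t full = strlen(share_pass) + 1;
    if (client_len != full)
        return 0;
    unsigned char diff = 0;
    for (size_t i = 0; i < full; i++)
        diff |= (unsigned char)(share_pass[i] ^ client_pass[i]);
    return diff == 0;
}

typedef int (*check_fn)(const char *share_pass, const char *client_pass, unsigned client_len);

/* The page's scheme. p1 holds the confirmed prefix p plus one candidate
 * character. Each "cycle" query sends p1 without the terminator (length
 * strlen(p1)); each "checkforfinish" query sends it the normal way (length
 * strlen(p1) + 1). Returns the number of queries used, with the password copied
 * to out, or -1 on the page's "failed" exit (a character of the password is
 * not in charset, or out is too small). */
long recover_password(check_fn check, const char *share_pass, const char *charset,
                      char *out, size_t out_sz)
{
    char p1[MAX_PASS + 2];
    size_t plen = 0;                    /* length of the confirmed prefix p */
    long queries = 0;

    while (plen < MAX_PASS) {
        int extended = 0;
        for (const char *c = charset; *c; c++) {          /* cycle */
            p1[plen] = *c;
            p1[plen + 1] = '\0';
            queries++;
            if (!check(share_pass, p1, (unsigned)(plen + 1)))
                continue;                                  /* wrong character */
            queries++;                                     /* checkforfinish */
            if (check(share_pass, p1, (unsigned)(plen + 2))) {
                if (plen + 2 > out_sz)
                    return -1;
                memcpy(out, p1, plen + 2);                 /* finish */
                return queries;
            }
            plen++;                                        /* continue: p = p1 */
            extended = 1;
            break;
        }
        if (!extended)
            return -1;                                     /* failed */
    }
    return -1;
}

/* Buffer the recovered password is written to (shared by main and callers). */
static char found[MAX_PASS + 2];

int main(void)
{
    /* Constructed sample share password and charset, not taken from the page. */
    const char *share_pass = "s3cret";
    const char *charset = "abcdefghijklmnopqrstuvwxyz0123456789";

    long q = recover_password(vulnerable_check, share_pass, charset, found, sizeof found);
    if (q >= 0)
        printf("vulnerable server: recovered \"%s\" in %ld connection attempts\n", found, q);
    else
        printf("vulnerable server: not recovered\n");

    q = recover_password(fixed_check, share_pass, charset, found, sizeof found);
    printf("patched server: %s\n", q < 0 ? "not recovered" : "recovered (unexpected)");
    return 0;
}
```

Against vulnerable_check the six-character sample password falls in 101 connection attempts, where a blind search over the same 36-character set would face 36^6 candidates; against fixed_check no first character is ever accepted and the scheme ends at failed. The scheme also ends at failed when a password character lies outside the charset, so the charset has to cover every character the share's password may contain.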
The source code of an example program called "PassRes", which implements this algorithm, is available for download.
The example is written in Microsoft Visual C++ 6.0 with MFC. The files of interest in this
example are:
respass.cpp - definition of the function that implements this algorithm
respass.h - declarations of the functions defined in respass.cpp
protocol.h - structures describing the protocol messages used by the example
How to protect?
Microsoft has made a patch available (security bulletin MS00-072):
http://www.microsoft.com/technet/security/bulletin/fq00-072.asp
Until it is applied, a share password on these systems gives no real protection against anyone who can reach the machine's file-sharing service, since the password can be recovered in a few hundred connection attempts.
Nickolsky Artyom, 2001