MS Windows 95/98/Me shares flaw


This is a description of a flaw in the share level password authentication of Microsoft Windows 95/98/Me in its CIFS protocol.

You can find the password of a given share on a machine running MS Windows 95/98/Me. There is a flaw in these operating systems ( it was found by nsfocus ): Windows verifies the password based on the client supplied password length rather than the length of the password stored on the server. In the normal way, the password is a null terminated string. When you send a connection request, you provide such a string and an unsigned integer equal to its length + 1 ( the terminating null is counted ). However, you can provide the password as a string without the null at the end, and an unsigned integer equal to its length. In that case Windows compares only the starting characters of the password, and you receive a "connection successful" confirmation if they match. So, you can find the password using the following scheme:

start: p = "" ( empty string )
initialize charset for finding password

cycle: if there are no more characters left in our charset, go to failed

character = next character from charset

p1 = p + character

if p1 is equal to the first strlen(p1) characters of the password, go to checkforfinish else go to cycle

checkforfinish: if p1 is the complete password ( check by sending it in the normal way ), go to finish else go to continue

continue: p = p1

reinitialize charset for finding password

go to cycle

finish: password is found!!!

failed: password is not found...
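The reason the scheme above works is that the server's comparison stops after the number of bytes the client claims, so every single-character probe either confirms or rules out one more character of the password. The following C program is an added example, not part of the original page or of PassRes: it models the flawed share level check beside a corrected one and counts how many proper prefixes of a constructed sample password each version accepts. The password "secret" and the function names are assumptions made for the illustration.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Constructed sample share password; nothing on the page uses this value. */
static const char *STORED = "secret";

/* Flawed check, modelled on the behaviour described above: the number of
 * bytes compared is taken from the client-supplied length, so a client that
 * omits the terminating NUL and sends a shorter length is accepted whenever
 * its bytes match the beginning of the stored password. */
int check_vulnerable(const char *stored, const char *supplied, unsigned supplied_len) {
    /* Guard only keeps this toy model memory-safe; it does not fix the flaw. */
    if (supplied_len > strlen(stored) + 1)
        return 0;
    return memcmp(stored, supplied, supplied_len) == 0;
}

/* Corrected check: the length to compare comes from the server's own record
 * (stored password plus its terminating NUL), never from the client, and the
 * bytes are compared without an early exit so that no per-byte result leaks. */
int check_fixed(const char *stored, const char *supplied, unsigned supplied_len) {
    size_t stored_len = strlen(stored);
    unsigned char diff = 0;
    size_t i;
    if (supplied_len != stored_len + 1)
        return 0;
    for (i = 0; i <= stored_len; i++)      /* includes the terminating NUL */
        diff |= (unsigned char)(stored[i] ^ supplied[i]);
    return diff == 0;
}

typedef int (*check_fn)(const char *, const char *, unsigned);

/* Counts how many proper prefixes of `stored` (lengths 1..strlen) a checker
 * accepts when sent without a NUL terminator. The flawed checker accepts all
 * of them, which is exactly the oracle the scheme above relies on; the fixed
 * checker accepts none. */
int count_accepted_prefixes(check_fn check, const char *stored) {
    size_t n = strlen(stored), i;
    int accepted = 0;
    for (i = 1; i <= n; i++)
        accepted += check(stored, stored, (unsigned)i) ? 1 : 0;
    return accepted;
}

int main(void) {
    printf("flawed check accepts %d of %zu prefixes\n",
           count_accepted_prefixes(check_vulnerable, STORED), strlen(STORED));
    printf("fixed check accepts %d of %zu prefixes\n",
           count_accepted_prefixes(check_fixed, STORED), strlen(STORED));
    /* The normal, NUL-terminated request still succeeds against the fixed check. */
    printf("fixed check with full password: %d\n",
           check_fixed(STORED, "secret", 7));
    return 0;
}
```

Note that the flawed version also accepts a zero-length request, since comparing zero bytes always succeeds; the fixed version rejects it because the length does not match the server's record.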

Press here to download the source code of an example called "PassRes" which implements this algorithm. The example is written using Microsoft Visual C++ 6.0 and MFC. Here is a description of some files in this example:

   respass.cpp - file with the definition of the function which implements this algorithm
   respass.h - file with the declarations of the functions from respass.cpp
   protocol.h - file with some structures which implement the different protocols

How to protect?
Microsoft has made a patch available here:
http://www.microsoft.com/technet/security/bulletin/fq00-072.asp

Nickolsky Artyom, 2001