Microsoft Windows 9x share password verification vulnerability (MS00-072)

Vulnerability ID: 1106036  Vulnerability type: Unknown
Published: 2000-10-10  Updated: 2005-10-12
CVE ID: CVE-2000-0979  CNNVD ID: CNNVD-200012-165
Platform: Windows  CVSS score: 6.4
|Vulnerability source
https://www.exploit-db.com/exploits/20283
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200012-165
|Vulnerability details
The File and Print Sharing service in Windows 9x can be protected with a password to keep unauthorized users out. However, the password verification mechanism in Microsoft's NetBIOS implementation has a serious flaw that renders this protection ineffective. When the server verifies a client's password, it uses the length field supplied by the client to decide how many bytes to compare. A client can therefore set the length field of its password authentication packet to 1 and send a single byte of plaintext password. The server compares that byte in plaintext against the first byte of the stored share password and, if they match, treats the client as authenticated. An attacker thus only needs to guess the first byte of the share password. Remote administration in Microsoft Windows 9x uses the same share-password authentication, so it is affected by this vulnerability as well.
|Vulnerability exploit
source: http://www.securityfocus.com/bid/1780/info

Share level password protection for the File and Print Sharing service in Windows 95/98/ME can be bypassed. 

Share level access provides peer to peer networking capabilities in the Windows 9x/ME environment. It depends on password protection in order to grant or deny access to resources. Due to a flaw in the implementation of File and Print Sharing security, a remote intruder could access share level protected resources without entering a complete password by programmatically modifying the data length of the password.

The flaw is due to the NetBIOS implementation in the password verification scheme share level access utilizes. 

The password length is compared to the length of data sent during the password verification process. If the password length was programmatically set to 1 byte, then only the first byte would be verified. If a remote attacker was able to correctly guess the value of the first byte of the password on the target machine, access would be granted to the share level protected resource.

Windows 9x remote administration is also affected by this vulnerability because it uses the same authentication scheme.

Successful exploitation of this vulnerability could lead to the retrieval, modification, addition, and deletion of files residing on a file or print share.

https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/bin-sploits/20283.zip
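The advisory's flaw is a length-controlled comparison: the server compares only as many bytes as the client says it sent. The following added example is not Windows 9x code and not part of the advisory; it is a hypothetical share-level check written here to contrast the vulnerable form with a hardened one. The function names `share_check_vulnerable` and `share_check_hardened`, the plaintext stored password, and the upper-bound guard on the client length are all assumptions made for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical share-level password check (added example, not the Windows 9x
 * server implementation). The stored share password is kept in plaintext, as
 * the advisory describes.
 *
 * Vulnerable form: the number of bytes compared is taken from the client's
 * length field. A client that declares length 1 only has to match the first
 * byte of the stored password. The guard against client_len exceeding the
 * stored length is an assumption added so the example never reads past
 * the stored string; the flaw the advisory describes is the short case. */
int share_check_vulnerable(const char *stored, const unsigned char *client_pw,
                           size_t client_len)
{
    if (client_len == 0 || client_len > strlen(stored))
        return 0;
    /* Compares only client_len bytes: the core defect. */
    return memcmp(stored, client_pw, client_len) == 0;
}

/* Hardened form: the client-supplied length must equal the stored password's
 * length, and every byte of the stored password is compared. The loop count
 * depends only on the stored length, and mismatches are accumulated rather
 * than returned early, so a short or partially correct guess gains nothing
 * and no byte-position timing signal is exposed. */
int share_check_hardened(const char *stored, const unsigned char *client_pw,
                         size_t client_len)
{
    size_t stored_len = strlen(stored);
    unsigned char diff = (unsigned char)(stored_len != client_len);
    size_t i;

    for (i = 0; i < stored_len; i++) {
        /* Bytes the client did not send are treated as 0, which can only
         * add to diff; the loop still runs over the full stored length. */
        unsigned char c = (i < client_len) ? client_pw[i] : 0;
        diff |= (unsigned char)stored[i] ^ c;
    }
    return diff == 0;
}

int main(void)
{
    const char *stored = "secret";                 /* constructed sample password */
    const unsigned char one_byte[] = { 's' };      /* client sends length 1 */
    const unsigned char full[] = "secret";

    printf("vulnerable, 1 byte   : %d\n", share_check_vulnerable(stored, one_byte, 1));
    printf("hardened,   1 byte   : %d\n", share_check_hardened(stored, one_byte, 1));
    printf("hardened,   full pw  : %d\n", share_check_hardened(stored, full, 6));
    return 0;
}
```

The vulnerable check accepts a one-byte packet whose single byte matches the first character of the stored password, which is exactly the condition the advisory describes; the hardened check rejects any packet whose length differs from the stored password and compares the whole value regardless of where the first mismatch occurs.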
|References

Source: XF
Name: win9x-share-level-password
Link: http://xforce.iss.net/static/5395.php
Source: BID
Name: 1780
Link: http://www.securityfocus.com/bid/1780
Source: MS
Name: MS00-072
Link: http://www.microsoft.com/technet/security/bulletin/MS00-072.asp
Source: BUGTRAQ
Name: 20001012 NSFOCUS SA2000-05: Microsoft Windows 9x NETBIOS password
Link: http://marc.theaimsgroup.com/?l=bugtraq&m=97147777618139&w=2
Source: US Government Resource: oval:org.mitre.oval:def:996
Name: oval:org.mitre.oval:def:996
Link: http://oval.mitre.org/repository/data/getDef?id=oval:org.mitre.oval:def:996