October 10, 2000
Share level password protection for the File and Print Sharing service in Windows 95/98/ME can be bypassed.
Share level access provides peer to peer networking capabilities in the Windows 9x/ME environment. It depends on password protection in order to grant or deny access to resources. Due to a flaw in the implementation of File and Print Sharing security, a remote intruder could access share level protected resources without entering a complete password by programatically modifying the data length of the password.
The flaw is due to the NetBIOS implementation in the password verification scheme share level access utilizes.
The password length is compared to the length of data sent during the password verification process. If the password was programatically set to be 1 byte, then only the first byte would be verified. If a remote attacker was able to correctly guess the value of the first byte of the password on the target machine, access would be granted to the share level protected resource.
Windows 9x remote administration is also affected by this vulnerability because it uses the same authentication scheme.
Successful exploitation of this vulnerability could lead to the retrieval, modification, addition, and deletion of files residing on a file or print share.
- Microsoft Windows 95
- Microsoft Windows 98
- Microsoft Windows 98SE
- Microsoft Windows ME
Microsoft has released the following patches which eliminate the vulnerability (the Window 95 patch will be out shortly):
Discovered by the Nsfocus Security Team and publicized in a Microsoft Security Bulletin (MS00-072) on October 10, 2000.
Copyright © Symantec Corporation.
Permission to redistribute this alert electronically is granted as long as it is not edited in any way unless authorized by Symantec Security Response. Reprinting the whole or part of this alert in any medium other than electronically requires permission from firstname.lastname@example.org
The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information.
Symantec, Symantec products, Symantec Security Response, and email@example.com
are registered trademarks of Symantec Corp. and/or affiliated companies in the United States and other countries. All other registered and unregistered trademarks represented in this document are the sole property of their respective companies/owners.