win95 share attack ... ;)

Andrew Tridgell tridge at linuxcare.com
Mon Oct 16 05:02:49 GMT 2000


> > It also only appears to affect plain text passwords, no longer the default.

but the client chooses whether the password is encrypted or not. That's
why the exploit just sets c->sec_mode=0 and gets away with
it. Encrypted servers accept plain text passwords if the client
chooses to send them.

This means that all current Win9X boxes are vulnerable, whether or not
the plain text is enabled.

> > Since this is mainly a server side concern, are any versions of SAMBA SMBD
> > vulnerable to it?
> 
> 	We do support 9x, so I'd bet as much as $.05 we are (;-))

nope, no versions of smbd are vulnerable to this attack!

The reason this vulnerability is of concern is that you can do the
following:

1) use the attack to not just login, but determine the real password
   (that requires a trivial change to the posted exploit)

2) once connected you could download the PWL files on the box.

3) with those PWL files you can find the passwords on any server that
   box connects to (they are encrypted using the users password, which
   you have now determined).

That means your server (whether NT or Samba) could be compromised via
this hole.

That's why you should not make the mistake of thinking that this
vulnerability doesn't matter.

Cheers, Tridge
