win95 share attack ... ;)

Richard Sharpe sharpe at ns.aus.com
Mon Oct 16 05:34:07 GMT 2000


At 03:02 PM 10/16/00 +1000, Andrew Tridgell wrote:
>> > It also only appears to affect plain text passwords, no longer the default.
>
>but the client chooses whether the password is encrypted or not. That's
>why the exploit just sets c->sec_mode=0 and gets away with
>it. Encrypted servers accept plain text passwords if the client
>chooses to send them.
>
>This means that all current Win9X boxes are vulnerable, whether or not
>the plain text is enabled.
>
>> > Since this is mainly a server side concern, are any versions of SAMBA SMBD
>> > vulnerable to it?
>> 
>> 	We do support 9x, so I'd bet as much as $.05 we are (;-))
>
>nope, no versions of smbd are vulnerable to this attack!
>
>The reason this vulnerability is of concern is that you can do the
>following:
>
>1) use the attack to not just login, but determine the real password
>   (that requires a trivial change to the posted exploit)

Hmmm, but isn't this the share password you have determined, if one exists?

>2) once connected you could download the PWL files on the box.
>
>3) with those PWL files you can find the passwords on any server that
>   box connects to (they are encrypted using the users password, which
>   you have now determined).

But isn't the user's password different to the share password you may have
cracked above?

>That means your server (whether NT or Samba) could be compromised via
>this hole.
>
>That's why you should not make the mistake of thinking that this
>vulnerability doesn't matter.
>
>Cheers, Tridge
>
>

Regards
-------
Richard Sharpe, sharpe at ns.aus.com
Samba (Team member, www.samba.org), Ethereal (Team member, www.zing.org)
Contributing author, SAMS Teach Yourself Samba in 24 Hours
Author, Special Edition, Using Samba