win95 share attack ... ;)

Richard Sharpe sharpe at
Mon Oct 16 05:34:07 GMT 2000

At 03:02 PM 10/16/00 +1000, Andrew Tridgell wrote:
>> > It also only appears to affect plain text passwords, no longer the
>but the client chooses whether the password is encrypted or not. That's
>why the exploit just sets c->sec_mode=0 and gets away with
>it. Encrypted servers accept plain text passwords if the client
>chooses to send them.
>This means that all current Win9X boxes are vulnerable, whether or not
>the plain text is enabled.
>> > Since this is mainly a server side concern, are any versions of SAMBA
>> > vulnerable to it?
>> We do support 9x, so I'd bet as much as $.05 we are (;-))
>nope, no versions of smbd are vulnerable to this attack!
>The reason this vulnerability is of concern is that you can do the
>1) use the attack to not just login, but determine the real password
>   (that requires a trivial change to the posted exploit)

Hmmm, but isn't this the share password you have determined, if one exists?

>2) once connected you could download the PWL files on the box.
>3) with those PWL files you can find the passwords on any server that
>   box connects to (they are encrypted using the users password, which
>   you have now determined).

But isn't the user's password different to the share password you may have
cracked above?

>That means your server (whether NT or Samba) could be compromised via
>this hole.
>That's why you should not make the mistake of thinking that this
>vulnerability doesn't matter.
>Cheers, Tridge

Richard Sharpe, sharpe at
Samba (Team member), Ethereal (Team member)
Contributing author, SAMS Teach Yourself Samba in 24 Hours
Author, Special Edition, Using Samba
