header-logo
Suggest Exploit
vendor:
Windows 95/98/ME
by:
SecurityFocus
7.5
CVSS
HIGH
Bypassing Share Level Access
287
CWE
Product Name: Windows 95/98/ME
Affected Version From: Windows 95
Affected Version To: Windows ME
Patch Exists: NO
Related CWE: N/A
CPE: N/A
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: Windows
2002

Share level password protection for the File and Print Sharing service in Windows 95/98/ME can be bypassed

Due to a flaw in the implementation of File and Print Sharing security, a remote intruder could access share level protected resources without entering a complete password by programatically modifying the data length of the password. The password length is compared to the length of data sent during the password verification process. If the password was programatically set to be 1 byte, then only the first byte would be verified. If a remote attacker was able to correctly guess the value of the first byte of the password on the target machine, access would be granted to the share level protected resource.

Mitigation:

Ensure that the password length is greater than one byte and that the password is complex and difficult to guess.
Source

Exploit-DB raw data:

source: https://www.securityfocus.com/bid/1780/info

Share level password protection for the File and Print Sharing service in Windows 95/98/ME can be bypassed. 

Share level access provides peer to peer networking capabilities in the Windows 9x/ME environment. It depends on password protection in order to grant or deny access to resources. Due to a flaw in the implementation of File and Print Sharing security, a remote intruder could access share level protected resources without entering a complete password by programatically modifying the data length of the password.

The flaw is due to the NetBIOS implementation in the password verification scheme share level access utilizes. 

The password length is compared to the length of data sent during the password verification process. If the password was programatically set to be 1 byte, then only the first byte would be verified. If a remote attacker was able to correctly guess the value of the first byte of the password on the target machine, access would be granted to the share level protected resource.

Windows 9x remote administration is also affected by this vulnerability because it uses the same authentication scheme.

Successful exploitation of this vulnerability could lead to the retrieval, modification, addition, and deletion of files residing on a file or print share.

https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/20283.zip

Navigation

Suggest Exploit

Services By CQR