CVE-2000-0979
CVSS 6.4
Published: 2000-12-19 00:00:00
Revised: 2016-10-17 22:07:48

[Original] File and Print Sharing service in Windows 95, Windows 98, and Windows Me does not properly check the password for a file share, which allows remote attackers to bypass share access controls by sending a 1-byte password that matches the first character of the real password, aka the "Share Level Password" vulnerability.


[CNNVD] Microsoft Windows 9x Share Password Validation Vulnerability (MS00-072) (CNNVD-200012-165)

        
        Windows 9x系统提供的文件和打印共享服务可以设置口令保护,以避免非法用户的访问。然而微软NETBIOS协议的口令校验机制存在一个严重漏洞,使得这种保护形同虚设。
        服务端在对客户端的口令进行校验时是以客户端发送的长度数据为依据的。因此,客户端在发送口令认证数据包时可以设置长度域为1, 同时发送一个字节的明文口令给服务端。服务端就会将客户端发来口令与服务端保存的共享口令的第一个字节进行明文比较,如果匹配就认为通过了验证。因此,攻击者仅仅需要猜测共享口令的第一个字节即可。
        Microsoft Windows 9x 的远程管理也是采用的共享密码认证方式,所以也受此漏洞影响。
        

- CVSS (base score)

CVSS score: 6.4 [MEDIUM]
Confidentiality impact: [--]
Integrity impact: [--]
Availability impact: [--]
Attack complexity: [--]
Attack vector: [--]
Authentication: [--]

- CPE (affected platforms and products)

cpe:/o:microsoft:windows_95        Microsoft Windows 95
cpe:/o:microsoft:windows_98se      Microsoft Windows 98 SE
cpe:/o:microsoft:windows_me        Microsoft Windows ME
cpe:/o:microsoft:windows_98::gold  Microsoft Windows 98 (gold)

- OVAL (technical details for detection)

oval:org.mitre.oval:def:996  Microsoft Share Level Password Vulnerability
*The OVAL definition describes in detail how to detect this vulnerability; see the referenced OVAL definition for further technical details.

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0979
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2000-0979
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200012-165
(official data source) CNNVD

- Other links and resources

http://marc.info/?l=bugtraq&m=97147777618139&w=2
(UNKNOWN)  BUGTRAQ  20001012 NSFOCUS SA2000-05: Microsoft Windows 9x NETBIOS password
http://www.microsoft.com/technet/security/bulletin/MS00-072.asp
(VENDOR_ADVISORY)  MS  MS00-072
http://www.securityfocus.com/bid/1780
(VENDOR_ADVISORY)  BID  1780
http://xforce.iss.net/static/5395.php
(VENDOR_ADVISORY)  XF  win9x-share-level-password

- Vulnerability information

Microsoft Windows 9x Share Password Validation Vulnerability (MS00-072)
Medium  Unknown
2000-12-19 00:00:00  2005-10-12 00:00:00
Remote

- Advisories and patches

        Vendor patch:
        Microsoft
        ---------
        Microsoft has published a security bulletin (MS00-072) and a corresponding patch:
        MS00-072: Patch Available for "Share Level Password" Vulnerability
        Link:
        http://www.microsoft.com/technet/security/bulletin/MS00-072.asp

        Patch download:
        Microsoft Windows 98 and 98 Second Edition
        
        http://download.microsoft.com/download/win98SE/Update/11958/W98/EN-US/273991USA8.EXE

        Microsoft Windows Me
        
        http://download.microsoft.com/download/winme/Update/11958/WinMe/EN-US/273991USAM.EXE

- Vulnerability information (20283)

Microsoft Windows 9x / Me Share Level Password Bypass Vulnerability (1) (EDBID:20283)
windows remote
2000-10-10 Verified
0 stickler
N/A [Download]
source: http://www.securityfocus.com/bid/1780/info

Share level password protection for the File and Print Sharing service in Windows 95/98/ME can be bypassed.

Share level access provides peer to peer networking capabilities in the Windows 9x/ME environment. It depends on password protection in order to grant or deny access to resources. Due to a flaw in the implementation of File and Print Sharing security, a remote intruder could access share level protected resources without entering a complete password by programmatically modifying the data length of the password.

The flaw is due to the NetBIOS implementation in the password verification scheme share level access utilizes.

The number of bytes compared during password verification is taken from the length the client sends. If the password length field is programmatically set to 1, only the first byte of the password is verified. If a remote attacker is able to correctly guess the value of the first byte of the password on the target machine, access is granted to the share level protected resource.

Windows 9x remote administration is also affected by this vulnerability because it uses the same authentication scheme.

Successful exploitation of this vulnerability could lead to the retrieval, modification, addition, and deletion of files residing on a file or print share.

http://www.exploit-db.com/sploits/20283.zip		
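The mechanism described in the CNNVD text and in the exploit-db entries, as an added example that is not part of the original page and is not Microsoft's code or the exploit authors' code: a C model of the share-level password check. `check_vulnerable` does what the advisory describes (it trusts the client-supplied length and compares only that many bytes), `check_fixed` is the hardened form (length and every byte must match, compared in constant time), and the attacker routines show the one-byte bypass and, going beyond the CVE wording, how the same flaw yields the whole password one byte per position. The share password `Secret99`, the `MAX_PW` cap and all function names are assumptions made for this demo; no SMB traffic is sent.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of a Windows 9x share-level server (added example; not
 * Microsoft's code or the exploit-db samples). MAX_PW is an assumed cap. */
#define MAX_PW 14

struct share {
    char password[MAX_PW + 1];   /* stored plaintext share password, NUL-terminated */
};

typedef int (*check_fn)(const struct share *, const uint8_t *pw, size_t pw_len);

/* Vulnerable check, as the advisory describes it: the server trusts the
 * client-supplied length and compares only that many bytes, so a 1-byte
 * password matching the first stored character is accepted. */
int check_vulnerable(const struct share *s, const uint8_t *pw, size_t pw_len)
{
    if (pw_len == 0 || pw_len > MAX_PW)
        return 0;
    return memcmp(s->password, pw, pw_len) == 0;
}

/* Fixed check: lengths must agree and every byte must match. The loop always
 * runs over MAX_PW bytes so neither a length mismatch nor an early differing
 * byte changes the timing. */
int check_fixed(const struct share *s, const uint8_t *pw, size_t pw_len)
{
    size_t stored_len = strlen(s->password);
    uint8_t diff = (uint8_t)(stored_len != pw_len);
    for (size_t i = 0; i < MAX_PW; i++) {
        uint8_t a = i < stored_len ? (uint8_t)s->password[i] : 0;
        uint8_t b = i < pw_len ? pw[i] : 0;
        diff |= (uint8_t)(a ^ b);
    }
    return diff == 0;
}

/* Attacker step 1 (the CVE as worded): try every single-byte password.
 * Returns the first accepted byte value (or -1); *accepted counts how many
 * of the 255 guesses the server let through. */
int guess_first_byte(const struct share *s, check_fn check, int *accepted)
{
    int found = -1;
    *accepted = 0;
    for (int c = 1; c < 256; c++) {
        uint8_t guess = (uint8_t)c;
        if (check(s, &guess, 1)) {
            (*accepted)++;
            if (found < 0)
                found = c;
        }
    }
    return found;
}

/* Attacker step 2 (same flaw, generalised): once bytes 0..i-1 are known, send
 * i+1 bytes and vary only the last one. A position where no value is accepted
 * marks the end of the password. Writes the recovered password to out
 * (MAX_PW + 1 bytes) and returns the number of requests issued. */
int recover_password(const struct share *s, check_fn check, char *out)
{
    uint8_t buf[MAX_PW] = {0};
    size_t len = 0;
    int requests = 0;
    while (len < MAX_PW) {
        int hit = 0;
        for (int c = 1; c < 256; c++) {
            buf[len] = (uint8_t)c;
            requests++;
            if (check(s, buf, len + 1)) {
                hit = 1;
                break;
            }
        }
        if (!hit)
            break;
        len++;
    }
    memcpy(out, buf, len);
    out[len] = '\0';
    return requests;
}

int main(void)
{
    struct share s = { "Secret99" };   /* constructed sample share password */
    char out[MAX_PW + 1];
    int accepted, b, n;

    b = guess_first_byte(&s, check_vulnerable, &accepted);
    printf("vulnerable: 1-byte guess '%c' accepted (%d of 255 guesses)\n", b, accepted);
    n = recover_password(&s, check_vulnerable, out);
    printf("vulnerable: recovered \"%s\" in %d requests\n", out, n);

    b = guess_first_byte(&s, check_fixed, &accepted);
    printf("fixed: %d of 255 1-byte guesses accepted (found=%d)\n", accepted, b);
    n = recover_password(&s, check_fixed, out);
    printf("fixed: recovered \"%s\" after %d requests\n", out, n);
    return 0;
}
```

Build with `cc -std=c99 -Wall share_pw.c && ./a.out`. The model abstracts the transport: on the wire a Windows 9x share password and its length travel in the SMB tree-connect request, which is the packet the exploit-db samples craft; the point the model makes is that any check of the form `memcmp(stored, supplied, supplied_len)` with an attacker-chosen length reduces password guessing from the whole keyspace to at most 255 requests per character.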

- Vulnerability information (20284)

Microsoft Windows 9x / Me Share Level Password Bypass Vulnerability (2) (EDBID:20284)
windows remote
2000-10-10 Verified
0 Gabriel Maggiotti
N/A [Download]
source: http://www.securityfocus.com/bid/1780/info
http://www.exploit-db.com/sploits/20284.tar.gz

- Vulnerability information

423
Microsoft Windows File Share Password Protection Bypass
Remote / Network Access, Authentication Management
Loss of Integrity
Exploit Public

- Vulnerability description

- Timeline

2000-10-10 Unknown
2000-10-10 Unknown

- Solution

Products

Unknown or Incomplete

- References

- Vulnerability author

Unknown or Incomplete
About the SCAP Chinese Community

The SCAP Chinese Community is the first Chinese-language open community in China devoted to SCAP. For more information, see [About this site].

Copyright notice

CVE, CWE and OVAL are registered trademarks of the MITRE Corporation; their official data sources are maintained on MITRE's websites.