Bugtraq mailing list archives
Re: NSFOCUS SA2000-05: Microsoft Windows 9x NETBIOS password verification vulnerability
From: "Guenther H. Leber" <gleber () GAMS AT>
Date: Tue, 17 Oct 2000 00:37:56 +0200
On Thu, Oct 12, 2000 at 11:25:24AM +0800, Nsfocus Security Team wrote:
> [...]
> server. That is, if a client sets the length of the password to one byte and sends the packet with the plaintext password to the server, the server will only compare it with the first byte of the shared password (plaintext), and if consistent, the verification process is done. All an attacker needs to do is to guess and try the first byte of the password on the victim.
[...]

This flaw can also easily be used to recover the entire password. When the first character is found, disconnect the share and proceed with the next character(s), by providing a password with the known character(s) fixed and varying the last one (with an appropriate length parameter). Apply this until character '\0' matches; then you have the entire password. This will give you the password with at most 256*16 (=4096) tries (assuming the maximum length of the password is 16 characters and there are 256 valid characters) instead of 256^16.

-Günther

--
GünthER H. Leber @ home
PGP KeyID: 1024/68279259
PGP Public Key: https://www.luga.at/pgppubkeys/68279259.asc
PGP Fingerprint: 4B 12 AD B5 4E ED AB 56 F7 3F B2 02 25 FD 95 98
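The comparison pattern this thread describes, where a client-supplied length decides how many bytes of the stored password are checked, shown beside a hardened check. This is an added example in C, not code from the advisory or from Windows 9x; the stored password and the function names are constructed for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed example: the plaintext password stored for a share. */
static const char SHARE_PASSWORD[] = "s3cret";

/* Vulnerable pattern: the server trusts the length field from the client and
   compares only that many bytes. A one-byte guess matching the first character
   is accepted, which is what turns a 256^16 search into a 256*16 one. */
int verify_vulnerable(const char *supplied, size_t supplied_len)
{
    size_t stored_len = strlen(SHARE_PASSWORD);
    if (supplied_len > stored_len)
        return 0;                      /* bounds guard only; the prefix bug remains */
    return memcmp(SHARE_PASSWORD, supplied, supplied_len) == 0;
}

/* Hardened pattern: the supplied length must equal the stored length, and every
   stored byte is folded into the result regardless of where a mismatch occurs,
   so neither the length field nor early exit leaks anything about a prefix. */
int verify_hardened(const char *supplied, size_t supplied_len)
{
    size_t stored_len = strlen(SHARE_PASSWORD);
    unsigned char diff = (unsigned char)(supplied_len != stored_len);
    for (size_t i = 0; i < stored_len; i++) {
        unsigned char s = (i < supplied_len) ? (unsigned char)supplied[i] : 0;
        diff |= (unsigned char)SHARE_PASSWORD[i] ^ s;
    }
    return diff == 0;
}

int main(void)
{
    /* A single correct first byte passes the vulnerable check but not the fixed one. */
    printf("vulnerable(\"s\", 1)      = %d\n", verify_vulnerable("s", 1));
    printf("hardened(\"s\", 1)        = %d\n", verify_hardened("s", 1));
    printf("hardened(\"s3cret\", 6)   = %d\n", verify_hardened("s3cret", 6));
    return 0;
}
```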