Bugtraq mailing list archives

Re: NSFOCUS SA2000-05: Microsoft Windows 9x NETBIOS password verification vulnerability


From: "Guenther H. Leber" <gleber () GAMS AT>
Date: Tue, 17 Oct 2000 00:37:56 +0200

On Thu, Oct 12, 2000 at 11:25:24AM +0800, Nsfocus Security Team wrote:
[...]
server. That is, if a client sets the length of the password to be one byte and sends
the packet with the plaintext password to the server, the server will only compare it
with the first byte of the shared password (plaintext), and if consistent, the
verification process is done. All an attacker needs to do is to guess and try the
first byte of the password on the victim.
[...]

This flaw can also easily be used to recover the entire password.  When
the first character is found, disconnect the share and proceed with the next
character(s), by providing a password with the known character(s) fixed and
varying the last one (with an appropriate length parameter).  Apply this
until character '\0' matches, then you have the entire password.

And this will give you the password with at most 256*16 (=4096) tries
(assuming the maximum length of the password is 16 characters and there are
256 valid characters) instead of 256^16.

-Günther
--
GünthER H. Leber @ home          PGP KeyID: 1024/68279259
PGP Public Key: https://www.luga.at/pgppubkeys/68279259.asc
PGP Fingerprint:   4B 12 AD B5 4E ED AB 56  F7 3F B2 02 25 FD 95 98
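
As an added illustration (not part of Günther's post or the NSFOCUS advisory), the comparison bug class discussed above in plain C: a check that trusts the client-supplied length and matches only that prefix, beside a check that requires the full length and compares every byte. Function names and the sample password are hypothetical.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/*
 * vulnerable_verify: models the flawed check. The client chooses how many
 * bytes are compared, so a one-byte guess succeeds whenever its first byte
 * matches the stored password.
 */
int vulnerable_verify(const char *shared, const char *supplied, size_t len)
{
    /* BUG: len comes from the client; a matching prefix counts as success */
    return memcmp(shared, supplied, len) == 0;
}

/*
 * hardened_verify: the supplied length must equal the stored length, and all
 * bytes are compared without early exit so timing does not reveal the
 * position of the first mismatch.
 */
int hardened_verify(const char *shared, const char *supplied, size_t len)
{
    size_t shared_len = strlen(shared);
    unsigned char diff = 0;
    size_t i;

    if (len != shared_len)
        return 0;
    for (i = 0; i < len; i++)
        diff |= (unsigned char)(shared[i] ^ supplied[i]);
    return diff == 0;
}

int main(void)
{
    const char *stored = "secret";   /* hypothetical share password */

    printf("one-byte guess, vulnerable check: %d\n",
           vulnerable_verify(stored, "s", 1));   /* accepted: 1 */
    printf("one-byte guess, hardened check:   %d\n",
           hardened_verify(stored, "s", 1));     /* rejected: 0 */
    printf("full password, hardened check:    %d\n",
           hardened_verify(stored, "secret", 6)); /* accepted: 1 */
    return 0;
}
```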