DATE:  
COMMAND                                            SOURCE: 
                                                   AUTHOR: 
  Password caching


SYSTEMS AFFECTED

  Win 95, WfW

  

PROBLEM


    This text is taken from the "Hack Microsoft" Web site and was written
    by Frank Andrew Stevenson and Peter Gutmann.



    By default, Windows 95 and Windows for Workgroups implement a
    "password caching feature" whereby the passwords for all network
    services (NetWare, NT, Samba, SLIP/PPP service) are automatically
    and permanently stored in C:\WINDOWS\<USERNAME>.PWL.  Microsoft
    claims they are encrypted securely.



    Peter determined that the Windows PWL encryption algorithm was
    incredibly insecure.  Frank wrote a program to break the .PWL
    files in Windows.  (More details are forthcoming; a draft version
    is available currently.)  Source code and a Windows NT executable
    for the exploit program are available.  In effect, anyone with
    physical or network access to a Windows machine has access to all
    network passwords used by all users of that machine.



    Late afternoon December 14th, Microsoft released an alleged fix
    for the problem, which is supposed to make passwords harder to
    find, but it has not been reviewed by outside experts, and it
    doesn't even come with a ReadMe file.  Unlike Netscape, Microsoft
    has not published its encryption algorithm for the customary peer
    review.  Until they do, we recommend disabling password caching
    and user profiles.



    Peter wrote this modest trojan horse demonstration, mail.zip.
    Invoke it as "mail hackmsoft@c2.org" (or whatever address you
    consider appropriate) on any Windows for Workgroups machine with
    a TCP/IP connection and it will send you (or anyone else) the
    first password cached on your machine, unencrypted.



    Note that this hack does not contain any decryption code; it
    merely uses the WNetGetCachedPassword() call, which is available
    to any program.  Proper security architectures, such as the
    corresponding subsystem in Windows NT, have an internal security
    perimeter to prevent this kind of thing.  This quick hack doesn't
    support MX aliasing, so you might need to point it directly at
    your SMTP server.  Because some network calls do not seem to be
    supported in Windows 95, this program currently only works with
    WfW (but this is only a minor implementation issue, which could
    be fixed).



    "Disabling password caching" does not completely address this
    vulnerability, because passwords are still stored in memory to
    facilitate the "automatic reconnect" feature, which is designed to
    maintain connections through laptop "suspend" mode and temporary
    network problems.  Neither is the alleged fix for Windows 95
    (above) relevant.





EXPLOIT

  

SOLUTION


    Don't allow your network administrators to log on to workstations
    with the "administrator" account under any circumstances.  When you
    log on to a standard Windows workstation, your user passwords are
    cached in the .PWL file unless this feature has been disabled, so an
    administrator's logon leaves the administrator's network passwords on
    that workstation.



    Thanks to Jim Carlson for contributing this WfW semi-fix:
    To turn off password caching for Windows for Workgroups, add the
    following to your \WINDOWS\SYSTEM.INI file:

        [NETWORK]
        passwordcaching=no



    Thanks to Malcolm Miles for contributing this Win95 semi-fix:
    To turn off password caching for Win95, you can use Policy
    Editor, or edit the following Registry entry directly with
    REGEDIT.EXE:

        HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Network\DisablePwdCaching

        Set the value to a binary value of 1.
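
    The same Win95 setting as a REGEDIT4 file, added here as an example;
    it is not part of the contributed fix above.  It writes the value as
    a DWORD, which is the type System Policy Editor stores for this
    policy.  The file name NOPWCACHE.REG used below is chosen for this
    example.

```reg
REGEDIT4

; Added example: disable Windows 95 password caching (.PWL files).
; Merge with "REGEDIT /S NOPWCACHE.REG" or by double-clicking the file.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Network]
"DisablePwdCaching"=dword:00000001
```

    Reboot after merging so the policy takes effect at the next logon.
    Disabling caching only stops new entries from being written: any
    existing C:\WINDOWS\*.PWL files stay on disk and should be deleted,
    and, as noted under PROBLEM, passwords already in memory for the
    automatic reconnect feature are unaffected.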