
List:       bugtraq
Subject:    Re: Cracked: WINDOWS.PWL [most services accessed by any version
From:       Rich Graves <llurch@networking.stanford.edu>
Date:       1995-12-05 19:37:50

[Reply to BUGTRAQ, Bcc'd to a local list.]

On Tue, 5 Dec 1995, Michael S. Fischer wrote:

> I don't know if this is suitable for inclusion on Bugtraq, but it's quite
> scary if the implications are as described...
>
> >---------- Forwarded message ----------
> >Date: Mon, 4 Dec 1995 19:06:12 +0100
> >From: Tatu Ylonen <ylo@cs.hut.fi>
> >To: ssh@clinet.fi
> >Subject: FWD from Frank Andrew Stevenson: Cracked: WINDOWS.PWL
> >
> >I am sorry to send noise to the list; this deals with Windows95 but is
> >quite relevant to many Unix administrators as well.  This is not
> >related to ssh.  The ssh list is not intended for this kind of stuff,
> >so please don't do what I am doing now.
> >
> >Basically, you should be aware that if you ever mount disks from Unix
> >machines to Windows95 machines, the passwords of the unix machine (or
> >your other file servers) will be stored on the Windows machine's disk
> >essentially in the plain, and any 10-year computer-literate kid with a
> >little knowledge will be able to retrieve them in seconds if he gets
> >access to client machine.

[Quoted message, complete with source code, deleted. See sci.crypt or the
cypherpunks archives.]

Well, the Win95 SMB security bug was discussed here, so I think this is
at least as relevant.

Win95 (and Windows for Workgroups; this might also apply to NT) will
indeed save passwords for Samba servers running on UNIX machines, NetWare
servers on UNIXWare machines, and UNIX SLIP/PPP servers.

It will save them in weakly encrypted .PWL files. According to article
<4a2bij$ma6@wizard.uark.edu> in comp.security.misc, a decent machine can
crack .PWL files in less than one second.

Bugs have been reported (but not confirmed) that might under some
circumstances cause Win95 to save .PWL files totally unencrypted.

Microsoft encourages developers to use the .PWL architecture, so other
network operating systems and "security tools" are also likely to use the
.PWL file, if not now, then in the future.

I don't believe this applies to the current versions of PC/NFS or other
Win95-enabled NFS clients; I would think that the TGV and B&WS guys would
be smarter than that, but confirmation of this point would be appreciated.

.PWL files for any user of the Win95 machine can be picked up by anyone
with physical access to the machine, or by anyone with network access to
the C:\WINDOWS directory on the machine.

If the recently posted file sharing patches are not installed (and
currently, they are only available for the US-English version of Win95,
despite assurances from the Win95 product manager that international
versions would be available over a week ago), and if file sharing for any
subdirectory of the machine is enabled, then anyone within your firewall
(if any) and with knowledge of even the Win95 machine's most restrictive
sharing or administrator password (if any; passwordless guest access will
work if it's enabled) can get read access to *any* directory starting from
root, including C:\WINDOWS\*.PWL.

The solution is to disable "password caching" entirely and to delete
C:\WINDOWS\*.PWL on any machine that is not physically and
network-secured.  Ideally, one would disable the supposed "user profiles"
feature of Win95 entirely, and present it as the totally insecure
single-user client operating system it is, so as to avoid the risks
associated with a false sense of security.

To fix this for Windows for Workgroups, insert "passwordcaching=no" into
the [NETWORK] section of SYSTEM.INI [Credit Jim Carlson].

To disable "password caching" on Win95, you could run PolEdit [Credit Don
Edwards], but IMO this is a bad idea, because ways have been published to
disable "Policies," which users might want to do for other reasons.

The better alternative is to create the following undocumented Registry
entry:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\
  Network\DisablePwdCaching

This gets a binary value of 1 [Credit Malcolm G. Miles].

Of course you'd have to check from time to time to ensure that some
malicious user had not turned this switch back off, because there is no
way to protect the Registry that cannot be overcome in two minutes. When
it rains it pours...

Maybe security-conscious sites would write login scripts to delete .PWL
files that are larger than they should be?

Could some Registry-savvy individual post a Registry script to do this
from the DOS command line or in a login script?

For full credits and further discussion, see the list archive at
gopher://quixote.stanford.edu/1m/win95netbugs (a poor old NeXT; be
gentle).

-rich
 llurch@networking.stanford.edu
 moderator of the win95netbugs list
 http://www-leland.stanford.edu/~llurch/win95netbugs/faq.html
 (No, the faq has not been substantially touched since October 10...
 any volunteers?)
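One way to make the Registry fix above scriptable and re-checkable, as an added example that is not from the post or any of the people it credits: a constructed REGEDIT4-format .reg file of the kind `regedit /s` can import from a login script, plus a small parser that audits an exported copy of the policy key so a site can confirm DisablePwdCaching is still set. The post calls the value "binary 1"; the sample assumes a DWORD, and the parser also accepts the `hex:` (REG_BINARY) spelling of the same value.

```python
import re

POLICY_KEY = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows"
              r"\CurrentVersion\Policies\Network")

# Constructed sample .reg file (not from the post): what `regedit /s` would import.
# The post says "a binary value of 1"; dword is assumed here, hex:01,00,00,00 also works.
DISABLE_PWD_CACHING_REG = """REGEDIT4

[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Network]
"DisablePwdCaching"=dword:00000001
"""

def parse_regedit4(text):
    """Parse the REGEDIT4 subset needed here: [key] sections and "name"=dword:/hex:
    values.  dword and hex (little-endian) both decode to int, so 1 == 1 either way."""
    if not text.lstrip().startswith("REGEDIT4"):
        raise ValueError("not a REGEDIT4 export")
    keys, current, pending = {}, None, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if line.endswith("\\"):           # hex: data may continue on the next line
            pending = line[:-1]
            continue
        if not line or line == "REGEDIT4":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = re.match(r'"([^"]+)"=(.*)$', line)
        if not m or current is None:
            raise ValueError("unparsable line: %r" % line)
        name, val = m.group(1), m.group(2)
        if val.startswith("dword:"):
            keys[current][name] = int(val[6:], 16)
        elif val.startswith("hex:"):
            data = bytes(int(b, 16) for b in val[4:].split(",") if b)
            keys[current][name] = int.from_bytes(data, "little")
        else:
            raise ValueError("unsupported value: %r" % val)
    return keys

def password_caching_disabled(reg_text):
    """True only when the export sets DisablePwdCaching=1 under the policy key;
    a missing entry or a 0 means caching is (back) on and .PWL files get written."""
    values = parse_regedit4(reg_text).get(POLICY_KEY, {})
    return values.get("DisablePwdCaching") == 1
```

Exporting the key with `regedit /e` from a login script and feeding the result to `password_caching_disabled` gives the periodic check the post asks for.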

