[12386] in bugtraq

Fwd: Caching of passwords revealed after installing SP6

daemon@ATHENA.MIT.EDU (Eric Schultze)
Mon Nov 1 16:09:21 1999

Mime-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"; format=flowed
Message-Id:  <4.2.1.19991031142422.00ade850@mail.garden.net>
Date:         Sun, 31 Oct 1999 14:24:37 -0800
Reply-To: Eric Schultze <ews@TELLURIAN.NET>
From: Eric Schultze <ews@TELLURIAN.NET>
X-To:         bugtraq@securityfocus.com
To: BUGTRAQ@SECURITYFOCUS.COM
Content-Transfer-Encoding: 8bit

>Approved-By: mark@NTSHOP.NET
>X-Mailer: Internet Mail Service (5.5.2650.21)
>Date:         Sun, 31 Oct 1999 17:00:43 -0500
>Reply-To:     Technical discussions regarding security bugs that pertain to Microsoft networks <WIN2KSECADVICE@LISTSERV.NTSECURITY.NET>
>From:         "Noël, Richard" <noel@WANG.COM>
>Subject:      Caching of passwords revealed after installing SP6
>To:           WIN2KSECADVICE@LISTSERV.NTSECURITY.NET
>
>I found something disturbing today.  I installed SP6 on an NT4 SP5 server
>that I've been using as a PPTP client for the past couple of years.  After
>installing SP6, I found that the setting for saving passwords for at least
>PPTP dial-up has been enabled which is a feature I never, never use.  While
>this is bad, the disturbing part revealed by installing SP6 is that even
>though I never used the "Save password" feature with PPTP, my password was
>in fact being cached.  I know this because the first four PPTP dial-up
>connections I tried (i.e. four different PPTP servers) all immediately
>connected and authenticated without prompting me for credentials.  Two
>others failed to connect immediately because the cached password did not
>match the current password for my domain account.
>
>If any of you get a chance, could you please verify this behavior?
>
>Thanks,
>Richard