[4183] in bugtraq
Exploit for MSIE on Win95
daemon@ATHENA.MIT.EDU (Steve Birnbaum)
Mon Mar 17 22:15:13 1997
Date: Tue, 18 Mar 1997 04:25:53 +0200
Reply-To: Steve Birnbaum <sbirn@NETMEDIA.NET.IL>
From: Steve Birnbaum <sbirn@NETMEDIA.NET.IL>
To: BUGTRAQ@NETSPACE.ORG
See http://www.security.org.il/msnetbreak/ for more details.
What's new
It is possible from anywhere on the Internet to obtain the cleartext
Windows 95 login password from a Windows 95 computer on a network
connected directly to the Internet given only the IP address and the
workgroup and leave no trace of your actions. It is untested and may
work with Windows for Workgroups as well.
Description
There has been recent discussion on security mailing lists concerning
the fact that Microsoft Internet Explorer running on Windows NT will
automatically try to log in to a remote SMB server (file server)
without prompting the user or without the user's knowledge. By design,
the NT machine will transmit to this remote server the encrypted
password and username of the user. This is documented by Aaron
Spangler. The caveats with this are that the passwords are encrypted
and that in many cases people do not use WWW browsers from NT servers,
but rather from computers running Windows 95.
It has been explained that this same exploit does not work against
Windows 95 because Windows 95 is only capable of accessing SMB shares
(file sharing) if they are:
* Connected to the same subnet.
* In the Windows 95 computer's LMHOSTS file on startup.
* Announced to the Windows 95 computer by a Master Browser.
It is this third and final condition that can be taken advantage of to
obtain the cleartext password and username of any Windows 95 user who
uses Microsoft Internet Explorer. Even careless use of Microsoft
Network Neighborhood can exploit this hole without the requirement for
Internet Explorer. The requirements are knowledge of the user's IP
address, workgroup name and that they access a hostile web page. The
first two are not difficult to obtain and the third does not have to
be an obscure page. In the last 6 months sites such as the CIA have
been broken into. All it would require is that one unnoticeable line
be added to the home page. Since the viewable content of the page has
not been altered, such a change can go unnoticed for a long time.
--
Steve Birnbaum - System Administrator, NetMedia. Jerusalem, Israel.
sbirn@netmedia.net.il Phone: +972-2-6795860 --Standard Disclaimer--
sbirn@security.org.il http://www.vix.com/spam/ (PGP key available)
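The post's central point is that a browser client will silently open an SMB session to a server the attacker names, carrying the user's credentials out through the perimeter. The defensive counterpart is to block, and at minimum log, outbound NetBIOS/SMB session traffic from client subnets. The following detection script is an added example and is not part of the original post or of the security.org.il write-up; it assumes a constructed firewall log format, an internal address range of 192.0.2.0/24, and the NetBIOS-over-TCP/IP ports 137, 138 and 139 (general knowledge, not stated in the post).

```python
import ipaddress
from typing import List, Tuple

# NetBIOS over TCP/IP ports (name, datagram and session services).
# Assumed here; the post does not name the port numbers.
NETBIOS_PORTS = {137, 138, 139}

# Assumed internal address space for this example (a documentation range).
INTERNAL_NET = ipaddress.ip_network("192.0.2.0/24")

# Constructed sample firewall log lines in a hypothetical format:
#   <timestamp> <action> <proto> <src_ip>:<src_port> -> <dst_ip>:<dst_port>
SAMPLE_LOG = """\
1997-03-18T04:20:01 ALLOW TCP 192.0.2.10:1027 -> 203.0.113.5:80
1997-03-18T04:20:02 ALLOW TCP 192.0.2.10:1028 -> 203.0.113.5:139
1997-03-18T04:20:03 ALLOW UDP 192.0.2.10:137 -> 192.0.2.255:137
1997-03-18T04:20:04 ALLOW TCP 192.0.2.11:1030 -> 198.51.100.7:139
1997-03-18T04:20:05 DENY TCP 192.0.2.11:1031 -> 198.51.100.7:139
1997-03-18T04:20:06 ALLOW TCP 203.0.113.9:40000 -> 192.0.2.10:139
"""


def parse_line(line: str):
    """Parse one log line into a dict of fields; return None for malformed lines."""
    parts = line.split()
    if len(parts) != 6 or parts[4] != "->":
        return None
    ts, action, proto, src, _, dst = parts
    try:
        src_ip, src_port = src.rsplit(":", 1)
        dst_ip, dst_port = dst.rsplit(":", 1)
        return {
            "ts": ts,
            "action": action,
            "proto": proto,
            "src_ip": ipaddress.ip_address(src_ip),
            "src_port": int(src_port),
            "dst_ip": ipaddress.ip_address(dst_ip),
            "dst_port": int(dst_port),
        }
    except ValueError:
        return None


def find_outbound_netbios(log_text: str) -> List[Tuple[str, str, str, int]]:
    """Return (timestamp, src, dst, port) for every ALLOWED flow from an
    internal host to a NetBIOS port on a host outside INTERNAL_NET.

    Such a flow is exactly the credential leak the post describes: a client
    authenticating to an SMB server it has no business talking to."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["action"] != "ALLOW":
            continue  # blocked at the perimeter; nothing left the network
        if rec["src_ip"] not in INTERNAL_NET or rec["dst_ip"] in INTERNAL_NET:
            continue  # not an internal-to-external flow (covers local broadcast)
        if rec["dst_port"] in NETBIOS_PORTS:
            hits.append((rec["ts"], str(rec["src_ip"]), str(rec["dst_ip"]), rec["dst_port"]))
    return hits


if __name__ == "__main__":
    for ts, src, dst, port in find_outbound_netbios(SAMPLE_LOG):
        print(f"{ts} internal host {src} opened NetBIOS port {port} on external host {dst}")
```

Run against the constructed log, the script reports the two allowed outbound sessions to port 139 and ignores the denied attempt, the local broadcast on port 137 and the inbound connection. The same predicate (internal source, external destination, NetBIOS port) is the rule a perimeter filter should deny outright; the log check is for confirming that the rule is in place and catching hosts that bypass it.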