[8242] in bugtraq
13 tiny bytes to show the huge sillyness of our great common
daemon@ATHENA.MIT.EDU (bt398)
Wed Oct 21 22:39:49 1998
Date: Wed, 21 Oct 1998 23:07:44 +0100
Reply-To: bt398 <bt398#@SOTON.AC.UK>
From: bt398 <bt398#@SOTON.AC.UK>
To: BUGTRAQ@NETSPACE.ORG
This is a multi-part message in MIME format.
------=_NextPart_000_01BDFD47.9C3B9DE0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
Lately, I've been playing a bit with net.exe program
(\windows\net.exe). With this program, a user can set up the network
drivers (Windows For Workgroup protocol); moreover, a user can log in (open
a wfw session) and also change his password. As this program runs on DOS,
I've been wondering how next.exe was retrieving the password of the user;
as no DLL calls to undocumented functions are possible, only a call to a
special interrupt/function should be used.
Then, tracing through the code, I've found a rather interesting feature.
When a user changes its password, net.exe accesses to the old password
using the multiplex interrupt 2fh (or so-called software interrupt) with
function 11h (sub function 84h). I suppose that function 11XX, int 2fh is
installed by the windows kernel so that it can exchange data (WFW infos)
with a DOS program. Well, so you would say that this function requires as
input the password and returns an error if the password is bad.. but, no..
Microsoft did it the other way. The function returns the uncrypted password
to a buffer (... no comment).
Indeed, this is not _big_ deal but if a user has access to your computer
after you logged then he can easily retrieve your password.. And I am sure
that a lot of people uses the same password for their mail and their
windows password (so it is somewhat a security problem). I attached a small
program that prompts the password of the user (you must have logged in
first); this only work on Windows for Workgroup 3.11 and Windows 95
(Windows 98 and Windows NT are not affected -hopefully-).
But I wouldn't be surprised if Win98 has an undocumented function that
returns the password of the user (I wouldn't bet that about NT though.)
fix : well, I didn't find anything .. except that this code :
mov ax, 1184h
mov bx, 0dh
xor cx, cx
int 2fh
seems to disable the password caching feature.
ga
------=_NextPart_000_01BDFD47.9C3B9DE0
Content-Type: application/octet-stream; name="Cachepig.zip"
Content-Transfer-Encoding: base64
Content-Description: Cachepig.zip (ZIP File)
Content-Disposition: attachment; filename="Cachepig.zip"
UEsDBBQAAAAIAAiLVSWmFN1EjQIAAB0IAAAMAAAAQ0FDSEVQSUcuQVNNtVVha9swEP0eyH+4b9lo
EuzUC1uyjkE7xtiybJTBYIwiW2dbVJaMpazOv5+kxHZii1LK5gQ7ku893buTXtbwFbVKSImQSQ06
R0hIkiOFRD7M56AkbFhSSSVT3Y8oWTYfj9bm62aYyKAkSj3IigITUGAhqz0wBcLgiEFLauA2TEug
El4oTHYV03vQhN+b+ZerI11zFfKPuZN6CmH4OsrbeVjDJVwMI2M+hQBP4mzkwheZGM4g7UV6OSmb
AhHqrpXmiWRCm/vinK9Z/QrCS4j3GlVTLFmUjCOsQBBVwCyF2JRrJg91tVU1Ed3AxIxH9hMzrSBc
wlOvNSyjAD7HQCitUClb+UJSHI9klQEEdRgET2VyzZOcwvx6u4HUpG8zutneAnz4/gMWYT4ebb59
+XkYDQvhZy12XLOSY20raAkVJppJAXONtZs474XphulbTITAqnt3TTi3zxumSk72PpjbGK9yD9+x
u6az91kld+WQ9iPqu08ilcqPVrryoU8TpmzIuiH3eHernyHj8hEZXGZMPEtCD/n/0sdH0m/O2LMU
DMH/XASpp9F1EJwosCf/ZnvrDsMBsxquT3Kj+00P5ZaxyGayQrfjm6ROeBLuEWUdLFxcLKNZ1L2s
ZXVY0VSa8FPuUqB5qoSo2FMgZ2y/UK0om4W/TbbBIgpIQE9yPqbXNsKnszFqf7Y9v+15wVbwPQhE
ihRSIyPmV2d7pamZc5lHXYXpiYKC1MBRZDoHmcJwbxzltIZDiSbOZJ25NFE0hkljxDCDjMBbuhMJ
Ee+LfUY4zmWVvZsYadS22PW5/bWwdThzB0fXjVYwGY/OzAc0K1DBMrKRwRHuTmabTTdq4d2UD979
b1l4N2rh3VQf/hdQSwMEFAAAAAgAjopVJYqzpGPAAAAAbgEAAAwAAABDQUNIRVBJRy5DT02tjjGK
wkAYRv9xSaEQxc5ysogWYhTsggSbhS3WQwxJHIMxExKC2NvoATyGTbbQbWYhhVVaD2D115YiaHKG
+MoH3+P7swmakChyT3AKcke2dxwB9iD5kFeCBshLoShgC5K61CvYBflZyZUKqMARfjLtt5pp6eP0
DcP/26EzO3891Vob0uOmeWpANkgtZs2dwOW0TzmjYzv2LeZPlmvOPEcXITfVWj5YiXDBQxEH1KBQ
Ek9w16cF5VsBi6L8m/2O1gtQSwECFAAUAAAACAAIi1UlphTdRI0CAAAdCAAADAAAAAAAAAABACAA
AAAAAAAAQ0FDSEVQSUcuQVNNUEsBAhQAFAAAAAgAjopVJYqzpGPAAAAAbgEAAAwAAAAAAAAAAQAg
AAAAtwIAAENBQ0hFUElHLkNPTVBLBQYAAAAAAgACAHQAAAChAwAAAAA=
------=_NextPart_000_01BDFD47.9C3B9DE0--