Article 32788 of alt.security:
Path: nntpd.lkg.dec.com!crl.dec.com!pa.dec.com!decuac.dec.com!haven.umd.edu!news.umbc.edu!eff!usenet.ins.cwru.edu!magnus.acs.ohio-state.edu!csn!gw1.att.com!gw2.att.com!news.midplains.net!chi-news.cic.net!news.math.psu.edu!news.cac.psu.edu!newsserver.jvnc.net!newsserver2.jvnc.net!howland.reston.ans.net!swrinde!sdd.hp.com!hplabs!unix.sri.com!news.Stanford.EDU!Networking.Stanford.EDU!llurch
From: Rich Graves
Newsgroups: comp.security.misc,comp.os.ms-windows.win95.misc,comp.os.ms-windows.nt.admin.networking,alt.security
Subject: Re: Cracked: WINDOWS.PWL [most services accessed by any version of Microsoft Windows]
Date: Tue, 5 Dec 1995 19:37:50 -0800
Organization: Stanford University
Lines: 120
Message-ID:
NNTP-Posting-Host: networking.stanford.edu
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
To: Bugtraq List
In-Reply-To:
X-PGP-key: finger llurch@mordor.stanford.edu
Xref: nntpd.lkg.dec.com comp.security.misc:24404 comp.os.ms-windows.win95.misc:68482 comp.os.ms-windows.nt.admin.networking:4270 alt.security:32788

-----BEGIN PGP SIGNED MESSAGE-----

[Reply to BUGTRAQ, Bcc'd to a local list.]

On Tue, 5 Dec 1995, Michael S. Fischer wrote:

> I don't know if this is suitable for inclusion on Bugtraq, but it's quite
> scary if the implications are as described...
>
> >---------- Forwarded message ----------
> >Date: Mon, 4 Dec 1995 19:06:12 +0100
> >From: Tatu Ylonen
> >To: ssh@clinet.fi
> >Subject: FWD from Frank Andrew Stevenson: Cracked: WINDOWS.PWL
> >
> >I am sorry to send noise to the list; this deals with Windows95 but is
> >quite relevant to many Unix administrators as well.  This is not
> >related to ssh.  The ssh list is not intended for this kind of stuff,
> >so please don't do what I am doing now.
> >
> >Basically, you should be aware that if you ever mount disks from Unix
> >machines to Windows95 machines, the passwords of the unix machine (or
> >your other file servers) will be stored on the Windows machine's disk
> >essentially in the plain, and any 10-year computer-literate kid with a
> >little knowledge will be able to retrieve them in seconds if he gets
> >access to client machine.

[Quoted message, complete with source code, deleted. See sci.crypt or
the cypherpunks archives.]

Well, the Win95 SMB security bug was discussed here, so I think this is
at least as relevant.

Win95 (and Windows for Workgroups; this might also apply to NT) will
indeed save passwords for Samba servers running on UNIX machines, NetWare
servers on UNIXWare machines, and UNIX SLIP/PPP servers. It will save
them in weakly encrypted .PWL files. According to article
<4a2bij$ma6@wizard.uark.edu> in comp.security.misc, a decent machine can
crack .PWL files in less than one second. Bugs have been reported (but
not confirmed) that might under some circumstances cause Win95 to save
.PWL files totally unencrypted.

Microsoft encourages developers to use the .PWL architecture, so other
network operating systems and "security tools" are also likely to use the
.PWL file, if not now, then in the future.

I don't believe this applies to the current versions of PC/NFS or other
Win95-enabled NFS clients; I would think that the TGV and B&WS guys would
be smarter than that, but confirmation of this point would be
appreciated.

.PWL files for any user of the Win95 machine can be picked up by anyone
with physical access to the machine, or by anyone with network access to
the C:\WINDOWS directory on the machine.

If the recently posted file sharing patches are not installed (and
currently, they are only available for the US-English version of Win95,
despite assurances from the Win95 product manager that international
versions would be available over a week ago), and if file sharing for any
subdirectory of the machine is enabled, then anyone within your firewall
(if any) and with knowledge of even the Win95 machine's most restrictive
sharing or administrator password (if any; passwordless guest access will
work if it's enabled) can get read access to *any* directory starting
from root, including C:\WINDOWS\*.PWL.

The solution is to disable "password caching" entirely and to delete
C:\WINDOWS\*.PWL on any machine that is not physically and
network-secured. Ideally, one would disable the supposed "user profiles"
feature of Win95 entirely, and present it as the totally insecure
single-user client operating system it is, so as to avoid the risks
associated with a false sense of security.

To fix this for Windows for Workgroups, insert "passwordcaching=no" into
the [NETWORK] section of SYSTEM.INI [Credit Jim Carlson].

To disable "password caching" on Win95, you could run PolEdit [Credit Don
Edwards], but IMO this is a bad idea, because ways have been published to
disable "Policies," which users might want to do for other reasons. The
better alternative is to create the following undocumented Registry
entry:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\
Network\DisablePwdCaching

This gets a binary value of 1 [Credit Malcolm G. Miles].

Of course you'd have to check from time to time to ensure that some
malicious user had not turned this switch back off, because there is no
way to protect the Registry that cannot be overcome in two minutes. When
it rains it pours...

Maybe security-conscious sites would write login scripts to delete .PWL
files that are larger than they should be?

Could some Registry-savvy individual post a Registry script to do this
from the DOS command line or in a login script?

For full credits and further discussion, see the list archive at
gopher://quixote.stanford.edu/1m/win95netbugs (a poor old NeXT; be
gentle).

- -rich
llurch@networking.stanford.edu
moderator of the win95netbugs list
http://www-leland.stanford.edu/~llurch/win95netbugs/faq.html
(No, the faq has not been substantially touched since October 10... any
volunteers?)

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2

iQCVAwUBMMUO3I3DXUbM57SdAQEu3gP/dz30ZFqFP+P3A+9wTdn6ns1pW+6jZaIm
h/x8xbJLDw86EDkzTK8Li8ajSQtXv1FrJZbZjlaTle74+p8iUg1KEUm+TyUtnhsD
s+8Z0cQZ8qU5N5mbUZJrkmbviCbPVGBelussXx/yafJQfEESmpewVUNVcl3cf7jn
S7YLkwoLfzo=
=eS5G
-----END PGP SIGNATURE-----
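An added example, written here as an answer to the request at the end of the post and not code from Rich Graves, Microsoft or the win95netbugs list: a Windows 95 login script that applies the mitigation the post describes, setting the DisablePwdCaching policy value and deleting any cached .PWL files on every logon, so that a user who flips the switch back off gets it turned on again the next time they log in. It assumes the client sets %windir% at boot and that REGEDIT.EXE accepts /S for a silent merge (both standard on Win95); the post calls the value "a binary value of 1", and writing it as a DWORD 1 in REGEDIT4 syntax is an assumption based on how the policy editor stores Policies\Network values.

```batch
@echo off
rem Added example login script (not from the post above). Runs on the
rem Windows 95 client at each network logon.
rem Assumptions: %windir% is set by Win95 at boot; REGEDIT /S merges a
rem REGEDIT4 file without prompting; %windir%\TEMP exists.

rem --- 1. Re-assert the DisablePwdCaching policy on every logon, so a
rem user who removed the value does not stay in the cached-password state.
rem The post describes the data as "binary value of 1"; dword:00000001 is
rem an assumption about how the policy editor stores it.
set PWLREG=%windir%\TEMP\NOPWL.REG
echo REGEDIT4> %PWLREG%
echo.>> %PWLREG%
echo [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Network]>> %PWLREG%
echo "DisablePwdCaching"=dword:00000001>> %PWLREG%
regedit /s %PWLREG%
del %PWLREG%

rem --- 2. Remove any existing password lists. Win95 may recreate an
rem empty .PWL for the Windows logon itself, but with caching disabled
rem it will no longer hold Samba, NetWare or dial-up server passwords.
if exist %windir%\*.PWL del %windir%\*.PWL
set PWLREG=
```

The registry step writes the same key the post names, one level above the value, with the value given in REGEDIT4 form; run it from the domain or Samba logon script so that it executes before the user touches any server share. The .PWL deletion removes whatever was cached before caching was disabled, which the policy value alone does not do.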