DATE:  
COMMAND                                            SOURCE: 
                                                   AUTHOR: 
  SMB

SYSTEMS AFFECTED

  Win NT 3.5, 3.51, 4.0
  

PROBLEM

    Dominique  Brezinski  <dominique.brezinski@CyberSafe.COM> once
    said this on the NT security mailing list:

    The  problem  is  that  almost  ALL net  aware microsoft apps will
    prompt  the  user  for  their  password  if initial authentication
    fails (in the  case of downlevel  servers this will  always happen
    if the resource is  protected) and send it  in the clear!   I just
    verified this by connecting to  a Samba server (this is  a perfect
    example of  a downlevel  server) and  attempting to  connect to  a
    share from  winfile.exe and  explorer while  sniffing the  session
    with  Network  Monitor.   The  application  pops  up  a dialog box
    asking  for  a  username  and  password  and proceeds to send this
    information in the clear to the server.

    So, no, NT does not have access to the user's plaintext password
    after logon (the  GINA will have  access to the  password from the
    logon dialog box and then will pass  it to LSA in the clear.   LSA
    will  pass  it  in  the  clear  to  any password change notify and
    filter DLLs  registered with  LSA and  then to  the authentication
    and subauthentication  packages which  will actually  hash it  and
    test it against the OWF  stored by SAM), but all  the applications
    will try and get the plaintext password from the user at the  drop
    of a dime.
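    The following is an added example, not part of the quoted message
    or of any Microsoft or Samba code. It parses two constructed SMB1
    exchanges to show the on-the-wire difference the message describes:
    the "encrypt passwords" bit in the SecurityMode byte of the NT LM
    0.12 Negotiate response tells the client whether the server can do
    challenge/response; when a downlevel server leaves that bit clear,
    the password field of the client's Session Setup AndX request carries
    the password itself instead of a 24-byte LM/NTLM response. Only the
    command codes, flag bits and field layout come from the SMB1
    (MS-CIFS) specification; the packets, the account name "alice", the
    workgroup and the field values are constructed for the example.

```python
import struct

# SMB1 constants from MS-CIFS; everything else below is constructed for this example.
SMB_COM_NEGOTIATE = 0x72
SMB_COM_SESSION_SETUP_ANDX = 0x73
SMB_FLAGS_REPLY = 0x80
SMB_FLAGS2_UNICODE = 0x8000
SEC_MODE_USER_LEVEL = 0x01
SEC_MODE_ENCRYPT_PASSWORDS = 0x02   # server offers challenge/response; clear = plaintext expected
HEADER_LEN = 32
LM_RESPONSE_LEN = 24


def parse_header(pkt):
    """Return (command, flags, flags2) from the 32-byte SMB1 header."""
    if len(pkt) < HEADER_LEN or pkt[:4] != b"\xffSMB":
        raise ValueError("not an SMB1 message")
    command, _status, flags, flags2 = struct.unpack_from("<BIBH", pkt, 4)
    return command, flags, flags2


def parse_negotiate_response(pkt):
    """Read the SecurityMode byte of an NT LM 0.12 Negotiate response."""
    command, flags, _ = parse_header(pkt)
    if command != SMB_COM_NEGOTIATE or not flags & SMB_FLAGS_REPLY:
        raise ValueError("not a Negotiate response")
    if pkt[HEADER_LEN] != 17:          # WordCount of the NT LM 0.12 response
        raise ValueError("only the NT LM 0.12 negotiate response is handled")
    _dialect_index, security_mode = struct.unpack_from("<HB", pkt, HEADER_LEN + 1)
    return {"challenge_response": bool(security_mode & SEC_MODE_ENCRYPT_PASSWORDS)}


def parse_session_setup_request(pkt):
    """Read password-field lengths and account name from a Session Setup AndX request (OEM strings only)."""
    command, flags, flags2 = parse_header(pkt)
    if command != SMB_COM_SESSION_SETUP_ANDX or flags & SMB_FLAGS_REPLY:
        raise ValueError("not a Session Setup AndX request")
    if flags2 & SMB_FLAGS2_UNICODE:
        raise ValueError("Unicode string encoding is not handled in this example")
    if pkt[HEADER_LEN] != 13:          # WordCount of the non-extended NT LM 0.12 request
        raise ValueError("unexpected Session Setup AndX WordCount")
    # Words: AndXCommand, AndXReserved, AndXOffset, MaxBufferSize, MaxMpxCount,
    # VcNumber, SessionKey, OEMPasswordLen, UnicodePasswordLen, Reserved, Capabilities
    words = struct.unpack_from("<BBHHHHIHHII", pkt, HEADER_LEN + 1)
    oem_len, uni_len = words[7], words[8]
    data_off = HEADER_LEN + 1 + 26
    (byte_count,) = struct.unpack_from("<H", pkt, data_off)
    data = pkt[data_off + 2 : data_off + 2 + byte_count]
    # The account name is the first null-terminated string after the password blobs.
    account = data[oem_len + uni_len :].split(b"\x00")[0].decode("ascii", "replace")
    return {"oem_password_len": oem_len, "unicode_password_len": uni_len, "account": account}


def audit_exchange(negotiate_pkt, setup_pkt):
    """Classify how the credential travelled; the password bytes themselves are never returned."""
    nego = parse_negotiate_response(negotiate_pkt)
    setup = parse_session_setup_request(setup_pkt)
    pw_len = setup["oem_password_len"] + setup["unicode_password_len"]
    if pw_len == 0:
        verdict = "null-session"
    elif not nego["challenge_response"]:
        verdict = "plaintext"          # no challenge was offered, so the field holds the password itself
    elif LM_RESPONSE_LEN in (setup["oem_password_len"], setup["unicode_password_len"]):
        verdict = "challenge-response"
    else:
        verdict = "unknown"
    return {"account": setup["account"], "password_field_len": pw_len, "verdict": verdict}


# --- constructed sample packets (builders exist only to feed the parser above) ---
def _header(command, flags):
    return b"\xffSMB" + struct.pack("<BIBH", command, 0, flags, 0) + bytes(20)


def build_negotiate_response(challenge_response):
    security_mode = SEC_MODE_USER_LEVEL | (SEC_MODE_ENCRYPT_PASSWORDS if challenge_response else 0)
    challenge = b"\x11" * 8 if challenge_response else b""
    words = struct.pack("<HBHHIIIIQHB", 0, security_mode, 50, 1, 4356, 65536, 0, 0, 0, 0, len(challenge))
    data = challenge + b"WORKGROUP\x00"
    return _header(SMB_COM_NEGOTIATE, SMB_FLAGS_REPLY) + bytes([17]) + words + struct.pack("<H", len(data)) + data


def build_session_setup(account, password_blob):
    words = struct.pack("<BBHHHHIHHII", 0xFF, 0, 0, 4356, 50, 0, 0, len(password_blob), 0, 0, 0)
    strings = b"\x00".join([account, b"WORKGROUP", b"Windows NT 4.0", b"NT LAN Manager 4.0"]) + b"\x00"
    data = password_blob + strings
    return _header(SMB_COM_SESSION_SETUP_ANDX, 0) + bytes([13]) + words + struct.pack("<H", len(data)) + data


# Downlevel server: no challenge offered, client answers the prompt with the password plus terminating null.
DOWNLEVEL_EXCHANGE = (build_negotiate_response(False), build_session_setup(b"alice", b"s3cret\x00"))
# NT server: challenge offered, client sends a 24-byte LM response (zeros stand in for the real value).
NT_EXCHANGE = (build_negotiate_response(True), build_session_setup(b"alice", bytes(LM_RESPONSE_LEN)))

if __name__ == "__main__":
    for name, (nego, setup) in (("downlevel server", DOWNLEVEL_EXCHANGE), ("NT server", NT_EXCHANGE)):
        print(name, audit_exchange(nego, setup))
```

    Run over captured Negotiate/Session Setup pairs, a check like this
    lets an administrator alert on the "plaintext" verdict, i.e. on a
    user having been prompted into the fallback the message describes,
    without the monitoring tool itself logging the password.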



EXPLOIT

  

SOLUTION

    It is not too difficult to trick a client into doing this, and the
    only way to stop it is to inform your users to NEVER enter their
    password except at logon.  If they have problems connecting to a
    service and are prompted for their password, they should be told
    to call the network administrator before entering it.