Home page logo

bugtraq logo Bugtraq mailing list archives

13 tiny bytes to show the huge sillyness of our great common
From: bt398# () SOTON AC UK (bt398)
Date: Wed, 21 Oct 1998 23:07:44 +0100

This is a multi-part message in MIME format.

Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit

        Lately, I've been playing a bit with net.exe program
(\windows\net.exe). With this program, a user can set up the network
drivers (Windows For Workgroup protocol); moreover, a user can log in (open
a wfw session) and also change his password. As this program runs on DOS,
I've been wondering how next.exe was retrieving the password of the user;
as no DLL calls to undocumented functions are possible, only a call to a
special interrupt/function should be used.

 Then, tracing through the code, I've found a rather interesting feature.
When a user changes its password, net.exe accesses to the old password
using the multiplex interrupt 2fh (or so-called software interrupt) with
function 11h (sub function 84h). I suppose that function 11XX, int 2fh is
installed by the windows kernel so that it can exchange data (WFW infos)
with a DOS program. Well, so you would say that this function requires as
input the password and returns an error if the password is bad.. but, no..
Microsoft did it the other way. The function returns the uncrypted password
to a buffer (... no comment).

Indeed, this is not _big_ deal but if a user has access to your computer
after you logged then he can easily retrieve your password.. And I am sure
that a lot of people uses the same password for their mail and their
windows password (so it is somewhat a security problem). I attached a small
program that prompts the password of the user (you must have logged in
first); this only work on Windows for Workgroup 3.11 and Windows 95
(Windows 98 and Windows NT are not affected -hopefully-).

But I wouldn't be surprised if Win98 has an undocumented function that
returns the password of the user (I wouldn't bet that about NT though.)

fix: well, I didn't find anything .. except that this code :

    mov ax, 1184h
    mov bx, 0dh
    xor  cx, cx
    int   2fh

seems to disable the password caching feature.

Content-Type: application/octet-stream; name="Cachepig.zip"
Content-Transfer-Encoding: base64
Content-Description: Cachepig.zip (ZIP File)
Content-Disposition: attachment; filename="Cachepig.zip"



  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]