Bugtraq mailing list archives
Exploit for MSIE on Win95
From: sbirn () NETMEDIA NET IL (Steve Birnbaum)
Date: Tue, 18 Mar 1997 04:25:53 +0200
See http://www.security.org.il/msnetbreak/ for more details.

What's new

It is possible from anywhere on the Internet to obtain the cleartext Windows 95 login password from a Windows 95 computer on a network connected directly to the Internet, given only the IP address and the workgroup, and to leave no trace of your actions. It is untested and may work with Windows For Workgroups as well.

Description

There has been recent discussion on security mailing lists concerning the fact that Microsoft Internet Explorer running on Windows NT will automatically try to log in to a remote SMB server (file server) without prompting the user or without the user's knowledge. By design, the NT machine will transmit to this remote server the encrypted password and username of the user. This is documented by Aaron Spangler. The caveats with this are that the passwords are encrypted and that in many cases people do not use WWW browsers from NT servers, but rather from computers running Windows 95.

It has been explained that this same exploit does not work against Windows 95 because Windows 95 is only capable of accessing SMB shares (file sharing) if they are:

* Connected to the same subnet.
* In the Windows 95 computer's LMHOSTS file on startup.
* Announced to the Windows 95 computer by a Master Browser.

It is this third and final condition that can be taken advantage of to obtain the cleartext password and username of any Windows 95 user who uses Microsoft Internet Explorer. Even careless use of Microsoft Network Neighborhood can exploit this hole without the requirement for Internet Explorer.

The requirements are knowledge of the user's IP address, workgroup name, and that they access a hostile web page. The first two are not difficult to obtain and the third does not have to be an obscure page. In the last 6 months sites such as the CIA have been broken into. All it would require is that one unnoticeable line be added to the home page. Since the viewable content of the page has not been altered, such a change can go unnoticed for a long time.

--
Steve Birnbaum - System Administrator, NetMedia. Jerusalem, Israel.
sbirn () netmedia net il Phone: +972-2-6795860
--Standard Disclaimer--
sbirn () security org il http://www.vix.com/spam/ (PGP key available)
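The post's precondition is a Windows 95 host "connected directly to the Internet": both a remote machine announcing itself as a Master Browser and the client's automatic SMB login depend on NetBIOS/SMB traffic crossing the site border. The following script is an added example and is not part of Steve Birnbaum's post or of the msnetbreak writeup; it shows the border check a defender would run over firewall logs. It assumes the standard NetBIOS-over-TCP/IP ports (137, 138, 139), a simple constructed log line format, and that 10.0.0.0/8 and 192.168.0.0/16 are the local networks; the sample log lines are constructed for the example.

```python
"""Flag NetBIOS/SMB traffic crossing the Internet border in firewall logs.

Added example (not code from the original post). Any NetBIOS/SMB flow with
one end on the local network and the other on a public address is reported,
split into inbound (remote hosts can send browser announcements or datagrams
to the client) and outbound (the client logs in to a remote SMB server).
"""
import ipaddress
import re
from dataclasses import dataclass

# Assumption: standard NetBIOS-over-TCP/IP port assignments.
NETBIOS_PORTS = {137: "netbios-ns", 138: "netbios-dgm", 139: "netbios-ssn"}

# Assumption: these ranges are the site's local networks.
LOCAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
              ipaddress.ip_network("192.168.0.0/16")]

# Assumed (constructed) log format:
#   "<date> <time> proto=<tcp|udp> src=<ip>:<port> dst=<ip>:<port>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) proto=(?P<proto>tcp|udp) "
    r"src=(?P<sip>[\d.]+):(?P<sport>\d+) dst=(?P<dip>[\d.]+):(?P<dport>\d+)$"
)

# Constructed sample log lines for the example.
SAMPLE_LOG = """
1997-03-18 04:20:01 proto=udp src=203.0.113.5:138 dst=192.168.1.20:138
1997-03-18 04:20:02 proto=tcp src=192.168.1.20:1034 dst=203.0.113.5:139
1997-03-18 04:20:03 proto=tcp src=192.168.1.20:1035 dst=192.168.1.2:139
1997-03-18 04:20:04 proto=tcp src=192.168.1.20:1036 dst=203.0.113.5:80
this line is not a firewall record
""".strip().splitlines()


@dataclass
class Flow:
    ts: str
    proto: str
    src: ipaddress.IPv4Address
    sport: int
    dst: ipaddress.IPv4Address
    dport: int


def parse_line(line):
    """Parse one log line into a Flow; return None for lines that don't match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return Flow(m["ts"], m["proto"],
                ipaddress.ip_address(m["sip"]), int(m["sport"]),
                ipaddress.ip_address(m["dip"]), int(m["dport"]))


def is_local(addr):
    return any(addr in net for net in LOCAL_NETS)


def classify(flow):
    """Return a finding for a NetBIOS/SMB flow that crosses the border, else None."""
    if flow.dport in NETBIOS_PORTS:
        service = NETBIOS_PORTS[flow.dport]
    elif flow.sport in NETBIOS_PORTS:
        service = NETBIOS_PORTS[flow.sport]
    else:
        return None  # not NetBIOS/SMB at all
    src_local, dst_local = is_local(flow.src), is_local(flow.dst)
    if src_local == dst_local:
        return None  # purely internal (or purely external): no border crossing
    if src_local:
        direction, note = "outbound", "local host talking SMB/NetBIOS to an Internet address"
    else:
        direction, note = "inbound", "Internet address sending NetBIOS/SMB to a local host"
    return {"ts": flow.ts, "direction": direction, "service": service,
            "src": str(flow.src), "dst": str(flow.dst), "note": note}


def find_border_netbios(lines):
    """Run the check over an iterable of log lines and collect the findings."""
    findings = []
    for line in lines:
        flow = parse_line(line)
        if flow is None:
            continue
        finding = classify(flow)
        if finding is not None:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in find_border_netbios(SAMPLE_LOG):
        print(f"{f['ts']} {f['direction']:8} {f['service']:11} {f['src']} -> {f['dst']}: {f['note']}")
```

On the constructed sample the script reports two border crossings (the inbound datagram on 138 and the outbound session on 139) and ignores the internal SMB flow and the web request. A host whose logs show either kind of crossing is one the post's precondition applies to; the usual fix is to drop ports 137-139 in both directions at the border.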
Current thread:
- Exploit for MSIE on Win95 Steve Birnbaum (Mar 17)