Vulnerability Development mailing list archives
NT stores passwords in plaintext. (sp00ky)
From: -No Strezzz Cazzz <Butterphly6 () CAZZZ DEMON NL>
Date: Mon, 19 Mar 2001 18:57:09 +0100
[Note that this is an updated version of my post sent to Bugtraq some time ago]

Made in Holland PCP/A #0004 (pr0ph)
Local Bug/Vulnerability in IE/OE
Exploitable: Well, read and decide for yourself.
Proved vulnerable: So far, NT4 Workstation with SP4.
Posted To: NTBugtraq/Bugtraq mailing lists & Packetstorm.

A copy of this text was sent to Microsoft at the same time I posted this to the mailing lists. What can I say, xcept for: It's nothing personal, Bill. After all they should have been aware of this for at least 2 years.

First of all shoutzzz go out to Neil Kirr ( nkirr () uu net ) for finding this bug 2 years ago! Check out his post to the NTBugTraq mailing list: Message-ID: ntbugtraq549987.79296875

Shoutzzz also go out to Reverend Lola (for whetting my appetite on NT security), and to Deeph Inc. (for being a great partner in packets). Good luck with Perl, my phriend.

You may find some parts of this text very obvious (d0h), but the smallest mistakes often trigger the worst disasters.

The reason that I make this posting is because I have more/additional information. Neil only mentioned one password, I found two. He used Outlook98, I use Lookout, eh Outlook (l4m3) Express 4.72 on NT4. Also in a reply from the MS Outlook Program Manager to the NTBugtraq mailing list it is said that "User.dmp is the file written out when NT blue-screens". This is not true, at least not in this case; it is obviously created because of an error somewhere, but my NT4 has NEVER blue-screened on me yet. (That is, if I don't want it to blue-screen on me, DoS By Demand.) I will show you how/why the USER.DMP file gets written, d00dz try this at home!

Maybe it's a good plan to first read Neil's original post and Russ' reply before you continue reading this.

I am using bogus passwords in this text, for privacy reasons. =oP

I didn't know about this vulnerability until I discovered it myself. I found out about it while using the [find "POP3PASS" *] command while in the \WINNT\system32 directory.
(It kinda sucked to find out later that Neil already discovered it 2 years ago. I searched AltaVista for "USER.DMP NT4" to find out what USER.DMP was about and one of the first hits included his posting to the NTBugtraq, but 0h well.)

I was playing with the "Find" command to see what kind of info it could dig up. I really didn't expect it to come up with:

---------- USER.DMP
POP3PASS

I thought this was really weird, first of all because my NT4 stored my POP3-password in plain ASCII. And second because I never noticed the USER.DMP file in the \WINNT\system32 (or anywhere else) before. So I opened the file (I think the size was about 4MB) and retrieved my POP3-password by Search/Find/POP3PASS (d0h). It showed up in the following lines:

y-ñ\ ß POP3PASS Á\ ": м ÀOÔ?u-~A½Ð» ÀOÔ? D e M o N 7 1 1 6 C D C

This is important to know, because it was close to "D e M o N" (I named my provider DeMoN but in USER.DMP it was printed with a space between each letter), so we could use that as an indicator in case we don't know the password.

By the way, if you open USER.DMP it might take a little while before you actually see its content. Task Manager will tell you that it's "not responding" but it is, just be a little patient.

I noticed that not only the complete contents of my OE (E-mail, usenet and settings) were stored throughout the file, it also contained the contents of my IE "Favourites" folder, my complete "History" folder and a sh!tload of other data, most of it useless. But it has a ph0nky effect when you scroll it down quickly, so that makes up for being useless. I of course checked if perhaps the file also stored any other passwords, but it didn't. (That's what I thought anyway.)

I tried to figure out how that USER.DMP file got there. I formatted my comp and installed NT4 again to make absolutely sure this wasn't some extremely weird coincidence. The first thing I did on my "fresh" NT was to try to find the USER.DMP file.
It wasn't in the \WINNT\system32 directory; in fact it wasn't anywhere on my system. Because I had no idea of how to create the USER.DMP file I strezzzed out and kinda forgot about it. Until this morning when I noticed a USER.DMP file in my \WINNT directory. (I don't know why it appeared in the \WINNT directory instead of the \WINNT\system32 directory as it did the first time.) I opened it and found my POP3-password stored in plain text, just like the first time. One difference was that the file now was 11.9 MB. This is probably because I had a huge lot of usenet postings that I didn't delete yet.

This time I did know what actions created the file. I like to play around a lot on my NT; something I often do is to open all sorts of different files with Notepad and then "read" through them to see if I can find something interesting. I do this all the time, so this is most likely what created the file the first time too.

Anyway I started reading through the file. It's full of weird/interesting stuff, but the most interesting thing I discovered was my Administrator dial-up password for DeMoN. The reason why I couldn't retrieve it with "Find" was because it was stored with a space between each letter, something like: "P a z z z w 0 r d". It showed up in the following lines:

R kM * C:\WINNT\System32\RAS\rasphone.pbk \ D E V I C E \ N D I S W A N 3 DeMoN c a z z z m @ @ ÿÿÿÿÿÿÿ ¨çw çw P a z z z w 0 r d

Note that it's again close to my provider's name (DeMoN) and close to my account name (cazzz). Only this time "c a z z z" is with spaces and "DeMoN" is without them. Both my POP3 and dial-up password were located within the first upper 10% of the file (still a HUGE load of data though). So now we know that if we don't know any of those passwords we can probably find them close to the account where our POP3 is located, and close to our account name. Be sure you read the file from top to bottom, not from left to right; use "Word Wrap" if needed.
I can confirm that in all four USER.DMP's I have had so far the passwords are close to the account or the account name.

You can cause a USER.DMP file to get created by doing the following:

Fill the "Newsgroups:" field in Outlook Express with over 700 chars and press "send". This will cause a buffer to overflow; it closes down OE and it creates a USER.DMP file in your WINNT directory.

You can also close down the main OE window while you're viewing the source of a message (Ctrl-F3 only). This will also close down OE and it creates a USER.DMP file in your WINNT directory. Note that USER.DMP will be much smaller with this one than if you try to create it with the "Newsgroups:" overflow.

It might also be a good idea to clean out your Outlook Express/Favourites/History/Cookie folders before testing this. You will find all of their content back in USER.DMP, so it gets huge in a hurry.

Let me add this tiny, little & cute warning: Although I'm starting to like NT4 more and more (face it, GUI is what makes the world go round) I still get a big kick out of it when I'm able to blow it up (especially with homemade) vulnerabilities. I can do this because it's my NT and my computer. So before you start to test this on your corporate LAN.....Be sure to backup, H4H4H4, better saphe than s0rry. Oh, and because of Windows' nasty habit of assuming that if you open a file with Notepad all files of that type turn into Notepad documents, you may soon find your whole system32-folder filled with Notepad-format files.

Solution: The solution to this problem is as simple as it is effective. Just as Neil mentioned two years ago: Don't let IE/OE save your password when you make a dial-up connection. And of course you need a brain that works; would you believe that there are still people out there that use the same password more than once? Tsk tsk. Doing that will lead you and your system straight into oblivion when mixed with this bug.
You can unsave your password by choosing Security/Unsave Password on your dial-up network monitor.

You would help us out a lot if you would test this and mail the results to the Bugtraq lists and/or to us: Industrial_Strength () cazzz demon nl (The Exploiters). We will store the info in our private PCP/TNT archives, thanks.

Another fine Planet Cazzz Production/Advisory, in association with The Nations Top. We cannot be held responsible for your actions, but you can try. Made in Holland. PCP/A #0004 (pr0ph)

We want to say hell0 to all the Crackers, the Hackers and the Phreax.
We want to say hell0 to all the people in this place.
We want to say hell0 to all the Sinners and 31337.
We say hell0 to all the people in the world...

-No Strezzz Cazzz, Powered By UN0X

PCP, Phencyclidine: Causes a range of bizarre and violent effects.
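As an added example (not part of the original post or any reply), a small Python audit script that applies the post's observation about the two string forms in the dump: plain 8-bit ASCII, and UTF-16LE, which Notepad shows with "a space between each letter" and which a plain Find for the password misses. It lists printable strings of either kind near a marker such as POP3PASS, and checks whether known secrets appear in a dump at all, so a crash dump can be verified clean before it is kept or sent to a vendor, and the "unsave password" fix can be confirmed. The sample bytes, account name and password values are constructed placeholders, not a real USER.DMP.

```python
import re

# Printable runs of 4+ chars, either 8-bit ASCII or UTF-16LE (each char
# followed by a NUL byte, which Notepad renders as "P a z z z w 0 r d").
ASCII_RUN = re.compile(rb"[\x20-\x7e]{4,}")
WIDE_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){4,}")

def extract_strings(data):
    """Return sorted (offset, text, encoding) for every printable run."""
    found = [(m.start(), m.group().decode("ascii"), "ascii")
             for m in ASCII_RUN.finditer(data)]
    found += [(m.start(), m.group().decode("utf-16-le"), "utf-16le")
              for m in WIDE_RUN.finditer(data)]
    return sorted(found)

def strings_near(data, marker, window=256):
    """Strings that start within `window` bytes after each hit of `marker`;
    the marker itself is searched in both encodings."""
    strs = extract_strings(data)
    hits = []
    for needle in (marker.encode("ascii"), marker.encode("utf-16-le")):
        pos = data.find(needle)
        while pos >= 0:
            near = [(off, s, enc) for off, s, enc in strs
                    if pos < off <= pos + window]
            hits.append((pos, near))
            pos = data.find(needle, pos + 1)
    return hits

def leaked_secrets(data, secrets):
    """Which of the known secrets occur in the dump, in either encoding."""
    return {s for s in secrets
            if any(s.encode(enc) in data for enc in ("ascii", "utf-16-le"))}

# Constructed sample "dump" (placeholder values, not a real USER.DMP):
# non-printable filler around the patterns the post describes.
SAMPLE_DUMP = (
    bytes(range(256)) * 2
    + b"POP3PASS" + b"\x00\xc1\x5c" + "DeMoN".encode("utf-16-le")
    + b"\x00\x00" + "7116CDC".encode("utf-16-le") + b"\xff" * 64
    + b"C:\\WINNT\\System32\\RAS\\rasphone.pbk\x00" + b"DeMoN\x00\x00"
    + "cazzz".encode("utf-16-le") + b"\xff" * 8
    + "Pazzzw0rd".encode("utf-16-le") + bytes(range(256))
)

if __name__ == "__main__":
    for pos, near in strings_near(SAMPLE_DUMP, "POP3PASS"):
        print(f"POP3PASS at 0x{pos:x}:")
        for off, s, enc in near:
            print(f"  +0x{off - pos:x} [{enc}] {s!r}")
    print("leaked:", leaked_secrets(SAMPLE_DUMP, ["Pazzzw0rd", "unrelated"]))
```

Run it against a real dump by replacing SAMPLE_DUMP with the file's bytes; a non-empty result from leaked_secrets means the dump must be treated as a credential file.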
Current thread:
- NT stores passwords in plaintext. (sp00ky) -No Strezzz Cazzz (Mar 20)
- Re: NT stores passwords in plaintext. (sp00ky) Craig Boston (Mar 22)
- Re: NT stores passwords in plaintext. (sp00ky) Dan Kaminsky (Mar 22)