Vulnerability Development mailing list archives

NT stores passwords in plaintext. (sp00ky)


From: -No Strezzz Cazzz <Butterphly6 () CAZZZ DEMON NL>
Date: Mon, 19 Mar 2001 18:57:09 +0100


[note that this is an updated version of my post sent to Bugtraq some time ago]

Made in Holland
PCP/A #0004 (pr0ph)



Local Bug/Vulnerability in IE/OE


Exploitable: Well, read and decide for yourself.
Proved vulnerable: So far, NT4 Workstation with SP4.
Posted To: NTBugtraq/Bugtraq mailing lists & Packetstorm.


A copy of this text was sent to Microsoft at the same time I posted this to
the mailing lists. What can I say, xcept for: It's nothing personal, Bill.
After all, they should have been aware of this for at least 2 years.



First of all shoutzzz go out to Neil Kirr ( nkirr () uu net ) for finding this
bug 2 years ago! Check out his post to the NTBugTraq mailinglist:
Message-ID: ntbugtraq549987.79296875

Shoutzzz also go out to Reverend Lola (for whetting my appetite on NT
security), and to Deeph Inc. (for being a great partner in packets). Good luck with Perl, my phriend.

You may find some parts of this text very obvious (d0h), but the smallest mistakes often trigger the worst disasters.


The reason I make this posting is that I have additional information.
Neil only mentioned one password, I found two. He used Outlook 98, I use
Lookout, eh, Outlook (l4m3) Express 4.72 on NT4. Also, in a reply from the
MS Outlook Program Manager to the NTBugtraq mailing list it is said that
"User.dmp is the file written out when NT blue-screens". This is not true,
at least not in this case; it is obviously created because of an error
somewhere, but my NT4 has NEVER blue-screened on me yet (that is, if I
don't want it to blue-screen on me, DoS By Demand). I will show you how/why
the USER.DMP file gets written, d00dz, try this at home! Maybe it's a good
plan to first read Neil's original post and Russ' reply before you continue
reading this.


I am using bogus passwords in this text, for privacy reasons.  =oP

I didn't know about this vulnerability until I discovered it myself. I
found out about it while using the [find "POP3PASS" *] command in the
\WINNT\system32 directory. (It kinda sucked to find out later that Neil
already discovered it 2 years ago; I searched AltaVista for "USER.DMP NT4"
to find out what USER.DMP was about and one of the first hits included his
posting to NTBugtraq, but 0h well.) I was playing with the "Find" command
to see what kind of info it could dig up. I really didn't expect it to come
up with:

---------- USER.DMP
POP3PASS

I thought this was really weird, first of all because my NT4 stored my
POP3 password in plain ASCII, and second because I never noticed the
USER.DMP file in \WINNT\system32 (or anywhere else) before. So I opened
the file (I think the size was about 4MB) and retrieved my POP3 password
by Search/Find/POP3PASS (d0h). It showed up in the following lines:

                 y-ñ\    ß    POP3PASS Á\
":…Є¼ ÀOÔ?u-~A½„Є» ÀOÔ?          D e M o N 7 1 1 6 C D C


This is important to know, because it was close to "D e M o N" (I named my
provider DeMoN, but in USER.DMP it was printed with a space between each
letter), so we could use that as an indicator in case we don't know the
password. By the way, if you open USER.DMP it might take a little while
before you actually see its content. Task Manager will tell you that it's
"not responding", but it is; just be a little patient.

I noticed that not only were the complete contents of my OE (e-mail, usenet
and settings) stored throughout the file, it also contained the contents of
my IE "Favourites" folder, my complete "History" folder and a sh!tload of
other data, most of it useless. But it has a ph0nky effect when you scroll
down quickly, so that makes up for being useless. I of course checked if
perhaps the file also stored any other passwords, but it didn't. (That's
what I thought anyway.)

I tried to figure out how that USER.DMP file got there. I formatted my comp
and installed NT4 again to make absolutely sure this wasn't some extremely
weird coincidence. The first thing I did on my "fresh" NT was to try to
find the USER.DMP file. It wasn't in the \WINNT\system32 directory; in fact
it wasn't anywhere on my system. Because I had no idea of how to create the
USER.DMP file I strezzzed out and kinda forgot about it. Until this
morning, when I noticed a USER.DMP file in my \WINNT directory. (I don't
know why it appeared in the \WINNT directory instead of the \WINNT\system32
directory as it did the first time.) I opened it and found my POP3 password
stored in plain text, just like the first time.

One difference was that the file now was 11.9 MB. This is probably because
I had a huge lot of usenet postings that I hadn't deleted yet. This time I
did know what actions created the file. I like to play around a lot on my
NT; something I often do is to open all sorts of different files with
Notepad and then "read" through them to see if I can find something
interesting. I do this all the time, so this is most likely what created
the file the first time too. Anyway, I started reading through the file.
It's full of weird/interesting stuff, but the most interesting thing I
discovered was my Administrator dial-up password for DeMoN. The reason why
I couldn't retrieve it with "Find" was because it was stored with a space
between each letter, something like: "P a z z z w 0 r d". It showed up in
the following lines:


   R  kM  *   C:\WINNT\System32\RAS\rasphone.pbk
\ D E V I C E \ N D I S W A N 3
DeMoN
c a z z z
    m
                               @  @              
ÿÿÿÿÿÿÿ           –¨çw          çwœ‘
       P a z z z w 0 r d


Note that it's again close to my provider's name (DeMoN) and close to my
account name (cazzz). Only this time "c a z z z" is with spaces and "DeMoN"
is without them. Both my POP3 and dial-up password were located within the
first upper 10% of the file (still a HUGE load of data though). So now we
know that if we don't know any of those passwords we can probably find them
close to the account where our POP3 is located, and close to our account
name. Be sure you read the file from top to bottom, not from left to right;
use "Word Wrap" if needed. I can confirm that in all four USER.DMPs I have
had so far the passwords are close to the account or the account name.
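An added example, not part of the original post: a small Python scanner for
the search the post does by hand. USER.DMP is the user-mode crash dump that
Dr. Watson (drwtsn32) writes when an application faults, so a crashed
Outlook Express leaves its whole heap, credentials included, on disk. NT
keeps most strings in memory as UTF-16LE ("Unicode"), which is why the
dial-up password shows up as "P a z z z w 0 r d" in Notepad and why the
8-bit [find "POP3PASS" *] only catches values that happen to be stored as
ANSI text. The script searches for a marker in both encodings, extracts
printable strings the way `strings -e s` and `strings -e l` would, and lists
the strings that start within a window after each hit, i.e. the "look just
past the provider or account name" heuristic. The dump fragment embedded in
it is constructed to mimic the two regions quoted above; every name, offset
and password in it is made up, and the script name is hypothetical.

```python
"""dumpscan.py: look for plaintext credentials in a user-mode crash dump.

Hypothetical helper written for this page, not the original poster's code.
"""
import re
import sys

# Constructed sample dump fragment (made up). It mimics the two regions quoted
# in the post: an ASCII "POP3PASS" marker followed by UTF-16LE values, and a
# RAS phonebook path followed by a UTF-16LE account name and password.
SAMPLE_DUMP = (
    b"\x00" * 16
    + b"POP3PASS" + b"\x00\x00"
    + "DeMoN".encode("utf-16le") + b"\x00\x00"
    + "7116CDC".encode("utf-16le")
    + b"\x00" * 32
    + b"C:\\WINNT\\System32\\RAS\\rasphone.pbk" + b"\x00" * 4
    + "\\DEVICE\\NDISWAN3".encode("utf-16le") + b"\x00" * 4
    + b"DeMoN" + b"\x00" * 3
    + "cazzz".encode("utf-16le") + b"\x00\x00"
    + "Pazzzw0rd".encode("utf-16le")
    + b"\x00" * 16
)

ENCODINGS = ("ascii", "utf-16le")


def find_markers(data, needle):
    """Every occurrence of `needle` in `data` as (offset, encoding), checked
    both as 8-bit text and as UTF-16LE (the "space between each letter"
    form). Sorted by offset."""
    hits = []
    for enc in ENCODINGS:
        pattern = needle.encode(enc)
        start = 0
        while True:
            i = data.find(pattern, start)
            if i < 0:
                break
            hits.append((i, enc))
            start = i + 1
    return sorted(hits)


def printable_strings(data, min_len=4):
    """Printable runs of at least `min_len` characters, in both 8-bit and
    UTF-16LE form, as (offset, encoding, text), sorted by offset."""
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    wide_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    found = [(m.start(), "ascii", m.group().decode("ascii"))
             for m in ascii_re.finditer(data)]
    found += [(m.start(), "utf-16le", m.group().decode("utf-16le"))
              for m in wide_re.finditer(data)]
    return sorted(found)


def strings_near(data, needle, window=256):
    """Strings that start within `window` bytes after each hit on `needle`:
    the post's heuristic of reading just past the provider or account name.
    Duplicates from overlapping windows are dropped."""
    out, seen = [], set()
    for off, _enc in find_markers(data, needle):
        for s_off, s_enc, text in printable_strings(data[off:off + window]):
            entry = (off + s_off, s_enc, text)
            if entry not in seen:
                seen.add(entry)
                out.append(entry)
    return out


if __name__ == "__main__":
    # Usage: python dumpscan.py USER.DMP DeMoN cazzz   (no file: use the sample)
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_DUMP
    needles = sys.argv[2:] or ["POP3PASS", "DeMoN", "cazzz"]
    for needle in needles:
        print("== %s" % needle)
        for off, enc, text in strings_near(blob, needle, window=48):
            print("%08x %-8s %s" % (off, enc, text))
```

Run against the sample, the "DeMoN" hit in the first region is found only as
UTF-16LE and the one before "cazzz" only as ASCII, which matches the mixed
layout the post describes; searching for the password itself as 8-bit text
returns nothing, so on a real dump always try both encodings.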

You can cause a USER.DMP file to get created by doing the following:

Fill the "Newsgroups:" field in Outlook Express with over 700 chars and
press "Send". This will cause a buffer to overflow; it closes down OE and
creates a USER.DMP file in your WINNT directory.

You can also close down the main OE window while you're viewing the source
of a message (Ctrl-F3 only). This will also close down OE and create a
USER.DMP file in your WINNT directory. Note that USER.DMP will be much
smaller with this one than if you create it with the "Newsgroups:"
overflow.

It might also be a good idea to clean out your Outlook
Express/Favourites/History/Cookie folders before testing this. You will
find all of their content back in USER.DMP, so it gets huge in a hurry.

Let me add this tiny, little & cute warning: Although I'm starting to like
NT4 more and more (face it, GUI is what makes the world go round) I still
get a big kick out of it when I'm able to blow it up (especially with
homemade) vulnerabilities. I can do this because it's my NT and my
computer. So before you start to test this on your corporate LAN..... Be
sure to backup, H4H4H4, better saphe than s0rry. Oh, and because of
Windows' nasty habit of assuming that if you open a file with Notepad all
files of that type turn into Notepad documents, you may soon find your
whole system32 folder filled with Notepad-format files.

Solution: The solution to this problem is as simple as it is effective.
Just as Neil mentioned two years ago: Don't let IE/OE save your password
when you make a dial-up connection. And of course you need a brain that
works; would you believe that there are still people out there that use the
same password more than once? Tsk tsk. Doing that will lead you and your
system straight into oblivion when mixed with this bug. You can unsave your
password by choosing Security/Unsave Password on your dial-up network
monitor.

You would help us out a lot if you would test this and mail the results to
the Bugtraq lists and/or to us:

Industrial_Strength () cazzz demon nl  (The Exploiters)

We will store the info in our private PCP/TNT archives, thanks.


Another fine Planet Cazzz Production/Advisory, in association with The
Nations Top. We cannot be held responsible for your actions, but you can
try. Made in Holland. PCP/A #0004 (pr0ph)


We want to say hell0 to all the Crackers, the Hackers and the Phreax. We want to say hell0 to all the people in this 
place. We want to say hell0 to all the Sinners and 31337. We say hell0 to all the people in the world...




-No Strezzz Cazzz, Powered By UN0X

PCP, Phencyclidine: Causes a range of bizarre and violent effects.


