Bugtraq mailing list archives

Exploit for MSIE on Win95


From: sbirn () NETMEDIA NET IL (Steve Birnbaum)
Date: Tue, 18 Mar 1997 04:25:53 +0200


See http://www.security.org.il/msnetbreak/ for more details.


What's new

   It is possible from anywhere on the Internet to obtain the cleartext
   Windows 95 login password from a Windows 95 computer on a network
   connected directly to the Internet given only the IP address and the
   workgroup and leave no trace of your actions. It is untested and may
   work with Windows For Workgroups as well.

Description

   There has been recent discussion on security mailing lists concerning
   the fact that Microsoft Internet Explorer running on Windows NT will
   automatically try to log in to a remote SMB server (file server)
   without prompting the user or without the user's knowledge. By design,
   the NT machine will transmit to this remote server the encrypted
   password and username of the user. This is documented by Aaron
   Spangler. The caveats with this are that the passwords are encrypted
   and that in many cases people do not use WWW browsers from NT servers,
   but rather from computers running Windows 95.

   It has been explained that this same exploit does not work against
   Windows 95 because Windows 95 is only capable of accessing SMB shares
   (file sharing) if they are:
     * Connected to the same subnet.
     * In the Windows 95 computer's LMHOSTS file on startup.
     * Announced to the Windows 95 computer by a Master Browser.

   It is this third and final condition that can be taken advantage of to
   obtain the cleartext password and username of any Windows 95 user who
   uses Microsoft Internet Explorer. Even careless use of Microsoft
   Network Neighborhood can exploit this hole without the requirement for
   Internet Explorer. The requirements are knowledge of the user's IP
   address, workgroup name and that they access a hostile web page. The
   first two are not difficult to obtain and the third does not have to
   be an obscure page. In the last 6 months sites such as the CIA have
   been broken into. All it would require is that one unnoticeable line
   be added to the home page. Since the viewable content of the page has
   not been altered, such a change can go unnoticed for a long time.



--
Steve Birnbaum - System Administrator, NetMedia. Jerusalem, Israel.
sbirn () netmedia net il  Phone: +972-2-6795860   --Standard Disclaimer--
sbirn () security org il  http://www.vix.com/spam/   (PGP key available)