COMMAND
NT Displays Plain-Text Netware Passwords
SYSTEMS AFFECTED
Win & Netware
PROBLEM
Patrick Hayden posted about the following vulnerability. Windows NT
4.0, with Microsoft's Client Services for Netware or Novell's
IntraNetware Client for Windows NT, writes plain-text user-id and
password information to PAGEFILE.SYS. The user-id and password
apply to Netware; however, users commonly use the same logon
information for both NT and Netware. It is then possible to
recover the plain-text information with a disk editor.
Tests have been performed (with more pending) on these systems:
Windows NT Workstation 4.0 w/SP1 and IntraNetware Client for NT
(970214), Pent. 133 laptop, 24MB RAM, 50MB PAGEFILE.SYS
Windows NT Workstation 4.0 w/SP1 and Microsoft Client Services for
Netware, dual Pent 166, 64MB RAM, 80MB PAGEFILE.SYS
Novell Netware 4.11 Server
1. Set /MAXMEM=12 in BOOT.INI so as to force swapping.
2. Load NT; Authenticate to NT and Netware (I used the same ID
and Password for both systems.); Verify connection by mapping
a drive.
3. To ensure that sufficient swapping takes place, run a large
program (this forces the user-id and password information
stored in RAM to be placed into PAGEFILE.SYS.)
4. Exit NT; Boot to DOS; diskedit PAGEFILE.SYS
5. Search for one of the following strings (do NOT include the ""
items):
IntraNetware Client:
NWUserName="user-id"
WlMprNotifyPassword="password"
"UserName" (if the username is alone, the password
will follow very closely)
Client Services for Netware
nwcs"password" (the password is all CAPS and will
immediately follow nwcs)
In a "real-life" environment, most likely there will be enough
swapping on the system that setting the /MAXMEM switch will be
unnecessary. The switch is only to help confirm that this hole
exists.
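Added here as an audit aid, not part of the original advisory: a Python scanner that checks a copied pagefile image for the marker strings listed above and reports only where each occurs and how long the adjacent value is, so the result can be logged without re-leaking the credential. The marker strings are the advisory's; the 64-character value cap and the sample bytes are constructed assumptions.

```python
import mmap
import re

# Marker patterns from the advisory, as bytes: PAGEFILE.SYS is a binary image
# and the leaked strings sit inside it as plain 8-bit text. The 64-character
# cap on the value is an assumption, not something the advisory states.
MARKERS = {
    # IntraNetware Client for NT
    "netware-userid":   re.compile(rb'NWUserName="([^"\x00]{1,64})"'),
    "netware-password": re.compile(rb'WlMprNotifyPassword="([^"\x00]{1,64})"'),
    # Client Services for Netware: the password is all CAPS right after "nwcs".
    # Requiring at least one A-Z/0-9 character avoids decoys such as "nwcsvc".
    "csnw-password":    re.compile(rb'nwcs([A-Z0-9]{1,64})'),
}

def scan_pagefile(data):
    """Scan a pagefile image (bytes or mmap) for the advisory's markers.

    Returns (marker_name, byte_offset, value_length) tuples sorted by offset.
    The matched value itself is deliberately not returned.
    """
    findings = []
    for name, pattern in MARKERS.items():
        for m in pattern.finditer(data):
            findings.append((name, m.start(), len(m.group(1))))
    return sorted(findings, key=lambda f: f[1])

def scan_file(path):
    """Memory-map a copied pagefile image (tens of MB) and scan it in place."""
    with open(path, "rb") as fh, mmap.mmap(fh.fileno(), 0, access=mmap.ACCESS_READ) as mm:
        return scan_pagefile(mm)

# Constructed sample image: filler bytes around the three marker forms, plus a
# decoy "nwcs" fragment that must not be reported.
SAMPLE_PAGEFILE = (
    b"\x00" * 16
    + b'NWUserName="jdoe"'
    + b"\xff" * 8
    + b'WlMprNotifyPassword="Wint3r97"'
    + b"\x00" * 8
    + b"nwcsWINT3R97\x00"
    + b"service name nwcsvc should not match"
)

if __name__ == "__main__":
    for name, offset, length in scan_pagefile(SAMPLE_PAGEFILE):
        print(f"{name:18s} at offset {offset:#010x}, value length {length}")
```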
SOLUTION
No solution given yet.