COMMAND

    Password caching

SYSTEMS AFFECTED

    Win 95, WfW

PROBLEM

    This  text  is  taken  from  the  "Hack Microsoft" Web Site and is
    written by Frank Andrew Stevenson and Peter Gutmann

    By  default,  Windows  95  and  Windows for Workgroups implement a
    "password caching feature" whereby  the passwords for all  network
    services (NetWare, NT, Samba, SLIP/PPP service) are  automatically
    and permanently stored in C:\WINDOWS\<USERNAME>.PWL.  Microsoft
    claims they are encrypted securely.

    Peter determined  that the  Windows PWL  encryption algorithm  was
    incredibly  insecure.  Frank  wrote  a  program  to break the .PWL
    files in Windows. (More  details are forthcoming, a  draft version
    is available currently.) Source  code and a Windows  NT executable
    for  the  exploit  program  are  available. In effect, anyone with
    physical or network access to a Windows machine has access to  all
    network passwords used by all users of that machine.

    Late afternoon  December 14th,  Microsoft released  an alleged fix
    for the  problem, which  is supposed  to make  passwords harder to
    find, but  it has  not been  reviewed by  outside experts,  and it
    doesn't even come with  a ReadMe file. Unlike  Netscape, Microsoft
    has not published its encryption algorithm for the customary  peer
    review.  Until  they do, we  recommend disabling password  caching
    and user profiles.

    Peter  wrote  this  modest  trojan  horse demonstration, mail.zip.
    Invoke  it  as  mail  hackmsoft@c2.org  (or  whatever  address you
    consider appropriate) on any  Windows for Workgroups machine  with
    a TCP/IP  connection and  it will  send you  (or anyone  else) the
    first password cached on your machine, unencrypted.

    Note  that  this  hack  does  not  contain any decryption code; it
    merely uses the  WNetGetCachedPassword() call, which  is available
    to  any  program.  Proper  security  architectures,  such  as  the
    corresponding subsystem in Windows  NT, have an internal  security
    perimeter to prevent this kind  of thing. This quick hack  doesn't
    support MX  aliasing, so  you might  need to  point it directly at
    your SMTP server.   Because some network calls  do not seem to  be
    supported in Windows  95, this program  currently only works  with
    WFW (but this  is only a  minor implementation issue,  which could
    be fixed).

    "Disabling  password  caching"  does  not  completely address this
    vulnerability, because  passwords are  still stored  in memory  to
    facilitate the "automatic reconnect" feature, which is designed to
    maintain connections through  laptop "suspend" mode  and temporary
    network  problems.  Neither  is  the  alleged  fix  for Windows 95
    (above) relevant.

SOLUTION

    Don't allow your network administrators to log on to  workstations
    with the "administrator" account under any circumstances. When you
    log on to a standard Windows workstation, your user passwords  are
    cached -- unless this feature has been disabled.

    Thanks to Jim Carlson for contributing this WfW semi-fix:
    To turn off password caching for Windows for Workgroups, add the
    following to your \WINDOWS\SYSTEM.INI file:

        [NETWORK]
        passwordcaching=no

    Thanks to Malcolm Miles for contributing this Win95 semi-fix:
    To  turn  off  password  caching  for  Win95,  you  can use Policy
    Editor,  or  edit  the  following  Registry  entry  directly  with
    REGEDIT.EXE:

        HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Network\DisablePwdCaching
        Set the value to a binary value of 1.
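
    An offline audit of the two settings above (added example, not from
    the original advisory or its authors): it parses SYSTEM.INI for
    passwordcaching=no and a REGEDIT4 export for DisablePwdCaching, and
    lists any .PWL files still in the Windows directory, since neither
    setting removes them. The REGEDIT4 export layout and the sample
    inputs are constructed assumptions.

```python
"""Offline audit of the two Win95 / WfW password-caching settings named in
the advisory, plus a listing of leftover *.PWL files (neither setting deletes
them). Added example, not from the original; sample inputs are constructed."""
from pathlib import Path

POLICY_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Network"

def ini_lookup(text, section, key):
    """Value of `key` under `[section]`, case-insensitive, or None.
    Handles SYSTEM.INI and REGEDIT4 exports (value names there are quoted)."""
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            continue
        if current == section.lower() and "=" in line:
            name, _, value = line.partition("=")
            if name.strip().strip('"').lower() == key.lower():
                return value.strip()
    return None

def system_ini_caching_disabled(ini_text):
    """True only if [NETWORK] explicitly says passwordcaching=no."""
    value = ini_lookup(ini_text, "NETWORK", "passwordcaching")
    return value is not None and value.lower() == "no"

def registry_caching_disabled(reg_text):
    """True if DisablePwdCaching is non-zero; accepts dword: and hex: (REG_BINARY)."""
    value = ini_lookup(reg_text, POLICY_KEY, "DisablePwdCaching")
    if value is None:
        return False
    kind, _, data = value.lower().partition(":")
    if kind == "dword":
        return int(data, 16) != 0
    if kind == "hex":  # little-endian byte list, e.g. 01,00,00,00
        return any(int(b, 16) for b in data.split(",") if b)
    return False

def find_pwl_files(windows_dir):
    """Names of cached-credential files still present in the Windows directory."""
    return sorted(p.name for p in Path(windows_dir).iterdir() if p.suffix.lower() == ".pwl")

# Constructed samples: a hardened SYSTEM.INI and a REGEDIT4 export of the policy key.
SAMPLE_SYSTEM_INI = "[boot]\nshell=explorer.exe\n\n[NETWORK]\npasswordcaching=no\n"
SAMPLE_REG_EXPORT = "REGEDIT4\n\n[" + POLICY_KEY + "]\n\"DisablePwdCaching\"=dword:00000001\n"
```

    A machine where both checks return True can still hold passwords in
    memory for the "automatic reconnect" feature described above.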