COMMAND

    Quakenbush Windows NT Password Appraiser

SYSTEMS AFFECTED

    Windows systems running Quakenbush Windows NT Password Appraiser
    (Standard and Professional Editions, including the demo, when the
    Internet Query option is used)

PROBLEM

    The following is based on the L0pht Security Advisory.  Password
    Appraiser is a tool that allows administrators to "Find accounts
    with weak passwords" on NT systems.  In actuality what it does is
    compare only the weaker LANMAN hash against a set of precomputed
    LANMAN hashes (a table lookup) to see whether the password is
    "weak".  The demo version *only* allows one to run the program by
    querying across the Internet.  Other versions allow querying across
    the Internet and/or a local dictionary containing a smaller subset
    of words/hashes.

    If you hook up a network sniffer and run the demo version on one
    machine you will watch the LANMAN hashes being sent IN THE CLEAR to
    pw.quakenbush.com.  For the passwords that the server had in its
    dictionary a plaintext response was sent back.  It is important to
    mention that user names are not sent across the wire.  However,
    without the usernames the above threat is still quite real.  The
    problem lies in the known quantities: the location/site that sent
    the passwords, and the actual passwords.  It is a trivial step to
    gather the usernames from this point forward (the sending host is
    known, and each recovered password can simply be tried against its
    accounts).

    Sniffing  traffic  to  port  80  of  pw.quakenbush.com  shows  the
    following information being exchanged:

        local client machine == [A]
        remote dictionary server [pw.quakenbush.com] == [B]

    [Example  1  -  demonstrating  vulnerability on Password Appraiser
    sending LANMAN hash and plaintext equivalent from "weak" password]

        [A] -> [B]
         GET /default.asp?cid=[*]&v=3086&pw=D85774CF671A9947AAD3B435B51404EE HTTP/1.1
         Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, */*
         User-Agent: Microsoft URL Control - 6.00.8169
         Host: pw.quakenbush.com

    Note that the cid is the verification mechanism by which the server
    can ostensibly check that the client is a paid-for copy.  The number
    that was removed was the evaluation number that was automatically
    sent upon downloading the software.  Its value is unimportant for
    this advisory.

        [B] -> [A]
         HTTP/1.1 200 OK
         Server: Microsoft-IIS/4.0
         Date: Wed, 20 Jan 1999 23:51:14 GMT
         Content-Type: text/html
         Cache-control: private
         Transfer-Encoding: chunked

         12
         ::PW::FOOBAR::PW::
         0

    From this, one can see that Password Appraiser only works on the
    legacy LANMAN hash, which is, in this case:

        D85774CF671A9947AAD3B435B51404EE

    The response shows that the password being checked was FOOBAR.  The
    original letter case is unknown: the LANMAN hash is computed over
    the uppercased password, and the program never looks at the
    case-preserving NTLM hash.  The above can be witnessed at any stage
    in transit to the Quakenbush server.  The attacker now has the
    password.

    [Example  2  -  demonstrating  vulnerability on Password Appraiser
    sending LANMAN hash of a "strong" password]

        [A] -> [B]
         GET /default.asp?cid=[*]&v=3086&pw=8F4272A6FC6FDFDFAAD3B435B51404EE HTTP/1.1
         Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, */*
         User-Agent: Microsoft URL Control - 6.00.8169
         Host: pw.quakenbush.com

        [B] -> [A]
         HTTP/1.1 200 OK
         Server: Microsoft-IIS/4.0
         Date: Thu, 21 Jan 1999 00:09:03 GMT
         Content-Type: text/html
         Cache-control: private
         Transfer-Encoding: chunked

         19
         ::PW::<not cracked>::PW::
         0

    Here, the LANMAN hash is: 8F4272A6FC6FDFDFAAD3B435B51404EE.  We see
    from the response that Password Appraiser believes this password to
    be secure.  Unfortunately, the hash itself says otherwise.  LANMAN
    uppercases the password, pads it to 14 bytes and DES-encrypts a
    fixed constant under each 7-byte half independently, so the trailing
    AAD3B435B51404EE (the well-known result for an all-zero half) tells
    the observer that the password is at most 7 characters long and that
    only the first half, a single unsalted 56-bit DES key derived from 7
    uppercased characters, remains to be searched.  People sniffing the
    network who plug this hash into other tools take advantage of this
    weak design and retrieve the password 'BOGUS!!' in under 1 minute.
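    The following Python program is an added example illustrating both
    exchanges above; it is not code from the L0pht advisory or from
    Quakenbush.  It reconstructs what a passive observer on the path to
    pw.quakenbush.com obtains from one request/response pair: the LANMAN
    hash from the pw= parameter, the plaintext (if any) from the chunked
    response body, and what the hash's structure gives away even when the
    server answers '<not cracked>'.  The two captures are transcribed from
    Example 1 and Example 2; the cid value and the trimmed header set are
    placeholders, not values observed on the wire.

```python
"""Passive analysis of a Password Appraiser "Internet Query" round trip.

Added example: this is not code from the L0pht advisory or from Quakenbush.
The captures below are transcribed from the advisory's Example 1 and 2;
the cid value is a made-up placeholder.
"""
import re
from urllib.parse import parse_qs, urlsplit

# DES_K("KGS!@#$%") for an all-zero 7-byte key: the second half of every
# LANMAN hash whose (uppercased, null-padded) password is 7 chars or fewer.
LM_EMPTY_HALF = "AAD3B435B51404EE"

# Constructed captures (transcribed from the advisory; cid is a placeholder).
CAPTURE_WEAK = (
    "GET /default.asp?cid=0000&v=3086&pw=D85774CF671A9947AAD3B435B51404EE HTTP/1.1\r\n"
    "User-Agent: Microsoft URL Control - 6.00.8169\r\n"
    "Host: pw.quakenbush.com\r\n\r\n",
    "HTTP/1.1 200 OK\r\n"
    "Server: Microsoft-IIS/4.0\r\n"
    "Content-Type: text/html\r\n"
    "Transfer-Encoding: chunked\r\n\r\n"
    "12\r\n::PW::FOOBAR::PW::\r\n0\r\n\r\n",
)
CAPTURE_STRONG = (
    "GET /default.asp?cid=0000&v=3086&pw=8F4272A6FC6FDFDFAAD3B435B51404EE HTTP/1.1\r\n"
    "User-Agent: Microsoft URL Control - 6.00.8169\r\n"
    "Host: pw.quakenbush.com\r\n\r\n",
    "HTTP/1.1 200 OK\r\n"
    "Server: Microsoft-IIS/4.0\r\n"
    "Content-Type: text/html\r\n"
    "Transfer-Encoding: chunked\r\n\r\n"
    "19\r\n::PW::<not cracked>::PW::\r\n0\r\n\r\n",
)


def lm_hash_from_request(request):
    """Return the 32-hex-digit LANMAN hash carried in the request's pw= parameter."""
    request_line = request.split("\r\n", 1)[0]
    method, target, _version = request_line.split(" ")
    if method != "GET":
        raise ValueError("unexpected method %r" % method)
    pw = parse_qs(urlsplit(target).query)["pw"][0].upper()
    if not re.fullmatch(r"[0-9A-F]{32}", pw):
        raise ValueError("pw= is not a 16-byte hex LM hash: %r" % pw)
    return pw


def decode_chunked(body):
    """Reassemble an HTTP/1.1 chunked body (hex sizes, terminated by a 0 chunk)."""
    data, rest = [], body
    while True:
        size_line, rest = rest.split("\r\n", 1)
        size = int(size_line.split(";")[0].strip(), 16)  # ignore chunk extensions
        if size == 0:
            break
        data.append(rest[:size])
        rest = rest[size + 2:]  # skip the chunk data and its trailing CRLF
    return "".join(data)


def plaintext_from_response(response):
    """Return the password the server disclosed, or None for '<not cracked>'."""
    headers, body = response.split("\r\n\r\n", 1)
    if "transfer-encoding: chunked" in headers.lower():
        body = decode_chunked(body)
    match = re.search(r"::PW::(.*?)::PW::", body)
    if not match:
        raise ValueError("no ::PW:: marker in response body")
    value = match.group(1)
    return None if value == "<not cracked>" else value


def analyse(request, response):
    """Everything a passive observer learns from one Internet Query exchange."""
    lm = lm_hash_from_request(request)
    first_half, second_half = lm[:16], lm[16:]
    return {
        "lm_hash": lm,
        "plaintext": plaintext_from_response(response),
        # Each 7-byte half is hashed independently: a known second half
        # means the password is at most 7 characters, and only the first
        # half (one 56-bit DES key from 7 uppercased chars) needs cracking.
        "at_most_7_chars": second_half == LM_EMPTY_HALF,
        "halves_to_crack": [h for h in (first_half, second_half) if h != LM_EMPTY_HALF],
    }


if __name__ == "__main__":
    for capture in (CAPTURE_WEAK, CAPTURE_STRONG):
        print(analyse(*capture))
```

    Running it prints one dictionary per capture.  For Example 1 the
    plaintext FOOBAR is read straight off the wire; for Example 2 the
    server gives nothing away, but "halves_to_crack" shows that a single
    unsalted 7-character half is all that stands between the sniffer and
    'BOGUS!!', which is why other tools recover it in under a minute.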

SOLUTION

    Quakenbush do warn of this fact in their "Privacy Statement"; they
    even state that the passwords will be visible to a sniffer.  The
    information in the advisory pertains to the Standard Edition and
    Professional Edition and not to the Enterprise Edition.  Further,
    the issues discussed in the L0pht advisory pertain only to the use
    of the Internet Query option.  The Internet Query option is not
    necessary on the CD-ROM versions of the product (including the free
    demo CD-ROM).  Several steps were taken in the server-side code to
    eliminate the possibility of plaintext ever being transferred via
    the Internet.  An update to the Password Appraiser program (Standard
    and Professional Editions) has been issued that uses SSL
    exclusively.  The revision also includes new warning messages that
    are activated whenever a user turns on the Internet Query option,
    and the password resolution server has been configured with an SSL
    Server Certificate.  So, get yourself the version (3.0.89) that
    supports SSL.  Note that SSL only protects the hashes in transit;
    they are still handed to a third party, so where the product offers
    a local dictionary or CD-ROM lookup, prefer it over the Internet
    Query option.