Date: 03 June 1997
Click here for printable version
Click here for PGP verifiable version
-----BEGIN PGP SIGNED MESSAGE-----
===========================================================================
AA-97.25 AUSCERT Advisory
Windows95 Network Password Vulnerability
3 June 1997
Last Revised: --
- ---------------------------------------------------------------------------
AUSCERT has received information that a vulnerability exists in the way
that network passwords are stored in memory by Microsoft Windows95 systems.
This vulnerability may allow the unauthorised access to the plain text
password for the currently logged in user. This can lead to unauthorised
access to the user's network account.
Microsoft has released a security bulletin, containing patch information,
addressing the vulnerability. These patches encrypt the passwords stored
in memory. The security bulletin and patches are described in this
advisory.
- ---------------------------------------------------------------------------
1. Description
A vulnerability exists in the way that network passwords are stored
in memory by Microsoft Windows95 systems. This vulnerability may
allow unauthorised access to the plain text password for the currently
logged in user. Although the password is encrypted before sending it
over a network, it is stored unencrypted in the system's memory.
Access to the password for the currently logged in user is possible
through careful examination of memory structures. It is possible to
develop a program to simplify this attack.
To obtain the password currently stored in memory, a program must be
executed on the system. This can be done by either gaining physical
access to the computer or misleading the user into executing the
program. These actions must be performed while the network user is
still logged in.
The user can be misled into running a malicious program by downloading
untrusted information from the Internet, or by some other means such
as embedding the malicious program in a Macro contained in a file that
gets executed when the file is opened by the user. This file may be
sent to the user as an attachment to an electronic mail message.
2. Impact
Unauthorised access may be gained to the network password of the user
logged in to a Windows95 system.
This can lead to unauthorised access to the user's network account
using the compromised password.
3. Workarounds/Solution
Official vendor patches have been released by Microsoft which address
this vulnerability (Section 3.1). AUSCERT recommends that sites apply
the patches given in this bulletin immediately.
3.1 Install vendor patches
Microsoft has released a security bulletin, containing patch
information, addressing the vulnerability described in this advisory.
This bulletin can be located on their security page on Microsoft's
Web site at http://www.microsoft.com/security/ and is titled "Microsoft
Windows 95 Update to Enhance Password Security".
Additionally, a Microsoft Knowledge Base article has been developed
by Microsoft detailing more information about this problem and
associated fixes. It can be located by going to Microsoft Australia's
home page (http://www.microsoft.com.au) and following the links to
"Support", and then to "Knowledge Base". The specific Knowledge Base
article to search for is Q165402. This article can also be referenced
as http://www.microsoft.com/kb/articles/q165/4/02.htm
Both the bulletin and the Knowledge Base article contain pointers to
patches that can be downloaded.
AUSCERT recommends that sites apply the patches given in this bulletin
immediately.
4. Additional Measures
To gain access to the user's password, the user must first be logged
in to the network from a Windows95 system using their account and
password. The password is obtained by either someone running a program
on the system, or a program must be executed by the user or on the
user's behalf. Executing a program can be done by either gaining
physical access to the system or misleading the user into running an
untrusted program. The user can be misled into running a malicious
program by downloading untrusted information from the Internet, or by
some other means such as embedding the malicious program in a Macro
contained in a file that gets executed when the file is opened by the
user. This file may be sent to the user as an attachment to an
electronic mail message.
Educating users can address each of these scenarios. The ability to
exploit this vulnerability can be reduced if unauthorised access to
the system, while the user is still logged in, can be minimised or
eliminated. One way this can be achieved is if each user logs off
from the network any time they leave the computer for reasonable
periods of time, or runs a password protected screen saver.
Users should also be educated not to run untrusted programs that have
been given to them on disk or via Email, or downloaded from a network.
Email attachments should be scanned for any unauthorised macros.
- ---------------------------------------------------------------------------
AUSCERT thanks the Australian Bureau of Statistics and Microsoft for their
assistance and response in the preparation of this Advisory.
- ---------------------------------------------------------------------------
The AUSCERT team have made every effort to ensure that the information
contained in this document is accurate. However, the decision to use the
information described is the responsibility of each user or organisation.
The appropriateness of this document for an organisation or individual
system should be considered before application in conjunction with local
policies and procedures. AUSCERT takes no responsibility for the
consequences of applying the contents of this document.
If you believe that your system has been compromised, contact AUSCERT or
your representative in FIRST (Forum of Incident Response and Security
Teams).
AUSCERT is located at The University of Queensland within the Prentice
Centre. AUSCERT is a full member of the Forum of Incident Response and
Security Teams (FIRST).
AUSCERT maintains an anonymous FTP service which is found on:
ftp://ftp.auscert.org.au/pub/. This archive contains past SERT and AUSCERT
Advisories, and other computer security information.
AUSCERT also maintains a World Wide Web service which is found on:
http://www.auscert.org.au/.
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 4477
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AUSCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for emergencies.
Postal:
Australian Computer Emergency Response Team
Prentice Centre
Brisbane
Qld. 4072.
AUSTRALIA
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Revision History
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-----BEGIN PGP SIGNATURE-----
Version: 2.6.3i
Charset: noconv
Comment: ftp://ftp.auscert.org.au/pub/auscert/AUSCERT_PGP.key
iQCVAwUBM5PWMyh9+71yA2DNAQHCuAP7BWLww8EpTjAdKlZjuRsnykeiGwZwaof3
GRnvsc5i2BnQ/uYBTqOAds5MaajN4GHQXMUY0hIPvPjHsGc26GD9CwHsLrEONXBD
zjwG5acwFW6S4REWZcqMkvISIZzOlvbhYdV3pmPpDDSf7Hv1FpsH0zQu2aaDmo5W
KYmabfKHXGw=
=iiO8
-----END PGP SIGNATURE-----
|