
windows.passwd.cache.txt

Reported by Packet Storm, 17 Aug 1999 (packetstormsecurity.com)

On Windows for Workgroups 3.11 and Windows 95, the password-cache interface that net.exe uses (multiplex interrupt 2Fh, function 11h, subfunction 84h) hands the logged-in user's password back to a DOS program in plaintext, so anyone with access to the machine after the user has logged in can recover it.

Date: Wed, 21 Oct 1998 23:07:44 +0100
From: bt398 <bt398#@SOTON.AC.UK>
To: [email protected]
Subject: 13 tiny bytes to show the huge silliness of our great common friend..


Lately, I've been playing a bit with the net.exe program
(\windows\net.exe). With this program, a user can set up the network
drivers (Windows for Workgroups protocol); moreover, a user can log in (open
a WfW session) and also change his password. As this program runs on DOS,
I've been wondering how net.exe was retrieving the password of the user;
as no DLL calls to undocumented functions are possible, only a call to a
special interrupt/function should be used.

Then, tracing through the code, I found a rather interesting feature.
When a user changes his password, net.exe accesses the old password
using the multiplex interrupt 2Fh (the so-called software interrupt) with
function 11h (subfunction 84h). I suppose that function 11XX of int 2Fh is
installed by the Windows kernel so that it can exchange data (WfW info)
with a DOS program. Well, so you would say that this function requires the
password as input and returns an error if the password is bad.. but no,
Microsoft did it the other way. The function returns the unencrypted password
into a buffer (... no comment).

Indeed, this is not a _big_ deal, but if a user has access to your computer
after you have logged in, then he can easily retrieve your password.. And I am sure
that a lot of people use the same password for their mail and their
Windows password (so it is somewhat of a security problem). I have attached a small
program that displays the password of the user (you must have logged in
first); this only works on Windows for Workgroups 3.11 and Windows 95
(Windows 98 and Windows NT are not affected, hopefully).

But I wouldn't be surprised if Win98 has an undocumented function that
returns the password of the user (I wouldn't bet on that for NT, though).

Fix: well, I didn't find anything.. except that this code:

```nasm
mov ax, 1184h   ; multiplex interrupt function 11h, subfunction 84h
mov bx, 0dh     ; BX = 0Dh, as found by the author; its meaning is not documented here
xor cx, cx      ; CX = 0
int 2fh         ; invoke the multiplex interrupt
```

seems to disable the password caching feature
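As an added example that is not the author's attached program (which is not reproduced on this page): a stand-alone DOS .COM program, in NASM syntax, that wraps the disabling call from the post. The two installation checks it performs first (INT 2Fh AX=1600h for enhanced-mode Windows, INT 2Fh AX=1100h for the network redirector) are standard multiplex-interrupt calls and are not from the post. That AX=1184h with BX=0Dh disables password caching is the post's claim; since the page does not document what the call returns, the program only reports that it issued it.

```nasm
; disable_pwcache.asm - added example, not the code from the original post.
; Assemble:  nasm -f bin disable_pwcache.asm -o pwcache.com
; Run from a DOS box on Windows for Workgroups 3.11 or Windows 95.
;
; Before issuing the post's INT 2Fh AX=1184h / BX=0Dh call, the program checks:
;   1. INT 2Fh AX=1600h - enhanced-mode Windows installation check.
;      AL=00h or AL=80h means enhanced-mode Windows is not running.
;   2. INT 2Fh AX=1100h - network redirector installation check.
;      AL=FFh means a redirector is installed (the multiplex handler we need).
; Assumption: the disabling effect of AX=1184h/BX=0Dh is as stated in the post;
; nothing on the page documents the call's return values, so none are checked.

        org     100h            ; .COM program: loaded at CS:0100h

start:
        mov     ax, 1600h       ; enhanced-mode Windows installation check
        int     2Fh
        cmp     al, 00h         ; 00h: no enhanced-mode Windows
        je      .nowin
        cmp     al, 80h         ; 80h: XMS driver present, still no Windows
        je      .nowin

        mov     ax, 1100h       ; network redirector installation check
        int     2Fh
        cmp     al, 0FFh        ; FFh: redirector installed
        jne     .noredir

        ; The four instructions from the post, unchanged.
        mov     ax, 1184h       ; function 11h, subfunction 84h
        mov     bx, 0Dh         ; argument found by the author; undocumented here
        xor     cx, cx          ; CX = 0
        int     2Fh

        mov     dx, msg_done
        mov     bl, 0           ; exit code 0: call was issued
        jmp     .print

.nowin:
        mov     dx, msg_nowin
        mov     bl, 1           ; exit code 1: nothing done
        jmp     .print

.noredir:
        mov     dx, msg_noredir
        mov     bl, 2           ; exit code 2: nothing done

.print:
        mov     ah, 09h         ; DOS: write '$'-terminated string at DS:DX
        int     21h
        mov     ah, 4Ch         ; DOS: terminate with exit code in AL
        mov     al, bl
        int     21h

msg_done    db 'Issued INT 2Fh AX=1184h BX=000Dh (password-cache disable call).', 0Dh, 0Ah, '$'
msg_nowin   db 'Enhanced-mode Windows not detected; nothing done.', 0Dh, 0Ah, '$'
msg_noredir db 'No network redirector installed; nothing done.', 0Dh, 0Ah, '$'
```

The program takes no arguments; run PWCACHE.COM from a DOS prompt inside the Windows session and check ERRORLEVEL (0 means the call was issued, 1 or 2 means one of the guards failed). The guards matter because an INT 2Fh function nobody has hooked simply falls through the multiplex chain and returns with the registers untouched, which would otherwise look identical to success.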
