Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

windows.passwd.cache.txt

🗓️ 17 Aug 1999 00:00:00Reported by Packet StormType 
packetstorm
 packetstorm🔗 packetstormsecurity.com👁 25 Views

Windows net.exe can retrieve unencrypted passwords, posing a security risk for users.

Code
`Date: Wed, 21 Oct 1998 23:07:44 +0100  
From: bt398 <bt398#@SOTON.AC.UK>  
To: [email protected]  
Subject: 13 tiny bytes to show the huge sillyness of our great common friend..  
  
  
Lately, I've been playing a bit with net.exe program  
(\windows\net.exe). With this program, a user can set up the network  
drivers (Windows For Workgroup protocol); moreover, a user can log in (open  
a wfw session) and also change his password. As this program runs on DOS,  
I've been wondering how next.exe was retrieving the password of the user;  
as no DLL calls to undocumented functions are possible, only a call to a  
special interrupt/function should be used.  
  
Then, tracing through the code, I've found a rather interesting feature.  
When a user changes its password, net.exe accesses to the old password  
using the multiplex interrupt 2fh (or so-called software interrupt) with  
function 11h (sub function 84h). I suppose that function 11XX, int 2fh is  
installed by the windows kernel so that it can exchange data (WFW infos)  
with a DOS program. Well, so you would say that this function requires as  
input the password and returns an error if the password is bad.. but, no..  
Microsoft did it the other way. The function returns the uncrypted password  
to a buffer (... no comment).  
  
Indeed, this is not _big_ deal but if a user has access to your computer  
after you logged then he can easily retrieve your password.. And I am sure  
that a lot of people uses the same password for their mail and their  
windows password (so it is somewhat a security problem). I attached a small  
program that prompts the password of the user (you must have logged in  
first); this only work on Windows for Workgroup 3.11 and Windows 95  
(Windows 98 and Windows NT are not affected -hopefully-).  
  
But I wouldn't be surprised if Win98 has an undocumented function that  
returns the password of the user (I wouldn't bet that about NT though.)  
  
fix : well, I didn't find anything .. except that this code :  
  
mov ax, 1184h  
mov bx, 0dh  
xor cx, cx  
int 2fh  
  
seems to disable the password caching feature  
`

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
17 Aug 1999 00:00Current
windows for workgrouppassword retrievalsecurity riskunencrypted passwordnet.exe programdos program.
25