Vulnerability Development mailing list archives

Re: NT stores passwords in plaintext. (sp00ky)


From: Craig Boston <craig () aevrf gank org>
Date: Wed, 21 Mar 2001 10:00:46 -0600

This is pretty much accurate info, just thought I'd clarify a few things...

USER.DMP is created by the infamous Dr. Watson program.  It's a dump of the
process space of whatever the last program that crashed was.  Basically the
same concept as core files on *nix.  If you have windbg installed you can
load a user.dmp file and go to the assembly view to figure out where if
crashed (somewhat more useful if you actually wrote the program and have the
source files/symbol tables handy :)

Unfortunately NT4 doesn't control access to this file very well.  Then again
NT4 doesn't control access to a lot of sensitive files by default
(Everyone/Full Control on C:\ for example).  Windows 2000, while a bit more
sane with security in general, flunks the test here.  The default location
of user.dmp on Win2k is C:\Documents and Settings\All
Users\Documents\DrWatson\user.dmp.  This means that if you are not an
administrator of the machine, user.dmp never gets created (only admins have
write access to All Users).  However, if you are, it gets put there with
Everyone/Full Control...  sigh...

BTW, the reason that the account name and/or password have "spaces" between
the letters is because they are likely stored in memory as Unicode strings.
So those aren't actually spaces, they're ASCII null characters; and there's
no way to search for that in notepad.  Sysinternals (www.sysinternals.com)
has a "strings" utility that can dump both ASCII and Unicode strings out of
binary files.

Workaround: Start/Run "drwtsn32.exe".  You should be greeted with a dialog
with crash dump options.  Turn off the "create crash dump" checkbox.  If you
still want the dump files for debugging purposes, change the location to a
secure directory that only you have access to.  You can even have the
system play a special sound whenever programs crash :)

Side note: If you have MSVC++ installed (tested with 5.0 and 6.0), user.dmp
never gets created.  Installing it changes the system debugger from Dr.
Watson to the MSVC debugger, so when a program crashes you get an option to
either terminate the process or start the debugger.

Craig Boston, CCNA
Network Admin.
Owen Oil Tools
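Craig's point above is that Unicode strings show up in the dump as letter, NUL, letter, NUL, which is why a plain-text search in Notepad misses them. The Python below is an added example, not code from either poster and not the Sysinternals tool: it scans a byte buffer for both ASCII and UTF-16LE printable runs (the same idea as "strings") and offers a check for whether a known credential is present, so an administrator can audit a crash dump before it is left somewhere readable. The sample dump bytes are constructed; the values in them are the bogus ones quoted in the original post.

```python
from typing import List, Tuple

def extract_strings(data: bytes, min_len: int = 4) -> List[Tuple[int, str, str]]:
    """Return (offset, encoding, text) for every printable run of at least
    min_len characters. Two passes: plain ASCII runs, then UTF-16LE runs
    (printable byte, NUL, printable byte, NUL, ...), which is how NT keeps
    Unicode strings in memory and therefore in user.dmp."""
    found = []
    # Pass 1: contiguous printable ASCII (0x20..0x7e).
    start = None
    for i, b in enumerate(data):
        if 0x20 <= b < 0x7F:
            if start is None:
                start = i
        else:
            if start is not None and i - start >= min_len:
                found.append((start, "ascii", data[start:i].decode("ascii")))
            start = None
    if start is not None and len(data) - start >= min_len:
        found.append((start, "ascii", data[start:].decode("ascii")))
    # Pass 2: UTF-16LE, tried at every byte offset so odd-aligned strings are caught.
    i, n = 0, len(data)
    while i + 1 < n:
        j = i
        while j + 1 < n and 0x20 <= data[j] < 0x7F and data[j + 1] == 0:
            j += 2
        if (j - i) // 2 >= min_len:
            found.append((i, "utf-16le", data[i:j].decode("utf-16-le")))
            i = j
        else:
            i += 1
    found.sort()
    return found

def dump_leaks(data: bytes, secret: str) -> bool:
    """True if a known secret appears in the dump in either encoding, so a
    dump can be checked before it is left world-readable or sent to a vendor."""
    return secret.encode("ascii") in data or secret.encode("utf-16-le") in data

# Constructed sample dump: junk bytes around an ASCII "POP3PASS" tag and two
# UTF-16LE values; the values are the bogus ones quoted in the original post.
SAMPLE_DUMP = (
    b"\x79\x2d\xf1\x5c\x04\x00\x00\x00" + b"POP3PASS" + b"\x00\xc1\x5c\x00\x00"
    + "DeMoN7116CDC".encode("utf-16-le") + b"\x00\x00\xff\xff"
    + "cazzz".encode("utf-16-le") + b"\x00\x00"
)

if __name__ == "__main__":
    for off, enc, text in extract_strings(SAMPLE_DUMP):
        print(f"{off:06x} {enc:9s} {text}")
```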

----- Original Message -----
From: -No Strezzz Cazzz
To: VULN-DEV () SECURITYFOCUS COM
Sent: Monday, March 19, 2001 11:57 AM
Subject: NT stores passwords in plaintext. (sp00ky)



[note that this is an updated version of my post sent to Bugtraq some time
ago]

Made in Holland
PCP/A #0004 (pr0ph)



Local Bug/Vulnerability in IE/OE


Exploitable: Well, read and decide for yourself.
Proved vulnerable: So far, NT4 Workstation with SP4.
Posted To: NTBugtraq/Bugtraq mailinglists & Packetstorm.


A copy of this text was sent to Microsoft at the same time I posted this to
the mailinglists. What can I say, xcept for: It's nothing personal, Bill.
After all they should have been aware of this for at least 2 years.



First of all shoutzzz go out to Neil Kirr ( nkirr () uu net ) for finding this
bug 2 years ago! Check out his post to the NTBugTraq mailinglist:
Message-ID: ntbugtraq549987.79296875

Shoutzzz also go out to Reverend Lola (for whetting my appetite on NT
security), and to Deeph Inc. (for being a great partner in packets) Good
luck with Perl, my phriend.

You may find some parts of this text very obvious (d0h), but the smallest
mistakes often trigger the worst disasters.


Reason that I make this posting is because I have more/additional
information. Neil only mentioned one password, I found two. He used
Outlook98, I use Lookout, eh Outlook (l4m3) Express 4.72 on NT4. Also in a
reply from the MS Outlook Program Manager to the NTBugtraq mailinglist it is
said that "User.dmp is the file written out when NT blue-screens". This is
not true, at least not in this case, it is obviously created because of an
error somewhere but my NT4 has NEVER Blue-screened on me yet. (that is if I
don't want it to Blue-screen on me, DoS By Demand) I will show you how/why
the USER.DMP file gets written, d00dz try this at home! Maybe it's a good
plan to first read Neil's original post and Russ' reply before you continue
reading this.


I am using bogus passwords in this text, for privacy reasons.  =oP

I didn't know about this vulnerability until I discovered it myself. I
found out about it while using the [find "POP3PASS" *] command while on the
\WINNT\system32 directory. (it kinda sucked to find out later that Neil
already discovered it 2 years ago, I searched AltaVista for "USER.DMP NT4"
to find out what USER.DMP was about and one of the first hits included his
posting to the NTBugtraq, but 0h well) I was playing with the "Find" command
to see what kind of info it could dig up. I really didn't expect it to come
up with:

---------- USER.DMP
POP3PASS

I thought this was really weird, first of all because my NT4 stored my
POP3-password in plain ASCII. And second because I never noticed the
USER.DMP file in the \WINNT\system32 (or anywhere else) before. So I opened
the file (I think the size was about 4MB) and retrieved my POP3-password by
Search/Find/POP3PASS (d0h). It showed up in the following lines:

                 y-ñ\    ß    POP3PASS Á\
":.Ð"¼ ÀOÔ?u-~A½"Ð"» ÀOÔ?          D e M o N 7 1 1 6 C D C


This is important to know, because it was close to "D e M o N" (I named my
provider DeMoN but in USER.DMP it was printed with a space between each
letter) so we could use that as an indicator in case we don't know the
password. By the way, if you open USER.DMP it might take a little while
before you actually see its content when you open it. Task Manager will
tell you that it's "not responding" but it is, just be a little patient.

I noticed that not only the complete contents of my OE (E-mail, usenet and
settings) were stored throughout the file, it also contained the contents
of my IE "Favourites" folder, my complete "History" folder and a sh!tload of
other data, most of it useless. But it has a ph0nky effect when you scroll
it down quickly, so that makes up for being useless. I of course checked if
perhaps the file also stored any other passwords, but it didn't. (that's what
I thought anyway)

I tried to figure out how that USER.DMP file got there, I formatted my comp
and installed NT4 again to make absolutely sure this wasn't some extremely
weird coincidence. The first thing I did on my "fresh" NT was to try to find
the USER.DMP file. It wasn't in the \WINNT\system32 directory, in fact it
wasn't anywhere on my system. Because I had no idea of how to create the
USER.DMP file I strezzzed out and kinda forgot about it. Until this morning
when I noticed a USER.DMP file in my \WINNT directory. (I don't know why it
appeared in the \WINNT directory instead of the \WINNT\system32 directory as
it did the first time). I opened it and found my POP3-password stored in
plain text, just like the first time.

One difference was that the file now was 11.9 MB. This is probably because I
had a huge lot of usenet postings that I didn't delete yet. This time I did
know what actions created the file. I like to play around a lot on my NT,
something I often do is to open all sorts of different files with Notepad
and then "read" through it to see if I can find something interesting. I do
this all the time, so this is most likely what created the file the first
time too. Anyway I started reading through the file, it's full of
weird/interesting stuff, but the most interesting thing I discovered was my
Administrator dial-up password for DeMoN. The reason why I couldn't retrieve
it with "Find" was because it was stored with a space between each letter,
something like: "P a z z z w 0 r d". It showed up in the following lines:


   R  kM  *   C:\WINNT\System32\RAS\rasphone.pbk
\ D E V I C E \ N D I S W A N 3
DeMoN
c a z z z
    m
                               @  @              
ÿÿÿÿÿÿÿ           -¨çw          çwo'
       P a z z z w 0 r d


Note that it's again close to my provider's name (DeMoN) and close to my
account name (cazzz). Only this time "c a z z z" is with spaces and "DeMoN"
is without them. Both my POP3 and dial-up password were located within the
first upper 10% of the file (still a HUGE load of data though). So now we
know that if we don't know any of those passwords we can probably find them
close to the account where our POP3 is located, and close to our account
name. Be sure you read the file from up to down, not from left to right,
use "Word Wrap" if needed. I can confirm that in all four USER.DMP's I have
had so far the passwords are close to the account or the account name.

You can cause a USER.DMP file to get created by doing the following:

Fill the "Newsgroups:" field in OutlookExpress with over 700 chars and press
"send". This will cause a buffer to overflow, it closes down OE and it
creates a USER.DMP file in your WINNT directory.

You can also close down the main OE window while you're viewing the source
of a message (Ctrl-F3 only). This will also close down OE and it creates a
USER.DMP file in your WINNT directory. Note that USER.DMP will be much
smaller with this one than if you try to create it with the "Newsgroups:"
overflow.

It might also be a good idea to clean out your Outlook
Express/Favourites/History/Cookie folders before testing this. You will
find all of their content back in USER.DMP, so it gets huge in a hurry.

Let me add this tiny, little & cute warning: Although I'm starting to like
NT4 more and more (face it, GUI is what makes the world go round) I still
get a big kick out of it when I'm able to blow it up (especially with
homemade vulnerabilities). I can do this because it's my NT and my computer.
So before you start to test this on your corporate LAN.....Be sure to
backup, H4H4H4, better saphe than s0rry. Oh, and because of Windows' nasty
habit to assume that if you open a file with Notepad all files of that type
turn into Notepad documents you may soon find your whole system32-folder
filled with Notepad-format files.

Solution: The solution to this problem is as simple as it is effective.
Just as Neil mentioned two years ago: Don't let IE/OE save your password
when you make a dial-up connection. And of course you need a brain that
works, would you believe that there are still people out there that use the
same password more than once? Tsk tsk. Doing that will lead you and your
system straight into oblivion when mixed with this Bug. You can unsave your
password by choosing: Security/Unsave Password on your dial-up network
monitor.

You would help us out a lot if you would test this and mail the results to
the Bugtraq lists and/or to us:

Industrial_Strength () cazzz demon nl  (The Exploiters)

We will store the info in our private PCP/TNT archives, thanks.


Another fine Planet Cazzz Production/Advisory, in association with The
Nations Top. We cannot be held responsible for your actions, but you can
try. Made in Holland. PCP/A #0004 (pr0ph)


We want to say hell0 to all the Crackers, the Hackers and the Phreax. We
want to say hell0 to all the people in this place. We want to say hell0 to
all the Sinners and 31337. We say hell0 to all the people in the world...




-No Strezzz Cazzz, Powered By UN0X

PCP, Phencyclidine: Causes a range of bizarre and violent effects.

