[NTSEC] NT Displays Plain-Text Netware Passwords (fwd)

Ray Arachelian sunder at brainlink.com
Thu Apr 24 10:31:55 PDT 1997




=====================================Kaos=Keraunos=Kybernetos==============
.+.^.+.|  Ray Arachelian    | "If  you're  gonna die,  die  with your|./|\.
..\|/..|sunder at sundernet.com|boots on;  If you're  gonna  try,  just |/\|/\
<--*-->| ------------------ |stick around; Gonna cry? Just move along|\/|\/
../|\..| "A toast to Odin,  |you're gonna die, you're gonna die!"    |.\|/.
.+.v.+.|God of screwdrivers"|  --Iron Maiden "Die With Your Boots on"|.....
======================== http://www.sundernet.com =========================
  For with those which eternal lie, with strange eons even death may die.


---------- Forwarded message ----------
Date: Thu, 24 Apr 1997 01:37:49 -0500
From: Patrick Hayden <patrick.hayden at ibm.net>
To: ntsecurity at iss.net
Subject: [NTSEC] NT Displays Plain-Text Netware Passwords

Windows NT 4.0, with Microsoft's Client Services for Netware, or
Novell's IntraNetware Client for Windows NT, writes plain-text user-id
and password information to PAGEFILE.SYS.  The user-id and password
apply to Netware, however, users commonly use the same logon information
for both NT and Netware.  It is possible to then recover the plain-text
information by using a disk editor.

Tests have been performed (with more pending) on these systems:

Windows NT Workstation 4.0 w/SP1 and IntraNetware Client for NT (970214)
     Pent. 133 Laptop  24MB RAM  50MB PAGEFILE.SYS
Windows NT Workstation 4.0 w/SP1 and Microsoft Client Services for
Netware
     Dual Pent 166   64MB RAM  80MB PAGEFILE.SYS
Novell Netware 4.11 Server

1.  Set /MAXMEM=12 in BOOT.INI so as to force swapping.
2.  Load NT; Authenticate to NT and Netware (I used the same ID and
password for both systems.); Verify connection by mapping a drive.
3.  To ensure that sufficient swapping takes place, run a large program
(this forces the user-id and password information stored in RAM to be
placed into PAGEFILE.SYS.)
4.  Exit NT; Boot to DOS; diskedit PAGEFILE.SYS
5.  Search for one of the following strings (do NOT include the ""
items):

 IntraNetware Client:
     NWUserName="user-id"
     WlMprNotifyPassword="password"
     "UserName"    (if the username is alone, the password will follow
very closely)

 Client Services for Netware:
     nwcs"password"    (the password is all CAPS and will immediately
follow nwcs)

In a "real-life" environment, most likely there will be enough swapping
on the system that setting the /MAXMEM switch will be unnecessary.  The
switch is only to help confirm that this hole exists.

If anyone has any knowledge of this, please post it to the list.

Patrick Hayden
Security Consultant – Ernst & Young, LLP
patrick.hayden at ibm.net
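A defender-side check for the residue described in the forwarded post, added here as an example and not part of the original message: it scans an offline copy of PAGEFILE.SYS for the three marker strings the post names and reports where each occurs and how long the quoted value is, without ever returning the value. Checking the UTF-16LE form of each marker alongside the ASCII form is an assumption (NT stores many strings as wide characters); the post itself searched with a disk editor.

```python
# Markers named in the post. Each is checked in ASCII and in UTF-16LE; the
# wide-character form is an assumption added here, not from the original post.
MARKERS = {
    "IntraNetware Client username": 'NWUserName="',
    "IntraNetware Client password": 'WlMprNotifyPassword="',
    "Client Services for Netware password": 'nwcs"',
}
ENCODINGS = ("ascii", "utf-16-le")

def scan_pagefile_image(data, max_value_len=64):
    """Return (label, encoding, offset, value_length) per marker hit; the quoted
    value itself is never returned, only its length, so the report is safe to share."""
    hits = []
    for label, marker in MARKERS.items():
        for enc in ENCODINGS:
            pattern, quote = marker.encode(enc), '"'.encode(enc)
            width = len(quote)              # 1 byte per char (ASCII) or 2 (UTF-16LE)
            start = 0
            while True:
                idx = data.find(pattern, start)
                if idx < 0:
                    break
                value_start = idx + len(pattern)
                end = data.find(quote, value_start)
                if end < 0 or end - value_start > max_value_len * width:
                    end = value_start + max_value_len * width   # unterminated: cap it
                hits.append((label, enc, idx, (end - value_start) // width))
                start = value_start
    return hits

# Constructed sample image: filler bytes around three planted markers. Real
# input would be a copy of PAGEFILE.SYS taken while NT is not running.
SAMPLE_IMAGE = (
    b"\x00" * 32
    + b'NWUserName="jdoe"\x00\x00'
    + b"\x90" * 16
    + b'WlMprNotifyPassword="s3cret"\x00'
    + 'nwcs"S3CRET"'.encode("utf-16-le")
    + b"\xff" * 8
)

def main(path=None):
    data = open(path, "rb").read() if path else SAMPLE_IMAGE
    hits = scan_pagefile_image(data)
    for label, enc, off, n in hits:
        print(f"{label} ({enc}) at offset 0x{off:x}: {n}-character value redacted")
    return 1 if hits else 0             # non-zero: credential residue is present

if __name__ == "__main__":
    main()
```

Call `main("copy-of-pagefile.sys")` against an image taken while NT is shut down (the live file is locked); a non-zero return means the client left credentials in the pagefile.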
