Win 9x Novell client security issue
Zimm...@elps.k12.mi.us
I have an Student that appearantly has a program that will read passwords
from any user that has logged into a machine. This has not been verified.
I do know there is a program that will read a users cached password and
display that. I have verified it.
I will be meeting with the student that has this program here in the near
future. But I am concerned about the program being able to read passwords
across the network. This was not verified by myself but was witnessed by
another user.
Our enviroment is that of a K-12 school district running 98SE machines.
Students realy like to test their hacking skills.
Has anyone heard about this software and direct me to it. The Software
that reads Was featured in a dateline or similar program dealing with
network security about 6 months ago.
Edison Ortiz
> from any user that has logged into a machine.
The Novell Client does not log the user into the machine. The Novell Client
logs the user to a NetWare server. What you are talking about is the .pwl
file which can be easily cracked with many tools. I won't be posting links
to any such tools and the only recommendation is to search google on that.
--
Edison Ortiz
Novell Product Support Forum SysOp
(No Email Support, Thanks !)
zimm...@elps.k12.mi.us
password.
I am familiar with the programs that read the PWL file, and am not refering
to those.
The utility that I did verify actually read the Novell Client's cached
password and displayed it. On the particular machine I deleted all PWL
files, in DOS, to make sure that it wasn't reading those. The particular
program also read my Groupwise password even though I was not logged into
groupwise.
This particular program is a minor security risk as it will only read the
user specific information for the individual logged in to the specific
machine it is run on.
However the other program that I have not verified appearently read users
and passwords across the network. some had never logged into the particular
machine.
Now I have not verified this and intend too when I find out the program
that was used. But I am seeing if anyone has heard of this I meet with the
student that has the utility.
Edison Ortiz
I'll ask Novell to confirm how passwords are stored in Windows9x.
Edison Ortiz
Here is Novell's reply:
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
The places where the password is stored in memory are encrypted and
un-crypted each time for use. I don't recall that there are any such
places if the "cache NetWare password" option is turned off in the
Novell 9x client properties.
So the alleged utility may have simply found a place other than this
where the password is saved & not encrypted, or may have found a
manner in which to decrypt the cached password.
Neither of which I would consider particularly likely, since indeed it
would be far more common to simply read the Windows password knowing
its many times the same as the NetWare password.
Although the poster is specifically disclaiming that, they don't sound
like they're immune to just having wool pulled over their eyes by
whomever is "in control" of this utility.
(i.e. The idea that they've specifically made all these tests &
conditions, yet aren't even in posession of the utility, seems a
little dubious. At least enough so to reserve any real concern or
judgement until after such a utility has actually been produced.)
zimm...@elps.k12.mi.us
the software.
The windows PWL file was removed deleted from the machine so no windows
passwords would be accessable to utility.
The utility was run.
The utility told me following information
My username and context.
My password.
My groupwise password
The context of the Post office I belong too.
Loged out/ rebooted the machine
Logged in as a different user
Canceled the Windows password screen so no windows password.
Reran the utility
The utility gave me the following information
Username and Context
Password
Being that the account did not have Groupwise it did not show Groupwise
information.
I do admit that the utility that allegedly read passwords from across the
network, is not in my hands and cannot at this time verify it. The person
that did witness this is a reliable person. and as such I am in the process
of verifying.
However the First utility I have personally verified and would think that
Novell would not be so quick to dismiss this as someone haveing the wool
pulled over there eyes. Expesially since the software was discussed on and
demonstrated by Security consultants on national news.
Edison Ortiz
Ok, I'll forward your concerns over to Novell.
Edison Ortiz
I'm afraid that in order to proceed with this further, you will
have to open an incident. There is a lot of information from you
and Novell that need to be discussed in a private (one-to-one)
manner.
Kai Reichert
because the password is never transfered over the network.
Anyway, we would need to know which tool that is. Otherwise nobody can
verify or even fix potential security problems.
If you wish you can open an incident, mail it to any of the sysops or
upload it zipped to ftp.novell.com/incoming and give us the name of the
uploaded file.
--
Regards, Kai Reichert
Novell Support Forums Sysop
There are two major products to come out of Berkeley: LSD and UNIX.
We don't believe this to be a coincidence.
zimm...@elps.k12.mi.us
utility was reading the PWL files and the person thought it was showing
passwords but it was not.
The first utility I do have and will send it to a sysop.
Now for the stupid question, as I have never done this where can I get a
sysop e-mail address? I don't see them listed. I am Web accessing the
forum not NNTP.
Kai Reichert
--
Regards, Kai Reichert
Novell Support Forums Sysop
C makes it easy to shoot yourself in the foot. C++ makes it harder, but
when you do, it blows away your whole leg. - Bjarne 'Stumpy' Stroustrup