-----BEGIN PGP SIGNED MESSAGE-----

===========================================================================
AA-97.25                        AUSCERT Advisory
		   Windows95 Network Password Vulnerability
                                  3 June 1997

Last Revised: --

- ---------------------------------------------------------------------------

AUSCERT has received information that a vulnerability exists in the way
that network passwords are stored in memory by Microsoft Windows95 systems.
This vulnerability may allow the unauthorised access to the plain text
password for the currently logged in user.  This can lead to unauthorised
access to the user's network account.

Microsoft has released a security bulletin, containing patch information,
addressing the vulnerability.  These patches encrypt the passwords stored
in memory.  The security bulletin and patches are described in this
advisory.

- ---------------------------------------------------------------------------

1.  Description

    A vulnerability exists in the way that network passwords are stored
    in memory by Microsoft Windows95 systems.  This vulnerability may
    allow unauthorised access to the plain text password for the currently
    logged in user.  Although the password is encrypted before sending it
    over a network, it is stored unencrypted in the system's memory.
    Access to the password for the currently logged in user is possible
    through careful examination of memory structures.  It is possible to
    develop a program to simplify this attack.

    To obtain the password currently stored in memory, a program must be
    executed on the system.  This can be done by either gaining physical
    access to the computer or misleading the user into executing the
    program.  These actions must be performed while the network user is
    still logged in.

    The user can be misled into running a malicious program by downloading
    untrusted information from the Internet, or by some other means such
    as embedding the malicious program in a Macro contained in a file that
    gets executed when the file is opened by the user.  This file may be
    sent to the user as an attachment to an electronic mail message.

2.  Impact

    Unauthorised access may be gained to the network password of the user
    logged in to a Windows95 system.

    This can lead to unauthorised access to the user's network account
    using the compromised password.

3.  Workarounds/Solution

    Official vendor patches have been released by Microsoft which address
    this vulnerability (Section 3.1).  AUSCERT recommends that sites apply
    the patches given in this bulletin immediately.

3.1 Install vendor patches

    Microsoft has released a security bulletin, containing patch
    information, addressing the vulnerability described in this advisory.
    This bulletin can be located on their security page on Microsoft's
    Web site at http://www.microsoft.com/security/ and is titled "Microsoft
    Windows 95 Update to Enhance Password Security".

    Additionally, a Microsoft Knowledge Base article has been developed
    by Microsoft detailing more information about this problem and
    associated fixes.  It can be located by going to Microsoft Australia's
    home page (http://www.microsoft.com.au) and following the links to
    "Support", and then to "Knowledge Base".  The specific Knowledge Base
    article to search for is Q165402.  This article can also be referenced
    as http://www.microsoft.com/kb/articles/q165/4/02.htm

    Both the bulletin and the Knowledge Base article contain pointers to
    patches that can be downloaded.

    AUSCERT recommends that sites apply the patches given in this bulletin
    immediately.

4.  Additional Measures

    To gain access to the user's password, the user must first be logged
    in to the network from a Windows95 system using their account and
    password.  The password is obtained by either someone running a program
    on the system, or a program must be executed by the user or on the
    user's behalf.  Executing a program can be done by either gaining
    physical access to the system or misleading the user into running an
    untrusted program.  The user can be misled into running a malicious
    program by downloading untrusted information from the Internet, or by
    some other means such as embedding the malicious program in a Macro
    contained in a file that gets executed when the file is opened by the
    user.  This file may be sent to the user as an attachment to an
    electronic mail message.

    Educating users can address each of these scenarios.  The ability to
    exploit this vulnerability can be reduced if unauthorised access to
    the system, while the user is still logged in, can be minimised or
    eliminated.  One way this can be achieved is if each user logs off
    from the network any time they leave the computer for reasonable
    periods of time, or runs a password protected screen saver.

    Users should also be educated not to run untrusted programs that have
    been given to them on disk or via Email, or downloaded from a network.
    Email attachments should be scanned for any unauthorised macros.

- ---------------------------------------------------------------------------
AUSCERT thanks the Australian Bureau of Statistics and Microsoft for their
assistance and response in the preparation of this Advisory.
- ---------------------------------------------------------------------------

The AUSCERT team have made every effort to ensure that the information
contained in this document is accurate.  However, the decision to use the
information described is the responsibility of each user or organisation.
The appropriateness of this document for an organisation or individual
system should be considered before application in conjunction with local
policies and procedures.  AUSCERT takes no responsibility for the
consequences of applying the contents of this document.

If you believe that your system has been compromised, contact AUSCERT or
your representative in FIRST (Forum of Incident Response and Security
Teams).

AUSCERT is located at The University of Queensland within the Prentice
Centre.  AUSCERT is a full member of the Forum of Incident Response and
Security Teams (FIRST).

AUSCERT maintains an anonymous FTP service which is found on:
ftp://ftp.auscert.org.au/pub/.  This archive contains past SERT and AUSCERT
Advisories, and other computer security information.

AUSCERT also maintains a World Wide Web service which is found on:
http://www.auscert.org.au/.

Internet Email: auscert@auscert.org.au
Facsimile:	(07) 3365 4477
Telephone:	(07) 3365 4417 (International: +61 7 3365 4417)
		AUSCERT personnel answer during Queensland business hours
		which are GMT+10:00 (AEST).
		On call after hours for emergencies.

Postal:
Australian Computer Emergency Response Team
Prentice Centre
Brisbane
Qld.  4072.
AUSTRALIA


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Revision History


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

-----BEGIN PGP SIGNATURE-----
Version: 2.6.3i
Charset: noconv
Comment: ftp://ftp.auscert.org.au/pub/auscert/AUSCERT_PGP.key

iQCVAwUBM5PWMyh9+71yA2DNAQHCuAP7BWLww8EpTjAdKlZjuRsnykeiGwZwaof3
GRnvsc5i2BnQ/uYBTqOAds5MaajN4GHQXMUY0hIPvPjHsGc26GD9CwHsLrEONXBD
zjwG5acwFW6S4REWZcqMkvISIZzOlvbhYdV3pmPpDDSf7Hv1FpsH0zQu2aaDmo5W
KYmabfKHXGw=
=iiO8
-----END PGP SIGNATURE-----