NT Versions affected:

3.5, 3.51, 4.0

Problem:

The registry includes a default entry for <HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa> which has a value <Notification Packages: REG_MULTI_SZ: FPNWCLNT>. This is a DLL which normally exists only in an Netware environment. A false FPNWCLNT.DLL can be stored in the %systemroot%\system32 directory which collects passwords in plain text.

Comple the below C code and .DEF file into a DLL called FPNWCLNT.DLL and copy it to %systemroot%\system32.

Reboot the machine. Password changes and new user creation are funnelled through this DLL with the following information, Username, Plaintext password, RID (relative domain id).

Install on the Primary domain controller for an NT domain, and it will capture all users passwords in plain text.

Exploit code removed at author's request.

Fix:

The password sniffing DLL is placed as %SYSTEMROOT%\SYSTEM32\FPNWCLNT.DLL which is present in a netware environment, but otherwise does not exist. The registry by default does have an entry which points to this DLL.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA

has an entry

Notification Packages: REG_MULTI_SZ: FPNWCLNT.

Make sure you remove this entry and protect this location in the registry to read-only.