Password cache files accessible

win95-nbsmbpwl (71) The risk level is classified as High Risk

Description:

Windows 95, Windows for Workgroups, and DOS network clients cache passwords on the hard drive in files with the .PWL file extension. These password cache files are weakly encrypted, easily broken, and should not be made accessible on a shared file system. In updated or patched versions of Windows 95, the encryption is stronger.

Password cache files are kept in known locations and contain passwords for every service accessed from the host. An attacker who obtains a copy of password cache files can access all of the Internet services available through the passwords in that file.


Consequences:

Gain Privileges

Remedy:

Turn off password caching and file sharing on the host if they are not needed, or restrict sharing to only the parts of the drive that must be shared. Apply the latest service patches for your operating system.

Windows 95: Disable password caching and remove file and print sharing. Install Windows 95 OEM Service Release 1, or apply the Mspwlupd.exe fix from Microsoft (See MSKB Article Q132807 in the References).

To disable password caching, use the Registry Editor to set the DisablePwdCaching registry value:

CAUTION: Use Registry Editor at your own risk. Any change using Registry Editor may cause severe and irreparable damage and may require you to reinstall your operating system. Internet Security Systems cannot guarantee that problems caused by the use of Registry Editor can be solved.

  1. From the Windows Start menu, select Run.
  2. Type regedit and click OK to open the Registry Editor.
  3. Go to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Network.
  4. From the Edit menu, select New DWORD value.
  5. Type the value name as DisablePwdCaching.
  6. Change the Value Data to 1 and click OK.

To remove file and print sharing from Windows 95:

  1. Open the Network control panel.
  2. From Configuration, click File and Print Sharing.
  3. Disable 'I want to be able to give others access to my files.' and disable 'I want to be able to allow others to print to my printer(s).'
  4. Click OK and restart the computer. The Windows 95 computer no longer allows shares to exist or be created.
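To verify the two procedures above from an administrator's workstation, the following added example (not ISS or Microsoft code) parses a Registry Editor text export for the DisablePwdCaching value and lists any .PWL files left in a directory tree that is shared. The function names, the sample export and the sample tree are constructed for illustration, and Python is assumed to run on the auditing machine rather than on the Windows 95 host.

```python
import os
import re
import tempfile

# Key and value name as given in the remedy steps above.
POLICY_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Network"
VALUE_NAME = "DisablePwdCaching"

# Constructed sample of a Registry Editor export (REGEDIT4 text format).
SAMPLE_EXPORT = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Network]
"DisablePwdCaching"=dword:00000001
'''

def caching_disabled(reg_text):
    """True only if DisablePwdCaching is the DWORD 1 under the policy key."""
    section = None
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].rstrip("\\").lower()  # key names are case-insensitive
            continue
        m = re.match(r'"([^"]+)"=dword:([0-9a-fA-F]{1,8})$', line)
        if m and section == POLICY_KEY.lower() and m.group(1).lower() == VALUE_NAME.lower():
            return int(m.group(2), 16) == 1
    return False  # value absent: treated as caching not disabled

def find_pwl_files(root):
    """Return paths of password cache files (*.PWL, any case) under root."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        hits += [os.path.join(dirpath, f) for f in files if f.lower().endswith(".pwl")]
    return sorted(hits)

def audit(reg_text, shared_root):
    """Collect findings for one host: policy state plus exposed cache files."""
    findings = []
    if not caching_disabled(reg_text):
        findings.append("DisablePwdCaching is not set to 1")
    findings += ["password cache file in shared tree: " + p for p in find_pwl_files(shared_root)]
    return findings

if __name__ == "__main__":
    # Constructed directory tree standing in for a shared drive.
    with tempfile.TemporaryDirectory() as root:
        os.mkdir(os.path.join(root, "WINDOWS"))
        open(os.path.join(root, "WINDOWS", "ALICE.PWL"), "wb").close()
        for finding in audit(SAMPLE_EXPORT, root):
            print(finding)
```

An empty result from `audit` means the export shows caching disabled and no password cache file was found under the shared tree.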

Upgrade to Windows 95 OEM Service Release 1 or install the Mspwlupd.exe update as described in MSKB Article Q132807 (see references):

  1. Download the Mspwlupd.exe file from the Microsoft Download Center to an empty folder.
  2. In My Computer or Windows Explorer, double-click the Mspwlupd.exe file you downloaded in step 1.
  3. Follow the instructions on the screen.

For Windows NT:

Apply the latest Windows NT 4.0 Service Pack (SP4 or later), available from the Windows NT Service Packs Web page. See References.

— AND —

Remove unnecessary shares. Choose one of these options:

Remove the share from a local computer:

  1. From the local computer, open Windows NT Explorer.
  2. Navigate to the shared folder.
  3. Right-click the shared folder name and select Sharing to display the Properties dialog box.
  4. To disallow access to all users, select the Not Shared check box.
  5. Click OK.

Remove the share from a remote computer:

  1. From a remote computer, open the Server Manager.
  2. Select the host name from the list.
  3. From the Computer menu, select Shared Directories to display the Shared Directories dialog box.
  4. Select the SMB share.
  5. Click Stop Sharing.
  6. Click OK.

Remove the share from the command line:

  • From a command prompt, type: net share sharename /delete.

References:

Platforms Affected:

  • Microsoft Windows 3.11
  • Microsoft Windows 95
  • Microsoft Windows 98
  • Microsoft Windows 98SE
  • Microsoft Windows Me

Reported:

May 01, 1996

The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

For corrections or additions please email xforce@iss.net
