Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com

Neohapsis > Archives > Win2KSecurity Advice> 1999-q4

NTSecAdvice Archives: Re: Caching of passwords revealed after i

Re: Caching of passwords revealed after installing SP6

Noël, Richard (richard.noelGETRONICS.COM)
Mon, 1 Nov 1999 08:41:11 -0500

Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Next message: Chris: "Re: RFP9906 - Services.exe DoS in NT 4 (RFPoison)"
Previous message: .rain.forest.puppy.: "RFP9906 - Services.exe DoS in NT 4 (RFPoison)"
Next in thread: Steve Manzuik: "Re: Caching of passwords revealed after installing SP6"

Thanks for the info, Ian. I guess the question remains however, if only in
my mind, whether the cached credentials on an unpatched SP5 system are
accessible to just anyone having physical access to the machine. And
certainly the behavior after installing SP6 is a big concern - anyone having
physical access to the machine can build a tunnel without having credentials
themselves or even having to guess the credentials of the previous user.

It seems (to me) that out of consideration of the pre-existing vulnerability
Microsoft should have sacrificed convenience and cleared the credential
cache as part of installing SP6.

Richard

-----Original Message-----
From: Ian Vaudrey [mailto:IVaudreyEXCHANGE.TALK-RADIO.CO.UK]
Sent: Monday, November 01, 1999 1:49 AM
To: WIN2KSECADVICELISTSERV.NTSECURITY.NET
Subject: Re: Caching of passwords revealed after installing SP6

Caching passwords, even though that option has never been selected, is a
known RAS/RRAS 'feature'. A hotfix was released for it back in May and has
been incorporated into SP6, you need to 'unsave password' after installing
either of these.

See http://support.microsoft.com/support/kb/articles/Q230/6/81.ASP and
http://support.microsoft.com/support/kb/articles/Q233/3/03.ASP

- Ian

> -----Original Message-----
> From: "Noël, Richard" [mailto:noelWANG.COM]
> Sent: 31 October 1999 22:01
> To: WIN2KSECADVICELISTSERV.NTSECURITY.NET
> Subject: Caching of passwords revealed after installing SP6
>
>
> I found something disturbing today. I installed SP6 on an
> NT4 SP5 server
> that I've been using as a PPTP client for the past couple of
> years. After
> installing SP6, I found that the setting for saving passwords
> for at least
> PPTP dial-up has been enabled which is a feature I never,
> never use. While
> this is bad, the disturbing part revealed by installing SP6
> is that even
> though I never used the "Save password" feature with PPTP, my
> password was
> in fact being cached. I know this because the first four PPTP dial-up
> connections I tried (i.e. four different PPTP servers) all immediately
> connected and authenticated without prompting me for credentials. Two
> others failed to connect immediately because the cached
> password did not
> match the current password for my domain account.
>
> If any of you get a chance, could you pls verify this behavior.
>
> Thanks,
> Richard
>

Next message: Chris: "Re: RFP9906 - Services.exe DoS in NT 4 (RFPoison)"
Previous message: .rain.forest.puppy.: "RFP9906 - Services.exe DoS in NT 4 (RFPoison)"
Next in thread: Steve Manzuik: "Re: Caching of passwords revealed after installing SP6"

This archive was generated by hypermail 2.0b3 on Mon Nov 01 1999 - 08:31:13 CST