From: gorkab@sanchez.com (Brian Gorka)
Date: Wed, 17 Jan 1996 23:11:33 +0800
To: "'Cypherpunks Mailing List'" <cypherpunks@toad.com>
Subject: RE: MS story
Message-ID: <01BAE4C0.F4B0EF40@loki>
MIME-Version: 1.0
Content-Type: text/plain


From: 	Rich Graves[SMTP:llurch@networking.stanford.edu]
Sent: 	Tuesday, January 16, 1996 2:00 PM
To: 	Simson L. Garfinkel
Subject: 	Re: MS story

   Peter explained a bit about what he *could have* done when he provided
   the source code, and Frank Andrew Stevenson also had some ideas. The
   people below are working on an independent hack that will pop up stored
   passwords for Windows 95, again whether you have the 128-bit RC4 patch
   applied, and have turned off persistent password caching to disk, or
   not. Brian Gorka described the exploit they're working on (but have not
   finished, no) on in a message to cypherpunks:

A friend and I discovered this 'feature' accidentally. (now that I checked 
c2's Hack MSoft page I see someone else exploited it in WFW)  Using 
heapwalker on WFW, we noticed the password cache was not encrypted.  I 
wanted an official C2 I hacked Micro$oft Tee-Shirt and we wondered if this 
was still true after the Windows 95 password cache 'fix'.  We fired up h  
eapwalker and found nothing.  It won't let you look in that area.  BUT, 
After firing up SoftICE for Windows 95, we found the area in less than 5 
minutes.  It is in the C000 0000 memory area (the system area), and the 
password information is ALWAYS a constant offset from some text. (IFSMGR I 
think)  Dumping it out is pretty easy, and as soon as we get some free 
time, the rest of the code will flow, we have something in the way of 
output, but it's not pretty.