1996-01-16 - Re: Need confirmation of Win95 password encryption back door

Header Data

From: gorkab@sanchez.com (Brian Gorka)
To: "'cypherpunks@toad.com>
Message Hash: a4114f468e3d6c3da0d1a38d1b7dab92577510b9c1523bc25a8bba35a37ea73e
Message ID: <01BAE3EF.2418BD80@loki>
Reply To: N/A
UTC Datetime: 1996-01-16 20:09:16 UTC
Raw Date: Wed, 17 Jan 1996 04:09:16 +0800

Raw message

From: gorkab@sanchez.com (Brian Gorka)
Date: Wed, 17 Jan 1996 04:09:16 +0800
To: "'cypherpunks@toad.com>
Subject: Re: Need confirmation of Win95 password encryption back door
Message-ID: <01BAE3EF.2418BD80@loki>
MIME-Version: 1.0
Content-Type: text/plain

A friend and I were working on an exploit of this.  It is true.  We were 
not working on a grepper, but we found the offset where the passwords 
reside and were going to dump them into a dialog box.  If you are planning 
to exploit this, we will stop our previous efforts.

From: 	Rich Graves[SMTP:llurch@networking.stanford.edu]
Sent: 	Monday, January 15, 1996 5:20 PM
To: 	cypherpunks@toad.com
Cc: 	frank@funcom.no; pgut01@cs.auckland.ac.nz
Subject: 	Need confirmation of Win95 password encryption back door

A Major Media Outlet requires confirmation that Windows 95, to facilitate
its automatic reconnect feature for sleeping laptops and temporary network
outages, caches all network passwords (NetWare, NT, UNIX running Samba,
SLIP/PPP dialup) in unprotected memory in clear text, whether you've
disabled persistent "password caching" to disk and applied the December
14th 128-bit RC4 .PWL patch, or not. There seems to be no way to turn
this off.

The idea, of course, is that a simple trojan horse could do whatever it
wanted with this information.

We know that this vulnerability exists in Windows for Workgroups, and
Peter wrote a little demo (on hackmsoft page below, without source), but
the APIs appear to have changed in Win95.

So, anyone have Win95 and some time to kill, or can anyone recommend a
good DOS/Windows RAM grepper?

- -rich@c2.org

 $ Mon Jan 15 22:17:10 PST 1996 $
 $ From llurch@networking.stanford.edu to cypherpunks@toad.com $

Brian Gorka
Key fingerprint =  ED 7D 78 7E 95 E8 05 01  27 01 A1 74 FA 4B 86 53