Win9x Legacy Credential Caching
Reported November 29, 1999 by
Microsoft
VERSIONS AFFECTED
  • Microsoft Windows 95 and 98 (excluding Win98 2nd Edition)

DESCRIPTION

Microsoft reported a vulnerability in its Windows 9x operating systems caused by a legacy mechanism for caching network security credentials. The vulnerability could allow a user"s plaintext network password to be retrieved from the cache.

According to the company bulletin, "Windows for Workgroups(r) provided a RAM-based caching mechanism that cached the user"s plaintext network credentials for use by real-mode command-line networking utilities."

"In Windows for Workgroups, networking commands were performed via command-line utilities like the "NET" command. The first time a networking command was used, the user was prompted for his or her network password, and it was stored in RAM in plaintext. Subsequent networking commands would check to see if the password was available and, if so, use the RAM-based one rather than re-prompting the user for it."

"Part of this mechanism was carried forward into the Windows 95 and 98 designs, even though it is not used by either. A malicious user could query this mechanism to obtain the network credentials of the last person to use the machine for network access, as long as they had physical access to the machine and it had not been rebooted since the last networking session."

VENDOR RESPONSE

Microsoft has released a bulletin, FAQ, Support Online article Q168115, and patches for Windows 95 and Windows 98 First Edition.

CREDITS
Discovered by Microsoft