Win9x Legacy Credential Caching
Reported November 29, 1999 by Microsoft
Microsoft reported a vulnerability in its Windows 9x operating systems caused by a legacy mechanism for caching network security credentials. The vulnerability could allow a user"s plaintext network password to be retrieved from the cache.
According to the company bulletin, "Windows for Workgroups(r) provided a RAM-based caching mechanism that cached the user"s plaintext network credentials for use by real-mode command-line networking utilities."
"In Windows for Workgroups, networking commands were performed via command-line utilities like the "NET" command. The first time a networking command was used, the user was prompted for his or her network password, and it was stored in RAM in plaintext. Subsequent networking commands would check to see if the password was available and, if so, use the RAM-based one rather than re-prompting the user for it."
"Part of this mechanism was carried forward into the
Windows 95 and 98 designs, even though it is not used by either. A malicious user could
query this mechanism to obtain the network credentials of the last person to use the
machine for network access, as long as they had physical access to the machine and it had
not been rebooted since the last networking session."
Discovered by Microsoft