The L0pht spends considerable time researching and documenting security flaws that exist in the internet infrastructure. These flaws may be in operating systems, networking protocols, or application software. So that system administrators, users, and software and hardware vendors may benefit from our knowledge, we share some of it with you.

The L0pht Advisories are meant as an archive of vulnerabilities that we have researched and made public. As part of the Advisories we will be publishing detailed tutorials and documentation about the techniques and tools used to uncover programming and protocol flaws.

Microsoft NT Passwords L0phtCrack 1.5 the Microsoft NT cracker L0phtcrack will recover passwords from Windows NT registries in a variety of fashions, including exhaustive keyspace attacks. mudge@l0pht.com weld@l0pht.com
L0phtCrack 1.5 info

L0phtCrack 1.5 exe

L0phtCrack 1.5 src

Microsoft NT Passwords L0phtCrack the Microsoft NT cracker L0phtcrack will recover passwords from Windows NT registries in a variety of fashions, including exhaustive keyspace attacks. mudge@l0pht.com weld@l0pht.com
Recently several NT password crackers have emerged. We offer this one with the belief that it offers some features and functionality that the current ones do not have.

L0phtcrack will recover passwords from Windows NT registries in a variety of fashions.

By feeding in the output from PWDump [by Jeremy Allison, jra@cygnus.com] and a dictionary file, L0phtcrack rev 1 will attempt to retrieve:

1) only the LANMAN plaintext password
2) only the NT Dialect MD4 plaintext password [see reasoning below]
3) Both the LANMAN and MD4 plaintext passwords (by deriving the MD4 password from the LANMAN output and running through up to 2 to the Nth power permutations)

Alternatively, L0phtcrack gives you the capability to _brute force_ the entire key space and recover ALL USER PASSWORDS up to 14 characters in length.

By going through the entire keyspace available, this program WILL RETURN ALL OF THE PLAINTEXT PASSWORDS (both LANMAN and MD4) up to and including 14 characters in length (note that the User Login Dialog box on NT machines limits the amount of characters that can be typed to 14 for the MD4 dialect. Future releases of this software will enable brute forcing of up to 16 characters for MD4).

L0phtcrack comes in three flavours:

1) A nice Windows GUI interface so you can point and click.
2) A CLI version for running in "DOS" windows.
3) Source code that is generic enough to build on most Un*x's.

Full L0phtCrack information.

L0phtCrack in zipped format.

L0phtCrack in tar gzipped format.

UPDATED 3/24/97
IIS 3.0 Windows NT Server 4.0 Users view the contents of .asp files which could contain sensitive information such as passwords. weld@l0pht.com
Microsofts IIS 3.0 supports server side scripting using "Active Server Pages" or .asp files. These files are meant to execute and not be visible to the user. These scripts may contain sensitive information such as SQL Server passwords. These files can be downloaded and viewed instead of executed by replacing '.' in a URL with a '%2e'.

There is a hot-fix for this problem available from Microsoft Dated Thu Feb 27 14:22:00 1997 This problem only exists in sites without the hot-fix that attempted a fix using using an ISAPI filter that failed to filter out '%2e' correctly.

IIS 3.0 .asp Vulnerability.

1/14/97 Dynamically linked SUID programs calling getopt(3) Solaris OS Users can exploit a problem in Solaris SUID programs that use getopt(3) to obtain elevated priveledges. mudge@l0pht.com
Scenario: A buffer overflow condition exists in the getopt routine. By supplying an invalid option and replacing argv[0] of a SUID program that uses the getopt(3) function with the appropriate address and machine code instructions, it is possible to overwrite the saved stack frame and upon return force the processor to execute user supplied instructions with elevated permissions.

Solaris Libc Vulnerability.

1/14/97 Filter Fresh Coffee Machines Users can gain access using a factory default backdoor. /dev/null@l0pht.com
Scenario: Suppose you don't work at Microsoft, Sun, or any of the companies that provide free hot caffinated beverages to their employees. It's a sad day when you find yourself at work (or scrounging around someone elses place of employment... I dunno, perhaps leaving a portable sniffing laptop up in the acoustic ceiling tiles) around 2am and the only coffee available is from a FILTER FRESH vending machine. It's even sadder when you are being asked to deposit .55 cents for an 8oz. cup of really poor java.

How to scam coffee from FILTER FRESH coffee vending machines.

updated 3/20/1997
Novell Netware 3.11 and lower / Netware 3.x Novell Netware 3.11 and lower / Netware 3.x Under Netware 3.11 and lower, users may create trojan horses by creating personal login scripts for users who do not already have one. Under all 3.x versions users may create or modify their own login scripts. tan@l0pht.com
Scenario: Users without a personal login script are vunerable to a trojan horse type attack. Any user logged into the server can create a personal login script for any user that does not already have one. A user may also create their own personal login script, circumventing any access control implemented through EXITing to menu systems or issuing commands from the personal login script. Under these senarios, one user may use another to launch an elevated privelidges attack. Alternately, a user may EXIT from the login script, circumventing any menu systems typically used to restrict access at the presentation level. The vunerability has been tested under Netware 3.x, is believed to exist in Netware 2.x (but is un-tested). Netware 4.x is planned to undergo examination.

Advisory Details

12/12/96 Domino 1.5 Sites running Domino 1.5 Users can edit or delete documents. Users can create documents under another users identity weld@l0pht.com
Lotus Domino is a web interface which allows users to access Lotus Notes databases via HTTP. Many Domino sites on the Internet have incorrect permissions granted to anonymous or registered users. Some Domino web sites have relied on the design of their web pages to keep users from accessing the commands to edit and delete documents. This can be bypassed by editing the URL for the Domino web site. Once an edit form is obtained, it is possible to enter data under the identity of another user. Server side scripting associated with that document will be executed.

Advisory Details

12/17/96 crontab FreeBSD, BSDI any local user can gain root priveledges mudge@l0pht.com
Due to a problem with the code in crontab, a buffer overflow exists that allows a user to overwrite the information in a saved stack frame. When the function returns, the saved frame is popped off of the stack and user supplied code can be executed.

Full L0pht Advisory

12/9/96 Modstat Systems with the *BSD distribution of modstat sgid kmem Users can gain group kmem permissions and thus read DES keys, passwords, and in certain situations panic the machine (you know, the standard things you can do with group kmem perms). mudge@l0pht.com
Modstat is sgid kmem which is really handy to become if you feel like looking through /dev/mem and /dev/kmem (gee, wonder what you might want to do that for ). Like just about everything else under the sun it has a buffer overflow problem. The problem exists in the dostat() routine where an arbitrary sized string is shoved into sbuf.name through a strcpy().

Advisory Details (source code)

The next day FreeBSD released a patch.

11/22/96 Kerb4 Sites running Kerb4 remote users can dictionary crack kerberos user accounts without needing to know the username or kerberos realm name mudge@l0pht.com
It has long been known that Kerberos 4 Ticket Granting Tickets are susceptible to dictionary attacks as they contain a constant string that can be used for compares (the string happens to be "krbtgt"). Thus it h as always been possible to; querry a Kerberos server, hand in a valid principle (user and kerberos realm), recieve a Ticket Granting Ticket, decrypt the DES ticket using dictionary words for the key, if the phrase "krbtgt" exists in the decrypted packet you have the correct key. This exact attack has been going on for some time in certain circles. In particular it seems to work quite well on dialup servers using kerberos for password authentication.

Advisory Details

Here is the complete toolkit used to expose the vulnerability in non-patched kerberos 4 servers.

A fix for CNS 96q1 from Mark Eichin .

9/96 Sendmail 8.7.5 All Any local user can gain root privileges mudge@l0pht.com
Due to a problem with the code in sendmail a buffer overflow condition exists that allows a user to overwrite the information in a saved stack frame. When the function returns, the saved frame is popped off of the stack and user code can be executed.

An exploit script will be made public upon the actual release of Sendmail 8.8 which fixes this particular exploitable code segment.

Full L0pht Advisory
CERT issued it's own advisory in response.

Mudge has written a paper entitled, Compromised - Buffer - Overflows, from Intel to SPARC Version 8, that discusses the problems of buffer overflows. There is a postscript version available as well as the Acrobat version.

If you want to learn more about the technical details of buffer overflows read this buffer overflow tutorial.

5/96 s/key All s/key can be cracked mudge@l0pht.com
MONKEY - the s/key cracker

MONKEY is a program that works similarly in nature to Alec Muffet's CRACK. In essence it takes the md4 value in either HEX or English words and compares it to a dictionary. Once the secret password is known, one time password schemes based off of it are useless as the appropriate response can be generated based upon the current challenge.

Full L0pht Advisory

4/96 test-cgi All Anyone can remotely inventory the files on a machine mudge@l0pht.com
On many web sites there exists a file called test-cgi (usually in the cgi-bin directory or somewhere similar). There is a problem with many of these test-cgi files.

Full L0pht Advisory

Copyright © 1995,1996 LHI, All Rights Reserved