FW: Your message to NTBUGTRAQ


  • To: NTBUGTRAQLISTSERV.NTBUGTRAQ.COM
  • Subject: FW: Your message to NTBUGTRAQ
  • From: Russ <Russ.CooperRC.ON.CA>
  • Date: Thu, 19 Mar 1998 09:13:44 -0500
  • Reply-To: Russ <Russ.CooperRC.ON.CA>
  • Sender: Windows NT BugTraq Mailing List <NTBUGTRAQLISTSERV.NTBUGTRAQ.COM>

Forwarded from mdolphinpobox.com, Martin Dolphin, please direct any
responses to him, and/or the list, not me.

-----Original Message-----
From: martin Dolphin [mailto:mdolphinpobox.com]
Sent: Thursday, March 19, 1998 5:12 AM
To: Russ
Subject: RE: Your message to NTBUGTRAQ


THE PROBLEM:
Windows NT allows users to save their RAS credentials by using the 'Save
Password' checkbox when making a dial-up connection.  Enumeration of these
credentials was noted by Paul Aston, in his submission to NTBugtraq on
August 9th, 1997.  Credentials saved in this manner are stored in the
HKEY_LOCAL_MACHINE\SECURITY\Policy\Secrets\RasCredentials!SID#0 registry
key and can be decrypted using the LSA secrets code, if the user has
ADMINISTRATOR privilege.  If a user does not check the 'save password'
checkbox to prevent the password from being stored, RAS will still save the
successful connection information including the password in the
HKEY_LOCAL_MACHINE\SECURITY\Policy\Secrets\RasDialParams!SID#0 registry key
entry which can also be decrypted using the LSA secrets code, if the user
has ADMINISTRATOR privileges.

OUR REASONING FOR THIS BEHAVIOR:
We think that this behavior only happens since Windows NT can
re-authenticate when the server or line conditions drop a dial-up line.
Windows NT needs to maintain the RAS credentials for re-authenticating and
should maintain them in temporary protected memory.  We believe that
Windows NT uses this key to maintain the RAS credentials, and does not
delete them after the dial-up session is terminated, as Windows NT will
ask for the user's credentials when the next session is started.  If you
tell Windows NT to not save your password it should not store the password
after the dial-up session is finished, even if the password is stored in a
protected area of the registry.

IMPACT:
The following scenarios are some potential areas where we think this
behavior could give access to username and password information that
couldn't be gained from the NT SAM.
1) Users with ISP connections that have a password not matching their
Windows NT passwords; as this password is different it would not normally
be stored in the NT SAM.
2) Users may have RAS/PPTP access to domains other than the domain that the
user is a member of, also not stored in the SAM.
3) If an Administrator attempting to troubleshoot or set up a user's
workstation needs to dial in from the workstation and doesn't click 'save
password' then he/she should be able to assume that his password will not
be saved on that user's workstation.
4) Windows NT 'public access' machines, such as the machines available at
training classes, airports, etc.

If the user can get local administrator access to the machines in any of
these scenarios, they may be able to get a domain administrator username
and password.  If a user is able to obtain another user's credentials they
could use this

REPRODUCTION:
Reproduced on three Windows NT 4.0 workstations, and one Windows NT 4.0
Server.  Log on as a user, identify the SID of the user using getsid or any
other means.  Use the LSA secrets code to dump the RasDialParams and
RasCredentials for the user.  Create a new dial-up networking connection
and DO NOT save the password; after successfully connecting to the remote
end re-dump the RasDialParams and RasCredentials entries.  The new
successful connection will be saved in the RasDialParams value although you
did not check the 'save password' box.

Microsoft was notified of this a week ago.

Lisa O'Connor
Martin Dolphin
Joe Greene
Eric Schultze
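An audit script added here as an example; it is not part of the forwarded post and is not from Microsoft or the authors above. It lists which accounts have RasDialParams/RasCredentials secrets cached under the key named in the report, without decrypting anything. It assumes it runs as SYSTEM (HKLM\SECURITY is not readable by ordinary administrators) and that the secret names still follow the NT 4 form RasDialParams!<SID>#<n> and RasCredentials!<SID>#<n>; the regular expression and account resolution are the example's own.

```powershell
# Audit: which accounts on this machine have RAS passwords cached as LSA secrets?
# Run as SYSTEM (e.g. from a service or scheduled task). Names only, no decryption.
$secretsPath = 'HKLM:\SECURITY\Policy\Secrets'
# Secret-name form taken from the report above; the regex itself is an assumption.
$pattern = '^(?<kind>RasDialParams|RasCredentials)!(?<sid>S-1-5-[0-9-]+)#(?<idx>\d+)$'

try {
    $key = Get-Item -LiteralPath $secretsPath -ErrorAction Stop
} catch {
    Write-Error "Cannot open $secretsPath. This must run as SYSTEM, not merely as an administrator."
    exit 1
}

$findings = foreach ($name in $key.GetSubKeyNames()) {
    # -notmatch still fills $Matches when the name does match the pattern
    if ($name -notmatch $pattern) { continue }
    $sid = $Matches['sid']
    try {
        $account = ([System.Security.Principal.SecurityIdentifier]$sid).Translate(
            [System.Security.Principal.NTAccount]).Value
    } catch {
        # Deleted account, or a domain SID this machine can no longer resolve
        $account = '<unresolved>'
    }
    [pscustomobject]@{
        Secret  = $name
        Kind    = $Matches['kind']
        SID     = $sid
        Account = $account
    }
}

if (-not $findings) {
    "No RAS credential secrets found under $secretsPath"
} else {
    # A RasDialParams entry means a dial-up password was cached for that account
    # even if 'Save Password' was left unchecked, which is the behaviour reported above.
    $findings | Sort-Object Kind, Account | Format-Table -AutoSize
}
```

Running it before and after the dial-up connection described under REPRODUCTION shows the RasDialParams entry appearing for the logged-on user's SID, which is the observation the report is based on.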