Re: NT Screen Saver Password Protect Bug


  • To: NTBUGTRAQLISTSERV.NTBUGTRAQ.COM
  • Subject: Re: NT Screen Saver Password Protect Bug
  • From: Andrew Baker <BakerASUltraTech-llc.com>
  • Date: Wed, 25 Mar 1998 01:13:13 -0500
  • In-Reply-To: <199803250439.UAA15149mail1.netlimited.net>
  • Reply-To: BakerASUltraTech-llc.com
  • Sender: Windows NT BugTraq Mailing List <NTBUGTRAQLISTSERV.NTBUGTRAQ.COM>

It seems to me that the problem could potentially be alleviated by having
the screen saver file opened exclusively with write privileges (or some
other solution which prevents the .scr file in use from being renamed).

If I log on to the workstation of any user, no matter how privileged they
are, they should not be allowed to become *me*, particularly without my
being aware of it.


==========================================
 Andrew S. Baker, Network Administrator
 CastleNet LLC (http://www.thebeast.com)

 Work: mailto:ABakerthebeast.com
 Home: mailto:BakerASUltraTech-llc.com
==========================================

Please use these excellent Win32 resources:
- http://www.savilltech.com
- http://www.ntinternals.com
- http://www.softseek.com
- http://www.winfiles.com
- http://www.bhs.com

"The ultimate key to succeeding at anything is to start doing something."


-----Original Message-----
From: Windows NT BugTraq Mailing List
[mailto:NTBUGTRAQLISTSERV.NTBUGTRAQ.COM]On Behalf Of Paul Leach
Sent: Tuesday, March 24, 1998 9:28 PM
To: NTBUGTRAQLISTSERV.NTBUGTRAQ.COM
Subject: Re: NT Screen Saver Password Protect Bug


> ----------
> From:         Russ[SMTP:Russ.CooperRC.ON.CA]
> Reply To:     Russ
> Sent:         Tuesday, March 24, 1998 6:35 AM
> To:   NTBUGTRAQLISTSERV.NTBUGTRAQ.COM
> Subject:      Re: NT Screen Saver Password Protect Bug
>
> There have been a number of messages submitted pointing out that to
> properly lock your workstation/server when away from it, you should use
> "Lock Workstation", and not a screen saver (of any kind from any
> company).
>
> This is the best advice, but Christopher's message about how easily the
> password mechanism in screen savers can be by-passed should not be
> discounted, and instead ear-marked as yet another data point on the list
> of securing an NT box. If screen savers with password features are going
> to be shipped with NT, then they should fail securely, rather than fail
> wide open, IMO. This was, I believe, Christopher's point.
>
And just how do they fail "securely"? Not let anyone in (require a hard
reboot)? Only let in local admins? (Get the joke?)

> As to whether or not this is yet another example of what an Admin can
> do, Christopher provides one example how someone not authorized to go
> through the screen saver password screen, can, and thereby become logged
> on as a higher privileged user. This is by no means the only way, but it
> is, again, another way.
>
The supposedly unauthorized person in Christopher's example was an admin of
the workstation being attacked.

The mistake was the Domain admin thinking that the machine was safe to use
AT ALL. The local admin could have installed a GINA (or a trojan
screensaver) to steal his password, for crying out loud.

There is no fix for this. We can't even write code to warn the Domain admin
they're logging on to an insecure machine -- the rogue local admin would
disable or replace it.

Paul

===================================================
 "Preparation is so much better than hindsight..."
===================================================
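
The mitigation suggested in the reply at the top of this message (keep the in-use .scr file open so that it cannot be renamed) can be tried on a scratch file. This is an added example, not part of the original messages; the temporary path and the Test-Rename helper are hypothetical, and it assumes Windows, where a handle opened without sharing blocks a rename of the file.

```powershell
# Constructed stand-in for the active screen saver; not a real system file.
$dir = Join-Path ([System.IO.Path]::GetTempPath()) ("scrdemo_" + [guid]::NewGuid().ToString('N'))
New-Item -ItemType Directory -Path $dir | Out-Null
$scr = Join-Path $dir 'active.scr'
Set-Content -Path $scr -Value 'placeholder'

# Hypothetical helper: try a rename and report whether it succeeded.
function Test-Rename {
    param([string]$Path, [string]$NewName)
    try {
        Rename-Item -LiteralPath $Path -NewName $NewName -ErrorAction Stop
        return $true
    } catch {
        Write-Host "  rename refused: $($_.Exception.Message)"
        return $false
    }
}

# Hold the file open with FileShare.None, i.e. no read, write or delete sharing.
# On Windows a rename needs delete access, so it is refused while the handle lives.
$handle = [System.IO.File]::Open($scr,
                                 [System.IO.FileMode]::Open,
                                 [System.IO.FileAccess]::Read,
                                 [System.IO.FileShare]::None)
try {
    Write-Host 'While the exclusive handle is held:'
    $whileHeld = Test-Rename -Path $scr -NewName 'active.bak'
} finally {
    # Release the lock even if the rename attempt throws unexpectedly.
    $handle.Dispose()
}

Write-Host 'After the handle is released:'
$afterRelease = Test-Rename -Path $scr -NewName 'active.bak'

[pscustomobject]@{
    RenamedWhileHeld    = $whileHeld
    RenamedAfterRelease = $afterRelease
} | Format-List

# Remove the scratch directory.
Remove-Item -LiteralPath $dir -Recurse -Force
```

The lock lasts only as long as the owning process holds the handle; it does not answer the objection in the quoted message that a local admin can disable or replace whatever holds it.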