Re: NT Screen Saver Password Protect Bug
- To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
- Subject: Re: NT Screen Saver Password Protect Bug
- From: Paul Leach <paulle@MICROSOFT.COM>
- Date: Fri, 27 Mar 1998 11:49:14 -0800
- Comments: To: Stewart Berman <Stewart.Berman@BANKERSTRUST.COM>
- Reply-To: Paul Leach <paulle@MICROSOFT.COM>
- Sender: Windows NT BugTraq Mailing List <NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM>

The admin can always get the user's password without leaving a trace. He will change the GINA (that's the login code that you type your password into) to capture the user's password. Then there will be no trace - he will use the user's real password. We provide instructions and samples on how to write GINAs, including ones that do just a little work (like saving the password) and leave everything else to the standard GINA.

Paul

> ----------
> From: Stewart Berman[SMTP:Stewart.Berman@BANKERSTRUST.COM]
> Reply To: Stewart Berman
> Sent: Thursday, March 26, 1998 8:05 AM
> To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
> Subject: Re: NT Screen Saver Password Protect Bug
>
> There appears to be a problem here that is being overlooked. The ability of an
> admin to use someone else's identity without leaving any traces.
>
> Admins have always had the ability to reset a user's password and logon as
> that user. However, the user would always know that their password was
> changed. IOW, there was a trace left. In addition, the admin would not have
> passwords for sensitive applications.
>
> Breaking into a logged on user by renaming the screen saver allows an admin
> to assume the user's identity without leaving a trace -- assuming they renamed
> the screen saver back to its original name later.
>
> Furthermore, the ability to get into an active session increases the risk since
> the user could have sensitive applications (with their own security checks)
> running. It is not unusual for a user to rely on a screen saver to avoid
> having to close and re-open a half-dozen applications every time they leave
> their desk -- including, unfortunately, overnight.
>
> Stu
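
A defender's check for the GINA replacement described in the reply above, as an added example that is not part of the original message or any Microsoft sample: it parses a `.reg`-style export of the Winlogon key and flags a `GinaDLL` value that names anything other than the stock `msgina.dll`. The export text is constructed, and the names `audit_winlogon_export`, `parse_reg_values` and `passthru.dll` are hypothetical.

```python
import ntpath
import re

STOCK_GINA = "msgina.dll"  # standard GINA; loaded when no GinaDLL value exists

# Constructed sample: Winlogon key export (.reg text format) from a host where
# a replacement GINA has been registered. "passthru.dll" is a made-up name.
SAMPLE_EXPORT = r'''
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe"
"GinaDLL"="C:\\WINNT\\system32\\passthru.dll"
"Userinit"="userinit,nddeagnt.exe"
'''

VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<data>.*)"\s*$')


def parse_reg_values(text):
    """Return {lowercased value name: data} for string values in a .reg export."""
    values = {}
    for line in text.splitlines():
        m = VALUE_RE.match(line.strip())
        if m:
            # .reg files escape backslashes and quotes; undo that.
            data = m.group("data").replace("\\\\", "\\").replace('\\"', '"')
            values[m.group("name").lower()] = data
    return values


def audit_winlogon_export(text):
    """Return (status, gina) where status is 'stock' or 'replaced'."""
    gina = parse_reg_values(text).get("ginadll")
    if gina is None or not gina.strip():
        return ("stock", STOCK_GINA)  # no override registered
    # Compare on the file name only, case-insensitively, as Windows would.
    if ntpath.basename(gina.strip()).lower() == STOCK_GINA:
        return ("stock", gina)
    return ("replaced", gina)


if __name__ == "__main__":
    print(audit_winlogon_export(SAMPLE_EXPORT))
```

The check covers only the registered DLL name; a GINA swapped in place under the stock file name needs a file-integrity comparison against known-good media.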