Bugtraq mailing list archives

Re: How the MS Critical Update Notification works...


From: DReed () AWD COM (Reed, David)
Date: Fri, 29 Jan 1999 10:21:51 -0600


fellow 'noids,

background:

since all of the major security flaws in windows nt 4.0 have been discovered
(who am i kidding? ;-), i'd like to point out a minor one... by way of a
question: "should a secured workstation's 'unlock workstation' dialog be
permitted to interact with the desktop?"

apparently the windows nt logon dialog, including the "unlock workstation"
dialog, contains two ole container/object fields --> the username field and
the password field.  both fields will respond to the standard CTRL+X,
CTRL+C, CTRL+V shortcut keys... at the console and via remote control (i
tested sms with key-pass-thru on, but i'm assuming timbuk and others work as
well).

anyone can lock an NT4sp4 computer and otherwise believe it to be reasonably
secure, and some users even set their screensavers to password protected
(wow!), with the assumption that it is completely secure; however, at least
part of nearly ANY clipboard contents is potentially available to someone
with physical access to the box...

i'm not sure why the logon dialog would need to be an ole
server/recipient/whatever-programmers-call-it-these-days and interact with
the desktop... but i'll go so far as to say IT SHOULDN'T!  i haven't tried
to flood its buffer, yet, however it's held as much as this entire message
(sans CRLFs) without flinching.  i wonder what happens if a meg or two of
data, nah...  see "worst case" below.

while not a huge security hole (physical security is almost everything!), it
is "worrisome".  my initial testing shows that most types of ole objects
(obviously) aren't available, so the nudie pics the boss was cut-n-pasting
won't show up this way, but text or objects immediately convertible to text
are (rtf, html, etc), such as sensitive passwords, review details, salary
data, etc --> up to the first carriage return.


'sploit:

1. at any locked nt4 console (or via remote control) give the three fingered
salute
2. either shift+tab to highlight the username or use the mouse
3. ctrl+v to paste the contents of the clipboard over the username

this makes the contents of the clipboard visible, up to the first CRLF.


worst case:

you have your password, or the administrator's, on the clipboard for some
stupid reason and a wily cracker pastes it into the password field and gains
access to your desktop...  (i tried this, it actually works.)


keep your clipboards clean...

# David Reed   (dreed () awd com)
# 713.787.1651 (officex)
# 800.705.3861 (a-pager)

-----BEGIN GEEK CODE BLOCK-----
Version: 3.1

GIT$/GG/GSS d?(++) s-:+ a?(--) C++++$ W+++$ w++++$ UL+>+++$ P>++$ L+>+++$
E--- N+(++) O? !M !V PS---(----) PE+++ Y++ PGP++ t---(+) 5++(+++) X++++ R+++
tv-- b++++ DI++++ D(+) G e+++ h---(*) r+++ y++++ K? o?

------END GEEK CODE BLOCK------
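The post's own advice is "keep your clipboards clean". One way to enforce that rather than rely on habit is to empty the clipboard the moment the session locks, so the unlock dialog has nothing to paste. The script below is an added defensive example, not code from the original post or from Microsoft; it assumes Windows PowerShell 5.1 or PowerShell 7 on Windows, an STA console host (the default for the console), and the System.Windows.Forms assembly, and subscribes to the static SystemEvents.SessionSwitch event via Register-ObjectEvent. The source identifier 'ClipboardWipeOnLock' is a constructed name.

```powershell
# Added example (not from the original post): wipe the clipboard whenever
# the interactive session locks, so nothing is left behind for the
# unlock-workstation dialog to paste.
# Assumptions: Windows, PowerShell 5.1/7, STA host, System.Windows.Forms present.
Add-Type -AssemblyName System.Windows.Forms

$action = {
    # SessionSwitch fires for lock, unlock, logon, logoff, remote connect, etc.;
    # only the SessionLock reason is relevant here.
    if ($EventArgs.Reason -eq [Microsoft.Win32.SessionSwitchReason]::SessionLock) {
        try {
            # Clipboard.Clear() empties every format, not just text, so RTF/HTML
            # objects that convert to text (as the post describes) go too.
            [System.Windows.Forms.Clipboard]::Clear()
            Write-Host "$(Get-Date -Format s) clipboard cleared on session lock"
        } catch {
            # Typically a ThreadStateException if the host is not STA.
            Write-Warning "clipboard clear failed: $($_.Exception.Message)"
        }
    }
}

# SystemEvents is a static class; passing the type object as -InputObject
# subscribes to its static SessionSwitch event.
$subscription = Register-ObjectEvent -InputObject ([Microsoft.Win32.SystemEvents]) `
    -EventName SessionSwitch -SourceIdentifier 'ClipboardWipeOnLock' -Action $action

try {
    # Keep the script alive; queued event actions run while the engine idles here.
    while ($true) { Wait-Event -Timeout 5 | Out-Null }
} finally {
    Unregister-Event -SourceIdentifier 'ClipboardWipeOnLock'
}
```

Run it as the logged-on user (for example from a logon script or a per-user scheduled task) since the clipboard belongs to that user's session. It does not change the dialog's behaviour described above; it only removes the data the dialog could expose, which is the part an administrator can actually control.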
