Full Disclosure mailing list archives

Windows XP Home LSA secrets stores XP login passphrase in plain text


From: Markus Jansson <seemyhomepage () katsokotisivuilta ni>
Date: Fri, 05 May 2006 18:25:25 +0300

This again proves the reason to do some hacking of your own system; things like these would otherwise go unnoticed...

OK, I set up Windows XP Home, did the regular securing up (as much as you can do with the Home edition), like for example setting that users must use passwords and usernames to sign in, use Control+Alt+Delete to sign in, disabled automatic login to Windows etc. etc. Rebooted, changed my account X passphrase, then rebooted again. Then I signed in to another admin-level account (account Y), ran Cain & Abel and used it to dump LSA secrets...wellwellwell...Windows stores my account X Windows XP login passphrase in plaintext in the DefaultPassword field!

My Windows XP should NOT store any Windows passphrases in clear text on the hdd, but only store the passphrase hash (LM/NTLM/NTLMv2/NT)...UNLESS specific settings are set (allowing automatic login to Windows). But it does. Other people have also verified that Windows sometimes does this, even if specifically set not to save it.

I understand that LSA Secrets might / should store user X's password in memory for the time user X is signed in, so it can be used to authenticate the user to maybe third-party sites, network drives, etc. But when user X is logged out of the system, user Y cannot/should not see user X's Windows XP password since it is NOT loaded into memory (and from where could it be loaded into memory if the user has not entered it yet, because user X hasn't signed in during this session yet?!?). So, in this case, it seems that Windows IS storing the user's passphrase somewhere in plaintext, which it should not do.

Now, let me clear a few things up, ok:
- I'm not talking about bruteforcing LM/NTLM/NTLMv2/NT hashes.
- I'm not talking about using rainbow tables to fetch the password.
- I'm not saving anything under Outlook Express, MSN, saved passwords or anything else on the whole XP Home computer (so that, if I used the same passphrase on them too, C&A could somehow recover that).
- Yes, it's true that in order to do this, you must have the SeDebug privilege set for the user, and admins can always reset any user's passphrase (and anyone with physical access to the computer can always get admin permissions using 3rd-party tools).
- HOWEVER, if you can actually GET the user's password (the one he is currently using) the way I'm talking about now, you can do a lot of harm with that. You can, for example, decrypt all EFS-encrypted files in normal situations (since the user's EFS private key is encrypted using the user's passphrase). You can, for example, try that same password in all kinds of places where that user is logging in (since chances are he's using the same password or variations of it elsewhere).
- Yes, if/when a villain can get admin permissions or physical access to the computer, the game is lost in the sense that it can be loaded with all kinds of hardware and software keyloggers and insecure settings, so that the next time users sign in to the computer, their passwords etc. can be recorded and abused by the villain. However, notice the words "next time users sign in"! If someone steals the computer, that doesn't happen. If someone leaves hints that the system is tampered with, that doesn't happen. BUT, in the scenario I have told you about, all you need is to GET access to the computer and the game is over; you don't have to wait for users to sign in to the computer next time! This is a very important issue when thinking about this bug vs. regular keylogging/insecuring the system.
- Nobody, including admins, should be able to see plaintext passwords, and Windows should NOT store them on the computer unless specially ordered to because of some "weird" configuration or usability thing.

Now, the funny thing is that if I changed my password via Control Panel - User Accounts, the new password would always be recorded in the LSA Secrets and recovered by C&A. However, if I used "control userpasswords2" to SET my password, the new password would NOT be recorded in LSA Secrets and C&A could not recover it from there.

A similar bug has been discussed here earlier, but with no solution or idea about why it's there:
http://www.derkeiler.com/Newsgroups/microsoft.public.security/2005-05/0765.html

Ongoing discussion about the subject in:
http://www.dslreports.com/forum/remark,16012871



--
My computer security & privacy related homepage
http://www.markusjansson.net
Use HushTools or GnuPG/PGP to encrypt any email
before sending it to me to protect our privacy.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
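The post above describes a host on which the login password ended up on disk in the LSA secret named DefaultPassword, even though autologon was supposedly disabled. The following PowerShell audit script is an added example, not from the original post or from any tool it mentions; it checks the two places autologon credentials are known to be stored (the Winlogon registry values and the LSA secret "DefaultPassword") and optionally clears the Winlogon values. It assumes it is run elevated; reading HKLM\SECURITY requires running as SYSTEM (for instance via Sysinternals `psexec -s -i powershell.exe`), otherwise that part of the check reports access denied rather than a result. The function name `Test-AutologonExposure` and the `-Remediate` switch are this example's own.

```powershell
# Added audit script (not from the original post): reports whether a Windows
# host has autologon credentials stored on disk, in either the Winlogon
# registry values or the LSA secret "DefaultPassword" the post describes.
# Assumes: elevated shell; SYSTEM context for the HKLM\SECURITY part.
function Test-AutologonExposure {
    [CmdletBinding()]
    param(
        # When set, removes the plaintext Winlogon values and turns autologon off.
        [switch]$Remediate
    )

    $winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $findings = @()

    # 1. Classic autologon location: REG_SZ values under the Winlogon key.
    $wl = Get-ItemProperty -Path $winlogon -ErrorAction Stop
    if ($wl.AutoAdminLogon -eq '1') {
        $findings += "AutoAdminLogon is enabled for '$($wl.DefaultUserName)'"
    }
    if ($null -ne $wl.PSObject.Properties['DefaultPassword']) {
        $findings += 'Winlogon\DefaultPassword value present (plaintext password on disk)'
        if ($Remediate) {
            Remove-ItemProperty -Path $winlogon -Name DefaultPassword
            Set-ItemProperty -Path $winlogon -Name AutoAdminLogon -Value '0'
            $findings += 'Remediated: Winlogon\DefaultPassword removed, AutoAdminLogon set to 0'
        }
    }

    # 2. LSA secrets live under HKLM\SECURITY\Policy\Secrets\<name>; the key is
    #    readable only by SYSTEM, so an access-denied error is reported as such.
    try {
        $secrets = Get-ChildItem -Path 'HKLM:\SECURITY\Policy\Secrets' -ErrorAction Stop
        if ($secrets.PSChildName -contains 'DefaultPassword') {
            # The secret itself is not read or decrypted here; its presence is the finding.
            $findings += 'LSA secret "DefaultPassword" exists; clear it with the Sysinternals Autologon tool (Disable) and re-check'
        }
    } catch {
        $findings += "Could not enumerate HKLM\SECURITY\Policy\Secrets (run as SYSTEM): $($_.Exception.Message)"
    }

    [pscustomobject]@{
        Computer = $env:COMPUTERNAME
        Exposed  = ($findings.Count -gt 0)
        Findings = $findings
    }
}

# Usage: run elevated (as SYSTEM for the LSA-secret check).
Test-AutologonExposure | Format-List
```

Run it read-only first and review the findings; pass `-Remediate` only after confirming the host is not meant to autologon (kiosk or lab machines sometimes are). The script deliberately does not extract the secret's value: for a defender, knowing that a DefaultPassword secret exists is enough to trigger clearing it and rotating the affected account's password, which also addresses the EFS exposure the post points out.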

