Vulnerability Development mailing list archives
[Fwd: FW: XP Screen Saver password uses Old password until logout or New one is used.]
From: Andy Wood <snortin_yer_packets () cox net>
Date: 30 Apr 2002 21:41:00 -0400
Passwords aren't cached, it is the Access Tokens that are cached. If you change permissions on a folder, from RO to RW for example, the folder will not be RW until the user logs off then on. This is important to remember when reducing the privs: if the user is logged on when a permission change is made, they will retain their old rights until logging off... i.e. they could still delete data after you set the privs from RW to RO. Don't be confused though, this is only a MS feature. It is listed to "improve performance". I, however, am confused, as UNIX so far outperforms MS yet is not plagued with the whole needing to log off thing. I guess we should just be thankful... at least Windows doesn't require a reboot.

-----Original Message-----
From: Muhammad Faisal Rauf Danka [mailto:mfrd () attitudex com]
Sent: Tuesday, April 30, 2002 4:18 PM
To: Ghazi H. Al Wadi [NGHA-CTC]; vuln-dev () securityfocus com
Cc: adnan () gem net pk; qazia () gem net pk; root () hack net pk
Subject: Re: XP Screen Saver password uses Old password until logout or New one is used.

Isn't that the case with all win* since long time? Well, the password is cached, that's why it verifies from cache, where it should verify it from the actual password location. Lack of routine addition in all screensavers I guess. Remember flushing cached Passwords in win*, HEH! =)

P.S. It's not a feature, until it's discovered by Microsoft.

Regards,
---------
Muhammad Faisal Rauf Danka

Chief Technology Officer
Gem Internet Services (Pvt) Ltd.
web: www.gem.net.pk
voice: 92-021-111-GEMNET

Chief Security Analyst
Applied Technology Research Center (ATRC)
web: www.atrc.net.pk
voice: 92-021-4548323, 92-021-4546077

"Great is the Art of beginning, but Greater is the Art of ending."

------BEGIN GEEK CODE BLOCK----
Version: 3.1
GCS/CM/P/TW d- s: !a C++ B@ L$ S$ U+++ P+ L+++ E--- W+ N+ o+ K- w-- O- PS PE- Y- PGP+ t+ X R tv+ b++ DI+ D G e++ h! r+ y+
------END GEEK CODE BLOCK------

--- "Ghazi H. Al Wadi [NGHA-CTC]" <wadig () ngha med sa> wrote:

Hi,

Today I have, as usual, changed my PC logon password (XP Home Edition). When the screen saver started, I dismissed it and, by force of habit, I typed the old password. To my surprise, I was able to unlock the screen saver using the old password. I was able to do that several times. However, once I log out or use the new password, I am unable to use the old password and have to use the new one.

The question is: is this a feature? And from a security point of view, wouldn't that be a vulnerability? If not, is it documented anywhere? And last, was this issue addressed before?

Kindest regards
Ghazi Al Wadi