Full Disclosure mailing list archives
Re: Windows XP Home LSA secrets stores XP login passphrase in plain text
From: "John Doe" <goan.rootu () gmail com>
Date: Sat, 6 May 2006 09:57:08 +0300
> You obviously didn't bother to read these parts of my message:
>
> - "You can, for example, decrypt all EFS encrypted files"
> - "You can, for example, try that same password in all kinds of places where that user is logging in (since chances are he's using the same password or variations of it elsewhere)."
>
> You can NOT do these if you just get physical access to the computer (without this bug), since EFS remains secure and your password unknown to attacker.
>
> Especially focus on the following I said:
>
> - "..The next time users sign in to the computer, their passwords etc. can be recorded and abused by villain. However, notice the words "next time users sign in"! If someone steals the computer, that doesn't happen. If someone leaves hints that system is tampered, that doesn't happen."

I did read it. And I'm not belittling the fact that storing cleartext passwords is bad. As for EFS, once you get hold of the administrator account, you can decrypt the EFS for _all_ users on the computer. It doesn't matter how you acquired the password. And for using the same password in "all kinds of places": how does this differ from just cracking someone's password from a web portal and using that in "all kinds of places"?

> If someone leaves hints that system is tampered, that doesn't happen.

And how will he verify the filesystem isn't tampered with? I don't think most people would immediately wipe out the disk without logging in and trying to see if anything has happened. Or try to use a forensics CD or the like. And if they would wipe it, they'd probably choose the same passwords again :)

But yes, I do agree with you that what you uncovered is an issue, since passwords shouldn't be stored as cleartext ever. I was just stating that requiring local, physical access to the computer makes it almost unusable. Sure, there are situations where it could be used, I'm not denying that, but with the kind of stuff that's moving on the net at the moment, this issue isn't on my critical list. Have you reported the details to M$?
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/