Full Disclosure mailing list archives

Re: Windows XP Home LSA secrets stores XP login passphrase in plain text


From: "John Doe" <goan.rootu () gmail com>
Date: Sat, 6 May 2006 09:57:08 +0300

> You obviously didn't bother to read these parts of my message:
> - "You can, for example, decrypt all EFS encrypted files"
> - "You can, for example, try that same password in all kinds
> of places where that user is logging in (since chances are he's using
> the same password or variations of it elsewhere)."
> You can NOT do these if you just get physical access to the computer
> (without this bug), since EFS remains secure and your password unknown
> to attacker.
>
> Especially focus on the following I said:
> - "..The next time users sign in to the computer, their passwords etc.
> can be recorded and abused by villain. However, notice the words "next
> time users sign in"! If someone steals the computer, that doesn't happen.
> If someone leaves hints that system is tampered, that doesn't happen."

I did read it. And I'm not belittling the fact that storing cleartext
passwords is bad. As for EFS, once you get hold of the administrator
account, you can decrypt the EFS for _all_ users on the computer. It doesn't
matter how you acquired the password.
And for using the same password in "all kinds of places". How does this
differ from just cracking someone's password from a web portal and using
that in "all kinds of places"?


> If someone leaves hints that system is tampered, that doesn't happen.

And how will he verify the filesystem isn't tampered with? I don't think
most people would immediately wipe out the disk without logging in and
trying to see if anything has happened. Or try to use a forensics CD or the
like. And if they would wipe it, they'd probably choose the same passwords
again :)

But yes, I do agree with you that what you uncovered is an issue, since
passwords shouldn't be stored as cleartext ever. I was just stating that
requiring local, physical access to the computer makes it almost unusable.
Sure, there are situations where it could be used, I'm not denying that, but
with the kind of stuff that's moving on the net at the moment, this issue
isn't on my critical list.

Have you reported the details to M$?
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
