Vulnerability Development mailing list archives

Re: XP Screen Saver password uses Old password until logout or New one is used.


From: hellNbak <hellnbak () nmrc org>
Date: Tue, 30 Apr 2002 15:22:11 -0400 (EDT)

Of course this isn't a feature.  I would be interested if anyone else
could replicate it as well.  I just tested it on Windows XP Pro latest
patches and COULD NOT replicate it.

I would assume though, that this would have something to do with the
caching of the logon credentials.  The machines I tested this on are not
authenticating to a domain or AD so no caching should take place (I
think).

As far as being a vulnerability, the scenario John described would not be
exploitable as the old password probably is not being cached. In reality,
to exploit this, you have to already know the user's previous password and
have a desire to log on to his workstation and hope that the old password
is being cached.



On Tue, 30 Apr 2002, John Thornton wrote:

Date: Tue, 30 Apr 2002 13:07:14 -0700
From: John Thornton <news () hackersdigest com>
To: "Ghazi H. Al Wadi [NGHA-CTC]" <wadig () ngha med sa>,
     vuln-dev () securityfocus com
Subject: Re: XP Screen Saver password uses Old password until logout or
    New one is used.

There is no way this can be a feature. Take the following example. A
computer retail store such as Staples uses password-protected screen savers
to secure all of their computers. If they fired a disgruntled employee and
changed all of the passwords he can still come back (or have someone come
back for him) and do whatever he likes. Most retail stores do not shut the
display computers off at night because it just adds more to the list of
things to do, so therefore the old password will always work.

Not having access to an XP box I am curious to know if you change the
password three times would the two old passwords work?

-John Thornton
Editor in Chief
Hacker's Digest Magazine
http://www.hackersdigest.com


----- Original Message -----
From: Ghazi H. Al Wadi [NGHA-CTC]
To: vuln-dev () securityfocus com
Sent: Monday, April 29, 2002 11:32 PM
Subject: XP Screen Saver password uses Old password until logout or New one
is used.


Hi,
Today I have, as usual, changed my PC logon password (XP Home Edition). When
the screen saver started, I dismissed it and by force of habit, I typed the
old password. To my surprise I was able to unlock the screen saver using the
old password.
I was able to do that several times. However, once I log out or use the new
password I am unable to use the old password and have to use the new one.

The question is: is this a feature? And from a security point of view,
wouldn't that be a vulnerability? If not, is it documented anywhere? And
last, was this issue addressed before?

Kindest regards
Ghazi Al Wadi


-- 
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

"I don't intend to offend, I offend with my intent"

hellNbak () nmrc org
http://www.nmrc.org/~hellnbak

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

