Bugtraq mailing list archives
Re: SAS behavior in Windows NT - RE: Windows 2000 Run As... Feature
From: jjohanss () BU EDU (Jesper M. Johansson)
Date: Wed, 26 Jan 2000 13:07:50 -0500
> Compare the following quotes
> "you can provide custom code that participates in the logon process AND that controls the user interface for Logging on" - Paula Tomlinson WDJ

That in and of itself is not new, and I don't read this as her saying that the key sequence is trappable. All she is saying is that you can write a custom GINA. Novell has been doing that for a long time to provide a single logon to an NT Workstation and a Novell Server. ZEN Works can even create the NT user account on the fly and delete it when the user logs off. So, this is not really earth-shattering.

> "(In order to prevent password capture) "This key sequence cannot be duplicated by an application programs" NT Security Handbook by Hadfield

The key sequence itself does not protect against password capture by a trojan. It simply ensures that whatever is registered as the GINA is launched. The problem is that I can write a trojan that presents the logon dialog box without the key sequence. I can run that trojan under my own account. Joe DumbUser now shows up, sees the logon box and types in his username and password WITHOUT first doing the three-finger salute. My trojan writes his info to disk, puts up a dialog that says, password incorrect and asks him to press OK. He does that, and the trojan now logs him off and presents the real GINA. I have actually seen an entire lab with this kind of trojan on it. Now, can the three-finger salute key sequence be trapped? I'm not sure. However, if I can write my own GINA, which is not very hard, and replace the system one, it becomes a moot point.

> there is no documentation which widely advises not surfing the web under the Administrator account (I know that NO one here does that anyway:) ) in order to prevent an overflow in your browser (an app running with sufficient privs) to do the damage.

If you are looking at specifically surfing the web, I don't know of one either. But the ones worth anything advise against running routinely as an Admin. Sutton does in the NSA guide, on page 22. The SANS Step-by-Step guide does too (step 0.1). I think I even saw something coming out of Redmond saying that, although I believe it was just an e-mail from Paul Leach.

Jesper M. Johansson