Bugtraq mailing list archives
Re: Windows 7/8 admin account installation password stored in the clear in LSA Secrets
From: Marco Ivaldi <raptor () mediaservice net>
Date: Fri, 12 Jul 2013 11:35:11 +0200 (ora legale Europa occidentale)
Hi,

I've often found this behaviour during security assessments for corporate Clients.

It should indeed be considered a vulnerability, especially in enterprise scenarios where for instance it can be leveraged by a regular notebook user to escalate privileges and be able to access all other corporate users' notebooks (including their bosses';).
Cheers,
MI

On Thu, 11 Jul 2013, Dnegel X. wrote:

> 1. I didn't find an explanation about this behavior that deals with installation password, although this LSA Secret is well known to contain passwords, mainly from Windows XP era. Could you provide a link? It also hasn't been fixed in Windows 8 released this year.
>
> 2. You could e.g. retrieve a password from one vulnerable machine (where physical access or admin shell is possible) and use it against more secure ones sharing same admin password, typically when a Windows image is replicated over a network to multiple machines.
>
> Anyhow, having a cleartext password residue somewhere without documentation looks like a sad bug to me.
>
> Xavier
>
> On Thu, Jul 11, 2013 at 7:35 PM, Rob <synja () synfulvisions com> wrote:
>
>> Two things:
>>
>> 1. This was made public sometime in 2012 or earlier IIRC.
>>
>> 2. Exploiting this requires the same permission levels that would be required to change or access the password anyway.
>>
>> Where's the realistic security threat?
>>
>> Rob
--
------------------------------------------------------------------
Marco Ivaldi
OPSA, OPST, OWSE, QSA, ASV
Senior Security Advisor
@ Mediaservice.net Srl
Tel: +39-011-32.72.100
Via Santorelli, 15
Fax: +39-011-32.46.497
10095 Grugliasco (TO) - ITALY
http://www.mediaservice.net/
------------------------------------------------------------------
PGP Key - https://keys.mediaservice.net/m_ivaldi.asc