[13559] in bugtraq
Re: Windows 2000 Run As... Feature
daemon@ATHENA.MIT.EDU (David LeBlanc)
Tue Jan 25 15:15:46 2000
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Message-Id: <3.0.3.32.20000125084215.044ec630@mail.mindspring.com>
Date: Tue, 25 Jan 2000 08:42:15 -0800
Reply-To: David LeBlanc <dleblanc@MINDSPRING.COM>
From: David LeBlanc <dleblanc@MINDSPRING.COM>
X-To: "jdglaser@ntobjectives.com" <jdglaser@ntobjectives.com>, BUGTRAQ@SECURITYFOCUS.COM
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <01BF6634.A7D8A970.jdglaser@ntobjectives.com>

At 06:31 AM 1/24/00 -0800, jdglaser wrote:
>That's a good point.
>I'd like to add that MS Secure Attention Sequence is not exactly so
>trusted.
>Nothing prevents another Gina from being put into play, nor prevents
>process code injection - DLL API hooking.
>One way to do this can be done by altering the reg key
>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
>to implement a Pass-Through Gina (one which grabs your password and then
>calls through to the real Gina)

However, in order to change that registry key, you have to be an
administrator or server operator. Anyone in these groups is allowed to
modify the operating system in any way they like. It would be more
effective for them to simply install a keystroke logger, as that way you'd
get passwords typed in at other times, and not just logons.

The trust in the secure attention sequence, or any other part of the
operating system, is only as good as your trust in the administrator.
Given the credentials needed to write the Winlogon values, the number of
things I could do to someone is only limited by my imagination and how much
code I want to write. The mind boggles at the possibilities <g>.

David LeBlanc
dleblanc@mindspring.com
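The crux of the reply above is who can write the Winlogon key, so it is worth checking directly. The following PowerShell script is an added example, not code from the original post or from any Microsoft tool. It reads the key's GinaDLL value and lists the principals whose ACL entries allow writing the key. Assumptions: it runs on a Windows host where the key exists; the GinaDLL value and GINA itself are Windows 2000/XP-era (later Windows loads credential providers instead and ignores the value), so on a modern host only the ACL portion says anything useful.

```powershell
# Added example, not from the original post. Inspects the Winlogon key
# discussed in the thread: is GinaDLL explicitly set, and who may write
# the key? Reading the key and its ACL needs no elevation.
# Assumption: Windows host; GinaDLL is only honoured by Windows 2000/XP
# (later versions load credential providers instead of a GINA).

$Winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

function Get-GinaDllSetting {
    # On a default Windows 2000/XP install the GinaDLL value is absent and
    # msgina.dll is loaded implicitly, so any explicit value is worth a look.
    $props = Get-ItemProperty -Path $Winlogon
    if ($null -ne $props.GinaDLL) { return $props.GinaDLL }
    return $null
}

function Get-WinlogonKeyWriters {
    # Rights that let a principal replace GinaDLL or rewrite the ACL itself.
    # Any "Allow" ACE carrying one of these bits (FullControl included) counts.
    $writeMask = [System.Security.AccessControl.RegistryRights]'SetValue, CreateSubKey, Delete, ChangePermissions, TakeOwnership'
    $acl = Get-Acl -Path $Winlogon
    $acl.Access |
        Where-Object { $_.AccessControlType -eq 'Allow' -and (($_.RegistryRights -band $writeMask) -ne 0) } |
        Select-Object IdentityReference, RegistryRights, IsInherited
}

$gina = Get-GinaDllSetting
if ($gina) {
    Write-Output "GinaDLL is explicitly set to: $gina"
} else {
    Write-Output 'GinaDLL is not set (default GINA, or a post-XP Windows that ignores it).'
}

Write-Output "Principals whose ACEs allow writing ${Winlogon}:"
Get-WinlogonKeyWriters | Format-Table -AutoSize
```

On a stock system the write-capable entries should be limited to SYSTEM, Administrators and, on servers, the operator groups the reply names; an unexpected principal in that list, or an explicit GinaDLL pointing somewhere other than msgina.dll, is the condition the thread is arguing about.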