[13577] in bugtraq
Re: SAS behavior in Windows NT - RE: Windows 2000 Run As...
daemon@ATHENA.MIT.EDU (Jesper M. Johansson)
Thu Jan 27 00:17:32 2000
Message-Id: <000701bf6828$42ec5bb0$026fa8c0@bu.edu>
Date: Wed, 26 Jan 2000 13:07:50 -0500
Reply-To: jjohanss@bu.edu
From: "Jesper M. Johansson" <jjohanss@BU.EDU>
X-To: BUGTRAQ@SECURITYFOCUS.COM
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <01BF67CC.ECE9D540.jdglaser@ntobjectives.com>
>Compare the following quotes
>"you can provide custom code that participates in the logon process AND
>that controls the user interface for Logging on" - Paula Tomlinson WDJ
That in and of itself is not new, and I don't read this as her saying
that the key sequence is trappable. All she is saying is that you can
write a custom GINA. Novell has been doing that for a long time to
provide a single logon to an NT Workstation and a Novell Server. ZEN
Works can even create the NT user account on the fly and delete it when
the user logs off. So, this is not really earth-shattering.
>"(In order to prevent password capture) "This key sequence cannot be
>duplicated by an application program" NT Security Handbook by Hadfield
The key sequence itself does not protect against password capture by a
trojan. It simply ensures that whatever is registered as the GINA is
launched.
The problem is that I can write a trojan that presents the logon dialog
box without the key sequence. I can run that trojan under my own
account. Joe DumbUser now shows up, sees the logon box and types in his
username and password WITHOUT first doing the three-finger salute. My
trojan writes his info to disk, puts up a dialog that says "password
incorrect" and asks him to press OK. He does that, and the trojan now
logs him off and presents the real GINA. I have actually seen an entire
lab with this kind of trojan on it.
Now, can the three-finger salute key sequence be trapped? I'm not sure.
However, if I can write my own GINA, which is not very hard, and replace
the system one, it becomes a moot point.
>there is no documentation which widely advises not surfing the web under
>the Administrator account (I know that NO one here does that anyway:) )
>in order to prevent an overflow in your browser (an app running with
>sufficient privs) to do the damage.
If you are looking at specifically surfing the web, I don't know of one
either. But the ones worth anything advise against running routinely as
an Admin. Sutton does in the NSA guide, on page 22. The SANS
Step-by-Step guide does too (step 0.1). I think I even saw something
coming out of Redmond saying that, although I believe it was just an
e-mail from Paul Leach.
Jesper M. Johansson
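An added defender-side check prompted by the GINA-replacement point in the message above (example code, not from the original post or its author): it parses a constructed `reg export` of the Winlogon key and flags any GinaDLL value other than the default msgina.dll, since a swapped GINA is what makes the SAS moot. The sample export text, the file name nwgina.dll and the helper names are constructed assumptions.

```python
r"""Flag a non-default GINA DLL in an exported Winlogon registry key.

On NT 4 / Windows 2000 the GinaDLL value under
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon names the DLL
Winlogon loads after the SAS; when the value is absent, msgina.dll is used.
"""
import re

DEFAULT_GINA = "msgina.dll"

# Constructed sample export (not from a real host), in the shape that
# `reg export "HKLM\...\Winlogon" winlogon.reg` produces.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"DefaultDomainName"="LAB"
"GinaDLL"="C:\\Temp\\nwgina.dll"
"Shell"="Explorer.exe"
'''

_VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<data>.*)$')


def parse_reg_values(text):
    """Return {name: data} for the values in a .reg export.

    REG_SZ data is unquoted and unescaped; other types are kept raw.
    """
    values = {}
    for line in text.splitlines():
        m = _VALUE_RE.match(line.strip())
        if not m:
            continue  # header, key path, blank line
        data = m.group("data")
        if data.startswith('"') and data.endswith('"'):
            # .reg files escape backslashes and double quotes in string data
            data = data[1:-1].replace('\\\\', '\\').replace('\\"', '"')
        values[m.group("name")] = data
    return values


def assess_gina(values):
    """Classify GinaDLL as 'default', 'default-explicit' or 'custom'.

    Anything other than the bare name msgina.dll, including a full path to a
    file called msgina.dll in some other directory, is flagged for review.
    """
    gina = values.get("GinaDLL")
    if gina is None:
        return "default", DEFAULT_GINA
    if gina.lower() == DEFAULT_GINA:
        return "default-explicit", gina
    return "custom", gina


if __name__ == "__main__":
    status, dll = assess_gina(parse_reg_values(SAMPLE_REG))
    print(f"GinaDLL: {dll} ({status})")
```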