[28181] in bugtraq
Password Hole Found In Webshots
daemon@ATHENA.MIT.EDU (Brian Carpenter)
Thu Dec 12 18:33:26 2002
From: Brian Carpenter <brian.carpenter@wosc.edu>
Reply-To: Travis.Wilkinson@wosc.edu
To: bugtraq@securityfocus.com
Content-Type: text/plain
Message-Id: <1039718001.13557.12.camel@localhost.localdomain>
Mime-Version: 1.0
Date: 12 Dec 2002 12:33:21 -0600
Content-Transfer-Encoding: 7bit
I have descovered a hole in the webshots screensave program. On either
a Win2K or xp machine that has it installed you can bypass the password
on the screen saver by pressing Ctrl+Alt+Del wich brings up the Windows
box that contains logout lockcomputer shutdown ect: Then you will hit
cancel and boom you are at the desktop with all the permisions the
previous user had. If you have windows password locking the screen saver
you are able to Ctrl+Alt+Del and then go to taskmanger and end the
screen saver thus bringing you back to the desktop.
This works with both webshots password set up and the windows password
setup on the computer. As long as webshots is used the hole is there.
