RAS 'save password' problems...

From: Aleph One (aleph1at_private)
Date: Fri Mar 20 1998 - 09:19:26 PST


    ---------- Forwarded message ----------
    Date: Thu, 19 Mar 1998 14:09:44 -0800
    From: martin Dolphin <mdolphinat_private>
    To: NTBUGTRAQat_private
    Subject: RAS 'save password' problems...
    
    THE PROBLEM:
    Windows NT allows users to save their RAS credentials by using the 'Save
    Password' checkbox when making a dial-up connection. Credentials saved in
    this manner are stored in the
    HKEY_LOCAL_MACHINE\SECURITY\Policy\Secrets\RasCredentials!SID#0 registry
    key.  These credentials can be enumerated using the LSA secrets code.  (As
    identified by Paul Ashton in a prior submission to NTBugtraq)
    
    If a user does not check the 'save password' checkbox to prevent the
    password from being stored, RAS will STILL save the successful connection
    information, including the password, in the
    HKEY_LOCAL_MACHINE\SECURITY\Policy\Secrets\RasDialParams!SID#0 registry
    key.  This can be enumerated using the LSA secrets code.
    
    NOTE:  Administrator privileges are needed to execute the LSA secrets code.
    
    OUR REASONING FOR THIS BEHAVIOR:
    We think that this behavior exists so that Windows NT can automatically
    re-establish a dial-up session that has been unexpectedly terminated.  In
    order to "re-dial",  Windows NT needs to maintain the RAS credentials for
    automatic re-authentication.
    
    We believe that Windows NT uses the RasDialParams key to maintain the RAS
    credentials for just this purpose (instead of maintaining them in temporary
    protected memory). Unfortunately, the credentials are not cleared from this
    key after the session is properly terminated.
    
    IMPACT:
    The following scenarios are some potential areas where we think this
    behavior could give access to username and password information that
    couldn't be gained from the NT SAM.
    
    1) A user may have a dial-up ISP account with an account name and password
    that is separate from their local\domain NT account.
    
    2) Users may have RAS/PPTP access to domains other than the domain that the
    user is a member of, also not stored in the SAM. (Vendor connections,
    non-trusted domains, etc.)
    
    3) If an Administrator attempting to troubleshoot or set up a user's
    workstation needs to dial in from the workstation and doesn't click the
    'save password' box, then he/she should be able to assume that his
    password will not be saved on that user's workstation.
    
    4) Windows NT 'public access' machines, such as the machines available at
    training classes, airports, etc.
    
    WORKAROUND:
    There does not appear to be any method to prevent this behavior from
    occurring.
    
    REPRODUCTION:
    Reproduced on three Windows NT 4.0 workstations, and one Windows NT 4.0
    Server.
    
    Log on as a user, identify the SID of the user using getsid or any other
    means. Use the LSA secrets code to dump the RasDialParams and
    RasCredentials for the user.  Create a new dial up networking connection.
    DO NOT save the password.  After successfully connecting to the remote end,
    re-dump the RasDialParams and RasCredentials entries.  The new successful
    connection password will be saved in the RasDialParams value even though
    you didn't check the 'save password' box.
    
    
    Microsoft was notified of this one week ago.
    
    Lisa O'Connor
    Martin Dolphin
    Joe Greene
    Eric Schultze
    
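Added audit script, written for this archive page and not part of the original post or of any Microsoft tooling. It gives an administrator a way to find out which user SIDs on a host still have RAS secrets cached under HKLM\SECURITY\Policy\Secrets, without decrypting or displaying any secret values: it only enumerates subkey names and matches them against the RasDialParams!SID#0 and RasCredentials!SID#0 naming the post describes, then resolves each SID to an account name. Assumptions: the secret names still follow that 1998 pattern (newer Windows releases may never create them), HKLM\SECURITY is readable only in a SYSTEM context, so the script is expected to be launched with something like `psexec -s powershell.exe -File .\Find-RasSecrets.ps1`, and the function and parameter names are this example's own.

```powershell
# Find-RasSecrets.ps1 (added example, not from the original post)
# Lists LSA secret NAMES under HKLM\SECURITY\Policy\Secrets and flags the
# RAS-related ones so an admin can see whose dial-up credentials are cached.
# Secret values are never read, decrypted or printed.
# Run as SYSTEM; a plain Administrator token cannot open HKLM\SECURITY.

param(
    [string]$SecretsPath = 'HKLM:\SECURITY\Policy\Secrets'   # assumed default location
)

function Get-RasSecretNames {
    param([string]$Path)

    if (-not (Test-Path -LiteralPath $Path)) {
        throw "Cannot open $Path. Run in a SYSTEM context (e.g. psexec -s)."
    }

    $results = @()
    foreach ($key in Get-ChildItem -LiteralPath $Path -ErrorAction Stop) {
        $name = $key.PSChildName

        # Naming pattern taken from the post: <Kind>!<SID>#<n>
        if ($name -match '^(RasDialParams|RasCredentials)!(S-1-[\d-]+)#(\d+)$') {
            $kind = $Matches[1]
            $sid  = $Matches[2]

            # Resolve the SID to an account name for readability; local/domain
            # SIDs that no longer resolve are reported as-is.
            try {
                $account = (New-Object System.Security.Principal.SecurityIdentifier($sid)).
                    Translate([System.Security.Principal.NTAccount]).Value
            } catch {
                $account = '<unresolved>'
            }

            # RasDialParams is the key the post shows being populated even when
            # 'Save Password' was NOT checked; RasCredentials means it was checked.
            if ($kind -eq 'RasDialParams') {
                $note = 'cached by RAS even without Save Password'
            } else {
                $note = 'user chose Save Password'
            }

            $results += [pscustomobject]@{
                Secret  = $name
                Kind    = $kind
                SID     = $sid
                Account = $account
                Note    = $note
            }
        }
    }
    return $results
}

$found = @(Get-RasSecretNames -Path $SecretsPath)
if ($found.Count -eq 0) {
    Write-Output "No RAS credential secrets found under $SecretsPath."
} else {
    Write-Output "RAS credential secrets present on $env:COMPUTERNAME:"
    $found | Format-Table -AutoSize
}
```

The output is meant as an inventory for shared or loaner workstations of the kind the post lists under IMPACT: if a RasDialParams!SID#0 entry exists for an account that no longer uses the machine, the matching phonebook entry should be removed and the host re-checked, since the post reports no setting that stops RAS from writing the key in the first place.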



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 13:46:29 PDT