ole objects in a "secured" environment?

From: Reed, David (DReedat_private)
Date: Fri Jan 29 1999 - 08:21:51 PST


    fellow 'noids,
    
    background:
    
    since all of the major security flaws in windows nt 4.0 have been discovered
    (who am i kidding? ;-), i'd like to point out a minor one... by way of a
    question: "should a secured workstation's 'unlock workstation' dialog be
    permitted to interact with the desktop?"
    
    apparently the windows nt logon dialog, including the "unlock workstation"
    dialog, contains two ole container/object fields --> the username field and
    the password field.  both fields will respond to the standard CTRL+X,
    CTRL+C, CTRL+V shortcut keys... at the console and via remote control (i
    tested sms with key-pass-thru on, but i'm assuming timbuk and others work as
    well).
    
    anyone can lock an NT4sp4 computer and otherwise believe it to be reasonably
    secure, and some users even set their screensavers to password protected
    (wow!), with the assumption that it is completely secure; however, at least
    part of nearly ANY clipboard contents is potentially available to someone
    with physical access to the box...
    
    i'm not sure why the logon dialog would need to be an ole
    server/recipient/whatever-programmers-call-it-these-days and interact with
    the desktop... but i'll go so far as to say IT SHOULDN'T!  i haven't tried
    to flood its buffer, yet, however it's held as much as this entire message
    (sans CRLFs) without flinching.  i wonder what happens if a meg or two of
    data, nah...  see "worst case" below.
    
    while not a huge security hole (physical security is almost everything!), it
    is "worrisome".  my initial testing shows that most types of ole objects
    (obviously) aren't available, so the nudie pics the boss was cut-n-pasting
    won't show up this way, but text or objects immediately convertible to text
    are (rtf, html, etc), such as sensitive passwords, review details, salary
    data, etc --> up to the first carriage return.
    
    
    'sploit:
    
    1. at any locked nt4 console (or via remote control) give the three fingered
    salute
    2. either shift+tab to highlight the username or use the mouse
    3. ctrl+v to paste the contents of the clipboard over the username
    
    this makes the contents of the clipboard visible, up to the first CRLF.
    
    
    worst case:
    
    you have your password, or the administrator's, on the clipboard for some
    stupid reason and a wily cracker pastes it into the password field and gains
    access to your desktop...  (i tried this, it actually works.)
    
    
    keep your clipboards clean...
    
    # David Reed   (dreedat_private)
    # 713.787.1651 (officex)
    # 800.705.3861 (a-pager)
    
    -----BEGIN GEEK CODE BLOCK-----
    Version: 3.1
    
    GIT$/GG/GSS d?(++) s-:+ a?(--) C++++$ W+++$ w++++$ UL+>+++$ P>++$ L+>+++$
    E--- N+(++) O? !M !V PS---(----) PE+++ Y++ PGP++ t---(+) 5++(+++) X++++ R+++
    tv-- b++++ DI++++ D(+) G e+++ h---(*) r+++ y++++ K? o?
    
    ------END GEEK CODE BLOCK------
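    A defender-side complement to the "keep your clipboards clean" advice above, added
    here as an example; it is not part of the original post and not Microsoft code.
    The script registers for the session-switch notification and empties the clipboard
    the moment the workstation is locked, so nothing is left to paste into the
    "unlock workstation" dialog. It assumes Windows PowerShell 5.1 or later on a
    current Windows desktop, run inside the user's own interactive session (the post
    concerns NT 4.0 SP4, which predates PowerShell). OpenClipboard, EmptyClipboard,
    CloseClipboard and Microsoft.Win32.SystemEvents.SessionSwitch are real Win32 /
    .NET APIs; the subscription name 'ClipboardWipeOnLock' is just a label chosen here.

```powershell
# Added example (not from the original post): empty the clipboard whenever the
# interactive session locks. Assumes Windows PowerShell 5.1+ on a modern Windows
# desktop, run in the user's own session (per-user clipboard, per-user lock).

# Raw Win32 clipboard calls, so the wipe works from the event runspace without
# needing an STA thread (System.Windows.Forms.Clipboard would require one).
Add-Type -Namespace Win32 -Name NativeClipboard -MemberDefinition @'
[DllImport("user32.dll", SetLastError=true)] public static extern bool OpenClipboard(IntPtr hWnd);
[DllImport("user32.dll", SetLastError=true)] public static extern bool EmptyClipboard();
[DllImport("user32.dll", SetLastError=true)] public static extern bool CloseClipboard();
'@

function Clear-NativeClipboard {
    # Returns $true when the clipboard was opened and emptied, $false otherwise.
    if (-not [Win32.NativeClipboard]::OpenClipboard([IntPtr]::Zero)) { return $false }
    try   { return [Win32.NativeClipboard]::EmptyClipboard() }
    finally { [void][Win32.NativeClipboard]::CloseClipboard() }
}

# SessionSwitch fires for lock/unlock, logon/logoff and remote connect/disconnect.
# Reasons chosen here: the local lock the post describes, plus remote disconnect,
# since the post notes the paste also works over remote-control sessions.
$wipeReasons = @(
    [Microsoft.Win32.SessionSwitchReason]::SessionLock,
    [Microsoft.Win32.SessionSwitchReason]::RemoteDisconnect
)

$subscription = Register-ObjectEvent -InputObject ([Microsoft.Win32.SystemEvents]) `
    -EventName SessionSwitch -SourceIdentifier 'ClipboardWipeOnLock' `
    -MessageData $wipeReasons -Action {
        # $Event.SourceEventArgs is a Microsoft.Win32.SessionSwitchEventArgs
        $reason = $Event.SourceEventArgs.Reason
        if ($Event.MessageData -contains $reason) {
            $ok = Clear-NativeClipboard
            Write-Host ("{0} {1}: clipboard wipe {2}" -f (Get-Date -Format o), $reason,
                        $(if ($ok) { 'succeeded' } else { 'FAILED (clipboard busy?)' }))
        }
    }

Write-Host "Watching for session lock (subscription $($subscription.Id)); Ctrl+C to stop."
try {
    # Keep the script alive so the subscription stays registered; Wait-Event just
    # idles, the -Action block above does the work.
    while ($true) { Wait-Event -SourceIdentifier 'ClipboardWipeOnLock' -Timeout 60 | Out-Null }
}
finally {
    Unregister-Event -SourceIdentifier 'ClipboardWipeOnLock' -ErrorAction SilentlyContinue
}
```

    Run it from a logon script or a scheduled task triggered at logon so it is always
    resident. Two caveats a practitioner should keep in mind: OpenClipboard can fail
    briefly while another application holds the clipboard, which the script reports
    rather than hiding, and on Windows 10 and later the optional clipboard history
    (Win+V) keeps its own copies of past items, which emptying the current clipboard
    does not remove.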
    
    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:32:05 PDT