Re: SAS behavior in Windows NT - RE: Windows 2000 Run As...

From: Jesper M. Johansson (jjohanssat_private)
Date: Wed Jan 26 2000 - 10:07:50 PST


    >Compare the following quotes
    >"you can provide custom code that participates in the logon process AND
    >that controls the user interface for Logging on" - Paula Tomlinson WDJ
    
    That in and of itself is not new, and I don't read this as her saying
    that the key sequence is trappable. All she is saying is that you can
    write a custom GINA. Novell has been doing that for a long time to
    provide a single logon to an NT Workstation and a Novell Server. ZEN
    Works can even create the NT user account on the fly and delete it when
    the user logs off. So, this is not really earth-shattering.
    
    >"(In order to prevent password capture) "This key sequence cannot be
    >duplicated by an application programs" NT Security Handbook by Hadfield
    
    The key sequence itself does not protect against password capture by a
    trojan. It simply ensures that whatever is registered as the GINA is
    launched.
    
    The problem is that I can write a trojan that presents the logon dialog
    box without the key sequence. I can run that trojan under my own
    account. Joe DumbUser now shows up, sees the logon box and types in his
    username and password WITHOUT first doing the three-finger salute. My
    trojan writes his info to disk, puts up a dialog that says "password
    incorrect" and asks him to press OK. He does that, and the trojan now
    logs him off and presents the real GINA. I have actually seen an entire
    lab with this kind of trojan on it.
    
    Now, can the three-finger salute key sequence be trapped? I'm not sure.
    However, if I can write my own GINA, which is not very hard, and replace
    the system one, it becomes a moot point.
    
    >there is no
    >documentation which widely advises not surfing the web under the
    >Administrator account (I know that NO one here does that anyway:) ) in
    >order to prevent an overflow in your browser (an app running with
    >sufficient privs) to do the damage.
    
    If you are looking at specifically surfing the web, I don't know of one
    either. But the ones worth anything advise against running routinely as
    an Admin. Sutton does in the NSA guide, on page 22. The SANS
    Step-by-Step guide does too (step 0.1). I think I even saw something
    coming out of Redmond saying that, although I believe it was just an
    e-mail from Paul Leach.
    
    Jesper M. Johansson
    
    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:31:43 PDT