[Full-disclosure] Windows XP Home LSA secrets stores XP login passphrase in plain text
- To: full-disclosure@xxxxxxxxxxxxxxxxx
- Subject: [Full-disclosure] Windows XP Home LSA secrets stores XP login passphrase in plain text
- From: Markus Jansson <seemyhomepage@xxxxxxxxxxxxxxxxxxxx>
- Date: Fri, 05 May 2006 18:25:25 +0300
This again proves the reason to do some hacking of your own system;
things like these would otherwise go unnoticed...
OK, I set up Windows XP Home, did the regular securing up (as much as you
can do with Home edition), like for example setting that users must use
passwords and usernames to sign in, use control+alt+delete to sign in,
disabled automatic login to Windows etc. etc. Rebooted, changed my
account X passphrase, then rebooted again. Then I signed in to another
admin-level account (account Y) and ran Cain & Abel and used it to dump
LSA secrets... well well well... Windows stores my account X Windows XP
login passphrase in plaintext in the DefaultPassword field!
My Windows XP should NOT store any Windows passphrases in clear text on
the hdd, but only store the passphrase hashes
(LM/NTLM/NTLMv2/NT)... UNLESS specific settings are set (allowing
automatic login to Windows). But it does. Other people have also
verified that Windows sometimes does this, even if specifically set not to
save it.
I understand that LSA Secrets might / should store user X's password in
memory for the time user X is signed in, so it can be used to
authenticate the user to maybe third-party sites, network drives, etc.
But when user X is logged out of the system, user Y cannot/should not
see user X's Windows XP password since it is NOT loaded into memory
(from where could it be loaded into memory if the user has not entered it
yet, because user X hasn't signed in on this session yet?!?). So, in this
case, it seems that Windows IS storing the user's passphrase
somewhere in plaintext, which it should not do.
Now, let me clear a few things up, ok:
- I'm not talking about bruteforcing LM/NTLM/NTLMv2/NT hashes.
- I'm not talking about using rainbow tables to fetch the password.
- I'm not saving anything under Outlook Express, MSN, saved passwords
or anything else on the whole XP Home computer (so that if I used the same
passphrase on them too, C&A could somehow recover that).
- Yes, it's true that in order to do this, you must have the SeDebug
privilege set for the user, and admins can always reset any user's
passphrase (and anyone with physical access to the computer can always
get admin permissions using 3rd party tools).
- HOWEVER, if you can actually GET the user's password (the one he is currently
using) the way I'm talking about now, you can do a lot of harm with that.
You can, for example, decrypt all EFS encrypted files in normal
situations (since the user's EFS private key is encrypted using the user's
passphrase). You can, for example, try that same password in all kinds
of places where that user is logging in (since chances are he's using
the same password or variations of it elsewhere).
- Yes, if/when a villain can get admin permissions or physical access to
the computer, the game is lost in the sense that it can be loaded with all
kinds of hardware and software keyloggers and insecure settings, so that
the next time users sign in to the computer, their passwords etc. can be
recorded and abused by the villain. However, notice the words "next time
users sign in"! If someone steals the computer, that doesn't happen. If
someone leaves hints that the system is tampered with, that doesn't happen. BUT,
in this scenario I have told you about, all you need is to GET access to
the computer and the game is over; you don't have to wait for users to sign in
to the computer next time! This is a very important issue when thinking
about this bug & regular keylogging/insecuring of the system.
- Nobody, including admins, should be able to see plaintext
passwords, and Windows should NOT store them on the computer unless
specifically ordered to because of some "weird" configuration or
usability thing.
Now, the funny thing is that if I changed my password via Control Panel
- User Accounts, the new password would always be recorded in the LSA
Secrets and recovered by C&A. However, if I used "control
userpasswords2" to SET my password, the new password would NOT be
recorded in LSA Secrets and C&A could not recover it from there.
A similar bug has been discussed earlier here, but with no
solution or idea about why it's there:
http://www.derkeiler.com/Newsgroups/microsoft.public.security/2005-05/0765.html
Ongoing discussion about the subject in:
http://www.dslreports.com/forum/remark,16012871
--
My computer security & privacy related homepage
http://www.markusjansson.net
Use HushTools or GnuPG/PGP to encrypt any email
before sending it to me to protect our privacy.
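A defender-side check to go with the report above, added here as an example and not part of the original post or of any tool it mentions. The plaintext-password store the post describes is the Windows automatic-logon mechanism: its configuration lives under the Winlogon registry key (AutoAdminLogon, DefaultUserName, DefaultPassword), and the password is kept either as a plaintext DefaultPassword registry value or as the DefaultPassword LSA secret. This PowerShell script audits the registry side of that on the local machine and, with -Remediate, switches automatic logon off and deletes the plaintext registry value. The function name and the -Remediate switch are my own choices; the LSA secret itself is readable only as SYSTEM through the LSA API, so the script reports that it was not inspected rather than implying a clean result.

```powershell
# Added example: audit the Winlogon automatic-logon settings that can leave a
# plaintext logon password on disk. Function and parameter names are the
# editor's own, not from the original post or from Microsoft tooling.
function Test-AutoLogonExposure {
    [CmdletBinding()]
    param(
        # When set, turn AutoAdminLogon off and delete the plaintext
        # DefaultPassword registry value. Needs an elevated prompt.
        [switch]$Remediate
    )

    $winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $props = Get-ItemProperty -Path $winlogon -ErrorAction Stop

    $autoLogon   = [string]$props.AutoAdminLogon
    $defaultUser = [string]$props.DefaultUserName
    # Presence check only: the password value is never printed or logged.
    $hasPlainPwd = $null -ne $props.PSObject.Properties['DefaultPassword']

    $findings = New-Object System.Collections.Generic.List[string]

    if ($autoLogon -eq '1') {
        $findings.Add("AutoAdminLogon is enabled for user '$defaultUser'.")
    }
    if ($hasPlainPwd) {
        $findings.Add('A plaintext DefaultPassword value exists in the Winlogon key.')
    }
    # The DefaultPassword LSA secret (the store the post reports) is not a
    # registry value and is readable only by SYSTEM, so a registry audit
    # cannot rule it out; say so explicitly. The post's case (secret present
    # although AutoAdminLogon is off) is exactly what this audit cannot see.
    $findings.Add('DefaultPassword LSA secret not inspected (requires SYSTEM); treat as possible even with AutoAdminLogon=0.')

    if ($Remediate) {
        Set-ItemProperty -Path $winlogon -Name AutoAdminLogon -Value '0' -Type String
        if ($hasPlainPwd) {
            Remove-ItemProperty -Path $winlogon -Name DefaultPassword
        }
        $findings.Add('Remediation applied: AutoAdminLogon=0, plaintext DefaultPassword removed. Any LSA secret must be cleared separately.')
    }

    [pscustomobject]@{
        Computer         = $env:COMPUTERNAME
        AutoAdminLogon   = $autoLogon
        DefaultUserName  = $defaultUser
        PlaintextInReg   = $hasPlainPwd
        LsaSecretChecked = $false
        Findings         = $findings.ToArray()
    }
}

# Usage: Test-AutoLogonExposure            # audit only
#        Test-AutoLogonExposure -Remediate # audit, then disable autologon
Test-AutoLogonExposure | Format-List
```

Removing the registry value does not touch the LSA-held copy: that one is cleared only by storing an empty value through the LSA API (LsaStorePrivateData) or by the Disable action of the Sysinternals Autologon tool, which is what a remediation runbook should call out after this audit flags a machine.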
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/