Re: I want to retrieve Username, Password, Domain text from GINA system.

“Michal Vodicka” wrote in message
news:xxxxx@ntdev…
>
> This is right for the local computer. Think about the network. You can be local
> administrator with no or restricted access to network resources. If somebody
> with more network privileges logs on to your computer locally (luser asks admin
> to fix a problem) and you’re able to capture his plaintext password, you can
> log on to the network later as him. You can also log on to local computers where
> you had no access before and do evil work as him there.
>

(I realize we’re wandering off topic here, sorry)

You’re an admin on the local system. You load a driver. You log off.
Somebody with big-shot high-level network creds logs into the system, and
does something. Your driver contrives to run in the context of his process.
The driver captures his security context, and stores it. Later, that driver
can restore and impersonate that security context at will.

I’m not saying it’s a trivial exploit, or that this is a good idea. But,
seriously, unless I misunderstand some intricate detail of how security
contexts work: Once you ARE the operating system… well, you’re the
operating system. It’s really rather pointless trying to protect the
operating system from itself. You’re part of the Trusted Computing Base by
definition…

Peter
OSR

The issue is that using this approach, you can compromise OTHER systems to
which you have no access otherwise. By capturing higher-level access
credentials, you have escaped the bounds of your playpen.

At the very least, this completely violates C-2 Security in a number of
areas, not the least of which is traceability. Or does MS even give a shit
about C-2 security any more??

Greg

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com]On Behalf Of Peter Viscarola
Sent: Friday, April 19, 2002 11:23 AM
To: NT Developers Interest List
Subject: [ntdev] Re: I want to retrieve Username ,Password ,Domain tex t
from GINA system.


> The issue is that using this approach, you can compromise OTHER systems to
> which you have no access otherwise. By capturing higher-level access
> credentials, you have escaped the bounds of your playpen.
>
> At the very least, this completely violates C-2 Security in a number of
> areas, not the least of which is traceability. Or does MS even give a shit
> about C-2 security any more??

You cannot prohibit GINA filters installed by administrators. They can load SoftICE (wow! SI is not necessary, the MSVC IDE is
enough for this) and trace the LSASRV/MSV1_0 code to find a place where to apply the hook, then inject a hook DLL into LSASS
(using CreateRemoteThread), which will write all passwords to a text file.
Yes, a secretary girl on a corporate desktop can find the pre-written module for this on some website, load it, and then ask her
sysadmin for help because “my computer does not work properly”. The sysadmin will log on, leaving his password in cleartext on
the girl’s disk. The only way to guard against this is administrative, not technical - the sysadmin must never type his powerful
password on any desktop except his own.

This can be guarded against only by obscurity, and “security by obscurity” is junk in the modern world.

BTW - too bad the authorities do not pay attention to this, rolling out DMCAs instead. Spreading the information on how to break
copy protection results in jail, while spreading the information on how to break someone else’s webserver or how to write a virus
does not.

Max
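As an added defender-side example, not code from this thread or from any of its posters: the GINA replacement and the LSASS
hook that Max describes both leave a footprint in the registry on the Windows 2000/XP-era systems the thread is about, and an
administrator can audit for it. The script below reads the Winlogon `GinaDLL` value (absent means the stock msgina.dll is loaded)
and the LSA `Notification Packages` list (DLLs that LSA loads and hands password changes to) and flags anything outside an
expected baseline. The baseline list, the `Get-GinaAudit` function name and the idea of running this from PowerShell are
assumptions for illustration; the two registry locations are the real ones. On Vista and later, where GINA was replaced by
credential providers, the `GinaDLL` check simply finds nothing.

```powershell
# Added example, not from the thread. Audits the two registry locations a GINA
# replacement or an LSA password-capture DLL would have to be registered in.
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$lsa      = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

function Get-GinaAudit {
    $findings = @()

    # GinaDLL: when the value is absent, Winlogon loads the stock msgina.dll.
    # Any other value means a third-party GINA (or a GINA "filter" that chains
    # to msgina.dll) is in the logon path.
    $gina = (Get-ItemProperty -Path $winlogon -ErrorAction SilentlyContinue).GinaDLL
    if ($gina -and $gina -notmatch '^msgina\.dll$') {
        $findings += [pscustomobject]@{
            Location = "$winlogon\GinaDLL"
            Value    = $gina
            Note     = 'non-default GINA DLL in the logon path'
        }
    }

    # Notification Packages (REG_MULTI_SZ): each DLL named here is loaded into
    # LSASS and receives password-change notifications. Assumed baseline: a
    # plain workstation lists only scecli; adjust for your own build image.
    $expected = @('scecli')
    $pkgs = (Get-ItemProperty -Path $lsa -ErrorAction SilentlyContinue).'Notification Packages'
    foreach ($p in @($pkgs)) {
        if ($p -and ($expected -notcontains $p)) {
            $findings += [pscustomobject]@{
                Location = "$lsa\Notification Packages"
                Value    = $p
                Note     = 'LSA notification package outside the assumed baseline'
            }
        }
    }

    return $findings
}

# Usage: run elevated; no output means both locations match the baseline.
Get-GinaAudit | Format-Table -AutoSize
```

A finding here is a lead, not a verdict: legitimate products (smart-card logons, password-policy filters) register in exactly
these places, so compare the flagged DLL against the machine's build image rather than treating every entry as hostile. The
check does nothing against the kernel-driver variant Peter describes, which is why the administrative rule Max gives (never type
a privileged password on a desktop you do not control) is the control that actually matters.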