nt4-ole-clipboard-password.txt

1999-08-17T00:00:00
ID PACKETSTORM:17904
Type packetstorm
Reporter Packet Storm
Modified 1999-08-17T00:00:00

Description

                                        
Date: Fri, 29 Jan 1999 10:21:51 -0600
From: "Reed, David" <DReed@AWD.COM>
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
Subject: ole objects in a "secured" environment?

fellow 'noids,

background:

since all of the major security flaws in windows nt 4.0 have been discovered
(who am i kidding? ;-), i'd like to point out a minor one... by way of a
question: "should a secured workstation's 'unlock workstation' dialog be
permitted to interact with the desktop?"

apparently the windows nt logon dialog, including the "unlock workstation"
dialog, contains two ole container/object fields --> the username field and
the password field. both fields will respond to the standard CTRL+X,
CTRL+C, CTRL+V shortcut keys... at the console and via remote control (i
tested sms with key-pass-thru on, but i'm assuming timbuk and others work as
well).
  
anyone can lock an NT4sp4 computer and otherwise believe it to be reasonably
secure, and some users even set their screensavers to password protected
(wow!), with the assumption that it is completely secure; however, at least
part of nearly ANY clipboard contents is potentially available to someone
with physical access to the box...

i'm not sure why the logon dialog would need to be an ole
server/recipient/whatever-programmers-call-it-these-days and interact with
the desktop... but i'll go so far as to say IT SHOULDN'T! i haven't tried
to flood its buffer, yet; however, it's held as much as this entire message
(sans CRLFs) without flinching. i wonder what happens if a meg or two of
data, nah... see "worst case" below.
  
while not a huge security hole (physical security is almost everything!), it
is "worrisome". my initial testing shows that most types of ole objects
(obviously) aren't available, so the nudie pics the boss was cut-n-pasting
won't show up this way, but text or objects immediately convertible to text
are (rtf, html, etc), such as sensitive passwords, review details, salary
data, etc --> up to the first carriage return.
  
  
'sploit:

1. at any locked nt4 console (or via remote control) give the three-fingered
salute
2. either shift+tab to highlight the username or use the mouse
3. ctrl+v to paste the contents of the clipboard over the username

this makes the contents of the clipboard visible, up to the first CRLF.
  
  
worst case:

you have your password, or the administrator's, on the clipboard for some
stupid reason and a wily cracker pastes it into the password field and gains
access to your desktop... (i tried this, it actually works.)
  
  
keep your clipboards clean...

# David Reed (dreed@awd.com)
# 713.787.1651 (officex)
# 800.705.3861 (a-pager)

-----BEGIN GEEK CODE BLOCK-----
Version: 3.1

GIT$/GG/GSS d?(++) s-:+ a?(--) C++++$ W+++$ w++++$ UL+>+++$ P>++$ L+>+++$
E--- N+(++) O? !M !V PS---(----) PE+++ Y++ PGP++ t---(+) 5++(+++) X++++ R+++
tv-- b++++ DI++++ D(+) G e+++ h---(*) r+++ y++++ K? o?

------END GEEK CODE BLOCK------
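The post's two points in working form, as an added example that is not part of David Reed's message (Windows PowerShell 5.1 on the .NET Framework assumed; the function names are this example's own). Get-UnlockDialogLeak returns the fragment a paste into a single-line field such as the unlock dialog's username box would reveal, mirroring the "up to the first CRLF" observation by cutting the clipboard text at the first CR or LF; Start-ClipboardLockGuard subscribes to the session-lock notification and empties the clipboard at that moment, which is the mechanical version of "keep your clipboards clean". The split-at-first-line-break rule is an assumption about single-line edit controls, not something re-tested on NT 4.

```powershell
# Added example, not from the original post. Assumes Windows PowerShell 5.1
# (.NET Framework); the Windows.Forms Clipboard class needs an STA thread,
# which the Windows PowerShell console thread is by default.
Add-Type -AssemblyName System.Windows.Forms

function Get-UnlockDialogLeak {
    # Returns what a paste into a single-line field (the unlock dialog's
    # username box) would expose, or $null if the clipboard holds no
    # text-convertible format. The cut at the first CR or LF is an assumption
    # about single-line edit controls, matching the post's observation.
    if (-not [System.Windows.Forms.Clipboard]::ContainsText()) {
        return $null
    }
    $text = [System.Windows.Forms.Clipboard]::GetText()
    $firstLine = ($text -split "[`r`n]", 2)[0]
    return $firstLine
}

function Start-ClipboardLockGuard {
    param([string]$SourceIdentifier = 'ClipboardLockGuard')

    # SystemEvents.SessionSwitch is a static .NET event; Register-ObjectEvent
    # accepts the type object itself as -InputObject for static events.
    # Must run inside the interactive user's session (e.g. from a logon
    # script) because that is where the clipboard and the lock event live.
    Register-ObjectEvent -InputObject ([Microsoft.Win32.SystemEvents]) `
        -EventName SessionSwitch -SourceIdentifier $SourceIdentifier -Action {
            if ($EventArgs.Reason -eq [Microsoft.Win32.SessionSwitchReason]::SessionLock) {
                # Empty the clipboard before the unlock dialog can paste it.
                [System.Windows.Forms.Clipboard]::Clear()
            }
        } | Out-Null

    # Event actions only run while the runspace is idle, so keep pumping
    # events until Ctrl+C; unregister on the way out.
    try {
        while ($true) { Wait-Event -Timeout 5 | Out-Null }
    }
    finally {
        Unregister-Event -SourceIdentifier $SourceIdentifier -ErrorAction SilentlyContinue
    }
}

# Usage: report what is exposed right now, then guard this session.
$leak = Get-UnlockDialogLeak
if ($null -ne $leak) {
    Write-Warning "A paste into the unlock dialog would reveal: '$leak'"
}
Start-ClipboardLockGuard
```

Run it as the logged-on user, not from a service or another session: the clipboard is per desktop, and a process in session 0 neither sees the user's clipboard nor receives that user's lock notification.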
  