`Date: Fri, 29 Jan 1999 10:21:51 -0600
From: "Reed, David" <[email protected]>
To: [email protected]
Subject: ole objects in a "secured" environment?
fellow 'noids,
background:
since all of the major security flaws in windows nt 4.0 have been discovered
(who am i kidding? ;-), i'd like to point out a minor one... by way of a
question: "should a secured workstation's 'unlock workstation' dialog be
permitted to interact with the desktop?"
apparently the windows nt logon dialog, including the "unlock workstation"
dialog, contains two ole container/object fields --> the username field and
the password field. both fields will respond to the standard CTRL+X,
CTRL+C, CTRL+V shortcut keys... at the console and via remote control (i
tested sms with key-pass-thru on, but i'm assuming timbuk and others work as
well).
anyone can lock an NT4sp4 computer and otherwise believe it to be reasonably
secure and some users even set their screensavers to password protected
(wow!), with the assumption that it is completely secure, however at least
part of nearly ANY clipboard contents are potentially available to someone
with physical access to the box...
i'm not sure why the logon dialog would need to be an ole
server/recipient/whatever-programmers-call-it-these-days and interact with
the desktop... but i'll go so far as to say IT SHOULDN'T! i haven't tried
to flood its buffer, yet, however it's held as much as this entire message
(sans CRLFs) without flinching. i wonder what happens if a meg or two of
data, nah... see "worst case" below.
while not a huge security hole (physical security is almost everything!), it
is "worrisome". my initial testing shows that most types of ole objects
(obviously) aren't available, so the nudie pics the boss was cut-n-pasting
won't show up this way, but text or objects immediately convertible to text
are (rtf, html, etc), such as sensitive passwords, review details, salary
data, etc --> up to the first carriage return.
'sploit:
1. at any locked nt4 console (or via remote control) give the three fingered
salute
2. either shift+tab to highlight the username or use the mouse
3. ctrl+v to paste the contents of the clipboard over the username
this makes the contents of the clipboard visible, up to the first CRLF.
worst case:
you have your password, or the administrator's, on the clipboard for some
stupid reason and a wily cracker pastes it into the password field and gains
access to your desktop... (i tried this, it actually works.)
keep your clipboards clean...
# David Reed ([email protected])
# 713.787.1651 (officex)
# 800.705.3861 (a-pager)
-----BEGIN GEEK CODE BLOCK-----
Version: 3.1
GIT$/GG/GSS d?(++) s-:+ a?(--) C++++$ W+++$ w++++$ UL+>+++$ P>++$ L+>+++$
E--- N+(++) O? !M !V PS---(----) PE+++ Y++ PGP++ t---(+) 5++(+++) X++++ R+++
tv-- b++++ DI++++ D(+) G e+++ h---(*) r+++ y++++ K? o?
------END GEEK CODE BLOCK------
`
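One way to act on "keep your clipboards clean", as an added example that is not part of the original post: a PowerShell sketch that reports what a paste into a single-line field would reveal (the text up to the first line break) and clears the clipboard whenever the session locks. It assumes Windows PowerShell 5.1 running in the logged-on user's session; the function name `Get-ExposedClipboardText` and the identifier `ClearClipboardOnLock` are made up for this example.

```powershell
# Added example, not from the original post.
# Assumption: Windows PowerShell 5.1 console (STA thread) in the user's session.
Add-Type -AssemblyName System.Windows.Forms

function Get-ExposedClipboardText {
    # Returns the clipboard text that precedes the first line break, i.e. the
    # portion the post describes as visible after pasting into the username
    # field. The post says "first CRLF"; a bare CR or LF is treated the same
    # way here (assumption).
    param([string]$Text = [System.Windows.Forms.Clipboard]::GetText())
    if ([string]::IsNullOrEmpty($Text)) { return '' }
    return ($Text -split '\r\n|\r|\n', 2)[0]
}

# Audit: show how many characters are currently at risk, without echoing them.
$exposed = Get-ExposedClipboardText
Write-Host ("Clipboard text before first line break: {0} character(s)" -f $exposed.Length)

# Mitigation: empty the clipboard as soon as the workstation is locked.
# SystemEvents.SessionSwitch fires on lock, unlock, logon, logoff, etc.;
# only the lock transition is acted on.
Register-ObjectEvent -InputObject ([Microsoft.Win32.SystemEvents]) `
    -EventName SessionSwitch `
    -SourceIdentifier ClearClipboardOnLock `
    -Action {
        if ($EventArgs.Reason -eq [Microsoft.Win32.SessionSwitchReason]::SessionLock) {
            [System.Windows.Forms.Clipboard]::Clear()
        }
    } | Out-Null
```

The subscription lasts only as long as the PowerShell session that registered it; `Unregister-Event -SourceIdentifier ClearClipboardOnLock` removes it.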