
nt4-ole-clipboard-password.txt

17 Aug 1999 00:00:00 | Reported by Packet Storm | Type: packetstorm | Source: packetstormsecurity.com

Security flaw in Windows NT 4.0 allows clipboard interaction in unlock dialog, risking data exposure.

Code
`Date: Fri, 29 Jan 1999 10:21:51 -0600  
From: "Reed, David" <[email protected]>  
To: [email protected]  
Subject: ole objects in a "secured" environment?  
  
  
fellow 'noids,  
  
background:  
  
since all of the major security flaws in windows nt 4.0 have been discovered  
(who am i kidding? ;-), i'd like to point out a minor one... by way of a  
question: "should a secured workstation's 'unlock workstation' dialog be  
permitted to interact with the desktop?"  
  
apparently the windows nt logon dialog, including the "unlock workstation"  
dialog, contains two ole container/object fields --> the username field and  
the password field. both fields will respond to the standard CTRL+X,  
CTRL+C, CTRL+V shortcut keys... at the console and via remote control (i  
tested sms with key-pass-thru on, but i'm assuming timbuk and others work as  
well).  
  
anyone can lock an NT4sp4 computer and otherwise believe it to be reasonably  
secure and some users even set their screensavers to password protected  
(wow!), with the assumption that it is completely secure, however at least  
part of nearly ANY clipboard contents are potentially available to someone  
with physical access to the box...  
  
i'm not sure why the logon dialog would need to be an ole  
server/recipient/whatever-programmers-call-it-these-days and interact with  
the desktop... but i'll go so far as to say IT SHOULDN'T! i haven't tried  
to flood its buffer, yet, however it's held as much as this entire message  
(sans CRLFs) without flinching. i wonder what happens if a meg or two of  
data, nah... see "worst case" below.  
  
while not a huge security hole (physical security is almost everything!), it  
is "worrisome". my initial testing shows that most types of ole objects  
(obviously) aren't available, so the nudie pics the boss was cut-n-pasting  
won't show up this way, but text or objects immediately convertible to text  
are (rtf, html, etc), such as sensitive passwords, review details, salary  
data, etc --> up to the first carriage return.  
  
  
'sploit:  
  
1. at any locked nt4 console (or via remote control) give the three fingered  
salute  
2. either shift+tab to highlight the username or use the mouse  
3. ctrl+v to paste the contents of the clipboard over the username  
  
this makes the contents of the clipboard visible, up to the first CRLF.  
  
  
worst case:  
  
you have your password, or the administrator's, on the clipboard for some  
stupid reason and a wily cracker pastes it into the password field and gains  
access to your desktop... (i tried this, it actually works.)  
  
  
keep your clipboards clean...  
  
# David Reed ([email protected])  
# 713.787.1651 (officex)  
# 800.705.3861 (a-pager)  
  
-----BEGIN GEEK CODE BLOCK-----  
Version: 3.1  
  
GIT$/GG/GSS d?(++) s-:+ a?(--) C++++$ W+++$ w++++$ UL+>+++$ P>++$ L+>+++$  
E--- N+(++) O? !M !V PS---(----) PE+++ Y++ PGP++ t---(+) 5++(+++) X++++ R+++  
tv-- b++++ DI++++ D(+) G e+++ h---(*) r+++ y++++ K? o?  
  
------END GEEK CODE BLOCK------  
  
`
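
The post's closing advice, "keep your clipboards clean", can be enforced at lock time. The script below is an added example, not part of the original post or of any Microsoft tooling: it empties the clipboard, confirms nothing is left to paste, and only then locks the session. It assumes a current Windows system with PowerShell rather than NT 4.0; the function name `Clear-ClipboardAndLock` and the type name `Win32.ClipHygiene` are hypothetical, while the `user32.dll` functions are the standard Win32 clipboard and lock calls.

```powershell
# Added example: empty the clipboard, verify it is empty, then lock the session.
# Clear-ClipboardAndLock and Win32.ClipHygiene are hypothetical names.
Add-Type -Namespace Win32 -Name ClipHygiene -MemberDefinition @'
[DllImport("user32.dll", SetLastError = true)]
public static extern bool OpenClipboard(IntPtr hWndNewOwner);
[DllImport("user32.dll", SetLastError = true)]
public static extern bool EmptyClipboard();
[DllImport("user32.dll", SetLastError = true)]
public static extern bool CloseClipboard();
[DllImport("user32.dll")]
public static extern int CountClipboardFormats();
[DllImport("user32.dll", SetLastError = true)]
public static extern bool LockWorkStation();
'@

function Clear-ClipboardAndLock {
    param([int]$Retries = 10, [int]$DelayMs = 50)

    # Another process may hold the clipboard open, so retry briefly.
    $opened = $false
    for ($i = 0; $i -lt $Retries -and -not $opened; $i++) {
        $opened = [Win32.ClipHygiene]::OpenClipboard([IntPtr]::Zero)
        if (-not $opened) { Start-Sleep -Milliseconds $DelayMs }
    }
    if (-not $opened) { throw "Clipboard busy; contents could not be cleared." }

    try {
        # Drops every format (text, RTF, HTML, ...) currently on the clipboard.
        if (-not [Win32.ClipHygiene]::EmptyClipboard()) {
            throw "EmptyClipboard failed."
        }
    } finally {
        [void][Win32.ClipHygiene]::CloseClipboard()
    }

    # Zero formats means nothing remains that a paste into any field could reveal.
    if ([Win32.ClipHygiene]::CountClipboardFormats() -ne 0) {
        throw "Clipboard still holds data after clearing."
    }
    if (-not [Win32.ClipHygiene]::LockWorkStation()) {
        throw "LockWorkStation failed."
    }
}

Clear-ClipboardAndLock
```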
