lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Date: Fri, 12 Jul 2013 11:35:11 +0200 (ora legale Europa occidentale)
From: Marco Ivaldi <raptor@...iaservice.net>
To: "Dnegel X." <dnegel666@...il.com>
cc: bugtraq@...urityfocus.com
Subject: Re: Windows 7/8 admin account installation password stored in the
 clear in LSA Secrets

Hi,

I've often found this behaviour during security assessments for corporate 
Clients.

It should indeed be considered a vulnerability, especially in enterprise 
scenarios where for instance it can be leveraged by a regular notebook 
user to escalate privileges and be able to access all other corporate 
user's notebooks (including their bosses';).

Cheers,

MI

On Thu, 11 Jul 2013, Dnegel X. wrote:

> 1. I didn't find an explanation about this behavior that deals with
> installation password, although this LSA Secret is well known to
> contain passwords, mainly from Windows XP era. Could you provide a
> link?
> It also hasn't been fixed in Window 8 released this year.
> 2. You could e.g. retrieve a password from one vulnerable machine
> (where physical access or admin shell is possible) and use it against
> more secure ones sharing same admin password, typically when a Windows
> image is replicated over a network to multiple machines.
>
> Anyhow, having a cleartext password residue somewhere without
> documentation looks like a sad bug to me.
>
> Xavier
>
>
> On Thu, Jul 11, 2013 at 7:35 PM, Rob <synja@...fulvisions.com> wrote:
>> Two things:
>> 1. This was made public sometime in 2012 or earlier IIRC.
>> 2. Exploiting this requires the same permission levels that would be
>> required to change or access the password anyway. Where's the realistic
>> security threat?
>>
>> Rob

-- 
------------------------------------------------------------------
Marco Ivaldi                          OPSA, OPST, OWSE, QSA, ASV
Senior Security Advisor
@ Mediaservice.net Srl                Tel: +39-011-32.72.100
Via Santorelli, 15                    Fax: +39-011-32.46.497
10095 Grugliasco (TO) - ITALY         http://www.mediaservice.net/
------------------------------------------------------------------
PGP Key - https://keys.mediaservice.net/m_ivaldi.asc

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ