Message-ID: <001501c884cb$d5d4cde0$817e69a0$@us>
Date: Wed, 12 Mar 2008 22:33:52 -0700
From: "Eric Rachner" <eric@...hner.us>
To: "'FD'" <fd@....ac>,
	"'Larry Seltzer'" <Larry@...ryseltzer.com>
Cc: full-disclosure@...ts.grok.org.uk, bugtraq@...urityfocus.com
Subject: Re: Firewire Attack on Windows Vista

Re. where you said,

"yes, if the system is off and you can turn it on (e.g. no bios or hdd
encryption passwords) you can bypass the logon screen. this is because
the tool searches for the function "MsvpPasswordValidate" in memory and
patches it to allow any password."

That's correct, but not entirely.  Yes, you can patch Winlogon to allow any
password, but that does not necessarily mean you can access the user's data.

#1, you will not be able to access any resources which are encrypted using
Windows protected storage.  This includes all EFS-protected files, as well
as stored passwords for IE, Outlook, etc.  All of these secrets are
protected using keys which are derived from the user's credentials.
Obviously if the system is unable to reconstruct these keys, then the
protected data will be out of reach.  (This would be true regardless of
whether or not the logged-on account belongs to a domain.)

#2, you will not be able to access network resources as the user.  Again,
this is because when the machine authenticates to remote resources, it does
so by providing a proof which is calculated from the user's credentials.
And again, without access to the user's credentials, the system won't be
able to perform network authentication on the user's behalf.

In a real-world scenario, as the attacker, I would prefer to install a
Trojan in order to capture the user's credentials the next time they log on.

- Eric 

-----Original Message-----
From: full-disclosure-bounces@...ts.grok.org.uk
[mailto:full-disclosure-bounces@...ts.grok.org.uk] On Behalf Of FD
Sent: Monday, March 10, 2008 11:50 AM
To: Larry Seltzer
Cc: full-disclosure@...ts.grok.org.uk; bugtraq@...urityfocus.com
Subject: Re: [Full-disclosure] Firewire Attack on Windows Vista

> How much should the average user worry about this? Not very much. Most
> notebooks from average users don't even have Firewire on them and you
> would have an easier time cracking them with a dictionary attack on
> the password and other such things, which means that this attack
> makes you no more vulnerable to compromise if you've already granted
> physical access than you were before.

you don't need a firewire port on your laptop, a pcmcia slot is enough
where an attacker inserts a firewire card. but still.. it's a physical
access attack..

regarding your other email:

> OK, I guess I misunderstood the original paper
> (http://www.sec-consult.com/fileadmin/Whitepapers/Vista_Physical_Attacks.pdf).
> It now looks to me like they are claiming they can disable
> password authentication *even while the system is not logged on* - do
> I have that right?

yes, if the system is off and you can turn it on (e.g. no bios or hdd
encryption passwords) you can bypass the logon screen. this is because
the tool searches for the function "MsvpPasswordValidate" in memory and
patches it to allow any password.

FD


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
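
The distinction drawn in the reply above, between passing a logon check and holding the keys derived from the user's credentials, can be modelled in a few lines. This is an added example, not code from the thread or from Windows: PBKDF2 and HMAC stand in for the real Windows key-derivation and authentication schemes, and every name and value in it is hypothetical and constructed.

```python
import hashlib, hmac, os

SALT = b"constructed-salt"  # constructed sample value

def derive_key(password: str) -> bytes:
    """64 bytes derived from the password: 32 for encryption, 32 for MAC."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 100_000, dklen=64)

def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]

def seal(password: str, plaintext: bytes) -> tuple:
    """Protect data under a key that exists only if the password is known."""
    k, nonce = derive_key(password), os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(k[:32], nonce, len(plaintext))))
    return nonce, ct, hmac.new(k[32:], nonce + ct, hashlib.sha256).digest()

def unseal(password: str, blob: tuple):
    """Return the plaintext, or None if the password-derived key is wrong."""
    nonce, ct, tag = blob
    k = derive_key(password)
    if not hmac.compare_digest(tag, hmac.new(k[32:], nonce + ct, hashlib.sha256).digest()):
        return None
    return bytes(a ^ b for a, b in zip(ct, _keystream(k[:32], nonce, len(ct))))

def network_proof(password: str, challenge: bytes) -> bytes:
    """Challenge-response proof computed from the credential-derived key."""
    return hmac.new(derive_key(password)[32:], challenge, hashlib.sha256).digest()

def real_validate(password: str, verifier: bytes) -> bool:
    return hmac.compare_digest(hashlib.sha256(derive_key(password)).digest(), verifier)

def patched_validate(password: str, verifier: bytes) -> bool:
    return True  # models a logon check that has been altered to accept anything

def demo() -> dict:
    real_pw, guess = "S3cret-constructed", "anything"  # constructed values
    verifier = hashlib.sha256(derive_key(real_pw)).digest()
    blob = seal(real_pw, b"EFS-style protected file contents")
    challenge = os.urandom(16)
    return {
        "logon_unpatched": real_validate(guess, verifier),
        "logon_patched": patched_validate(guess, verifier),
        "data_with_guess": unseal(guess, blob),
        "data_with_real": unseal(real_pw, blob),
        "proof_matches": hmac.compare_digest(network_proof(guess, challenge),
                                             network_proof(real_pw, challenge)),
    }

if __name__ == "__main__":
    print(demo())
```

In the model, the altered check lets the session start, but the sealed data and the network proof still depend on a key that only the real password produces.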
