When people ask for security holes as features: Stealing passwords


Sometimes people ask for features that are such blatant security holes I don't know what they were thinking.

Is there a way to get the current user's password? I have a program that does some stuff, then reboots the system, and I want to have the current user's password so I can log that user back in when I'm done, then my program can resume its operation.

(Sometimes they don't bother explaining why they need the user's password; they just ask for it.)

Imagine the fantastic security hole if this were possible. Anybody could write a program that steals your password without even having to trick you into typing it. They would just call the imaginary GetPasswordOfCurrentUser function and bingo! they have your password.

For another angle on credential-stealing, read Larry Osterman's discussion of why delegation doesn't work over the network.

Even if you didn't want the password itself but merely some sort of "cookie" that could be used to log the user on later, you still have a security hole. Let's call this imaginary function GetPasswordCookieOfCurrentUser; it returns a "cookie" that can be used to log the user on instead of using their password.

This is just a thinly-disguised GetPasswordOfCurrentUser because that "cookie" is equivalent to a password. Log on with the cookie and you are now that person.

Comments (33)
  1. waleri says:

    What about RebootAndLogMeBackAsSameUser(); – no argument, no password, no cookie, no nothing – a bit more secure :)

    Still, no good idea – user should know why system reboots, therefore, rebooting should always be done with a user on the keyboard…

  2. Alex says:

    Isn’t your cookie analogy similar to the the existing Remote Assistance Invitations in Windows XP; a short term grant of access to a resource that you currently have access (and rights) to.

  3. Ilya Birman says:

    Imagine you somehow retrieved the password, now is there a way to reboot the system and auto login user? Just curious, don’t know why should this be needed :-)

  4. waleri,

    LogMeOnAsTheSameUser() has the same problem. How does it contact the domain controller to log the user on? You need to contact the DC during the logon process, because things like logon hours might have expired, etc.

    You can’t get that information.

  5. msemack says:

    When I bought an Intel motherboard recently, it had a bunch of software to install (chipset drivers, monitoring tools, etc). It required several reboots.

    Intel had written a "master" install program which installed the necessary componenets one by one, somehow preserving its state between reboots.

    One of the first things the installer did was ask for my username, password, and domain. It did this so it could auto-logon after each reboot. It was optional. If I didn’t, I would have to log back in each time.

    I was really nervous when I first ran the setup, because I’ve seen so many crappy installers. I figured an install routine that complicated just had to botch up at some point. Surprisingly, it didn’t. That same install of Windows is over 3 years old, not a single problem.

    Although, I wondered about the various reboots. Why couldn’t everything be installed at once, and then reboot once? Never figured it out.

  6. AC says:

    It’s true, the user’s login password can’t be accessed by any program, but all the following are 100% accessible:

    – MSN messenger password

    – Outlook Express, all passwords

    – Outlook passwords

    – All passwords from "Protected storage" (stored by IE)

    – Dial-up passwords

    – Network passwords used to access the shares and .NET passwords

  7. svott says:

    Ilya,

    Check out how TweakUI automatically logs in a user on startup when you edit the Autologin settings.

    It modifies registry keys at

    HKLMSOFTWAREMicrosoftWindows NTCurrentVersionWinlogon

    to specify the username/domain/password.

  8. Pablo says:

    I remember when installing visual studio.net the setup program did something like this…

    the real question is HOW ?

  9. Miles Archer says:

    How about a "one time pass" where you ask for a special code that lets you bypass the password once? It’s only good for one login, and perhaps for a limited time. And, if you ask for another pass, it invalidates the previous one.

    This is a solution to a problem that I don’t have, so it’s just curiosity.

  10. RichB says:

    What’s wrong with a RebootIntoCurrentUser() function? Or am I thinking too laterally?

  11. ChrisB says:

    Ok, you want a user’s password?

    Stub GINA.

    When winlogon calls WlxLoggedOutSAS you call the original GINA’s WlxLoggedOutSAS function. You can use the PWLX_MPR_NOTIFY_INFO to get the password in clear text.

    Chris

  12. boxmonkey says:

    This is a slight diversion (how shocking!), but your mention of tricking users into typing their password reminded me of the following:

    If you leave Outlook 2000 running in the background and for whatever reason connectivity is lost and then restored, it pops up a dialog asking for your username, password and domain. The problem is that the dialog gives no indication of which application it’s tied to, so users don’t know who needs their password, or why.

    I always dismiss the dialog just in case, but if I wrote a program that looked similar and all it did was ask for a username and password, I bet I could steal the passwords of 90% of the people who work here.

  13. msemack says:

    Boxmonkey,

    You raise a good point.

    People always hold up OSX’s security model as the "proper way" to do a limited user account. You run as a normal user (not admin), and when an app needs admin privs (say during install), OSX displays a dialog, asking for the admin password.

    I always thought this model was a bit of a security placebo. It conditions people to enter their admin password whenever it’s asked for. Also, how hard would it be to craft my own dialog that looks like OSX’s?

  14. Anonymous Coward says:

    Also, how hard would it be to craft

    > my own dialog that looks like OSX’s?

    Lotus Notes used hieroglyphics in an attempt to prevent trojan logins (see http://www.encode-sec.com/pdf/esa0101.pdf).

    Re: possible reasons for not allowing an auto-reboot into a user: maybe it would be easier to write attacks for Windows if hackers didn’t have to worry about whether they required a reboot or not…

  15. Gene Hamilton says:

    msemack:

    Some installers on Windows do prompt for admin privs when running as a limited user. (VS.NET for one does.) Unfortunately many installers do not.

  16. vamitra says:

    RebootIntoCurrentUser: Also poses a problem where lets say for instance, you know a particular user shuts down their computer before they leave the office, you just have to execute that function before the machine shuts down. Then you can later start up the machine with different their credentials, and possibly access encrypted files etc on their account.

    There are too many scenarios like this that would make a function like this a big hole.

  17. Sriram says:

    I see that Pablo has already got to the question I wanted to ask – VS.NET setup used to do something very similar to this a long time ago.

  18. foxyshadis says:

    Although, I wondered about the various reboots. Why couldn’t everything be installed at once, and then reboot once? Never figured it out.

    A lot of installers seem to require reboots every time it might be required, because of a conflict, an older OS requirement, or whatever. I’m willing to bet that even if Longhorn manages to achieve ‘no-reboot’ capability, setup programs will still ‘require’ it.

    Is it possible to get the kerberos ticket and recycle that for the next logon?

  19. Mat Hall says:

    "A lot of installers seem to require reboots every time it might be required…"

    99.9% of programs that install and then claim you need to restart to get it to work will, if you’re running XP, work fine without a restart. The only things that seem to be telling the truth are virtual device drivers — CD image drives, etc.

    I’m fairly sure than when XP was imminent some claim was made about it never needing rebooting due to installs, etc. It was with much surprise, then, that I discovered that one surefire way of needing a reboot is by running the network setup wizard; one of the options in there (I forget which) invariably requires a reboot to take effect. Service packs, too, require rebooting, although that’s pretty excusable — I guess some OSes can replace the kernel from under themselves, but it’s got to be tricky to pull off… (I wish the Windows Update "your machine needs to be rebooted" message had a "remind me never" option — I’m fed up with dismissing it several times before I’m ready. :)

  20. Scot Boyd says:

    Dear Windows Development Community,

    Never reboot my machine without my permission.

    Hugs and Kisses,

    Scot Boyd

  21. oldnewthing says:

    If you have a "one time pass" or "RebootIntoCurrentUser" you still have problems. One is security: Nobody expects a powered-off machine to be a security hole. And just because the pass can be used only once, you still gave away a pass. Would you give away a one-time key to your house? "But it can be used only once!"

    Second is security: In order for you to be authenticated against the domain controller, you have to present your password. But the local computer *doesn’t know your password* (it’s the domain controller that knows your password). In other words, the information isn’t even the local computer’s to give away if it wanted to.

  22. boxmonkey says:

    Scott: haha. Care to get a petition going on that? I’d sign it A THOUSAND TIMES.

  23. boxmonkey says:

    Oops. Scot. Sorry about that.

  24. Puckdropper says:

    Having Windows relogin on boot would be useful during maintainance or program reinstall, but the general rule of thumb I follow with newer systems is to keep the user around to enter the password. I’ve never had anyone complain when I’ve given up the keyboard so they can enter the password (but I’ve also worked on relatively few systems) and then continue with what I’m doing.

    My theory on why install programs constantly ask for reboots is installer writers found Windows ran better with their "new" software after a reboot so they asked for it even when it wasn’t needed.

  25. James Slater says:

    Windows Server 2003 (at least the Small Business Edition) asks for your password during setup so that it can reboot and log back in again.

    It even promises it won’t remember it and use it again. :-)

  26. Mike Dimmick says:

    msemack: That’s why Longhorn will have a Protected Admin feature. See http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnlong/html/leastprivlh.asp. I agree that it’s way too easy to spoof the admin password prompt. The Run As feature in Windows 2000 and higher suffers the same problem.

  27. Universalis says:

    It may well be that Windows XP has been designed not to require reboots but unfortunately very few people use Windows XP on its own: most of them run programs on it, and it’s the programs that cause the trouble!

    My users get constant problems when trying to install an updated build of my application. The app itself really truly isn’t running (we can check Task Manager and it isn’t) but the .EXE file is still being held open.

    When it happens to us, the sysinternals Handles utility reports that explorer.exe is the program that is holding the .EXE file open, so theoretically we could talk the user through "Ctrl+Alt+Del, terminate explorer.exe, install the app, restart explorer.exe"… except that occasionally the culprit is reported as winword.exe instead (the application in question has nothing to do with Word!)

    On the whole, it seems simpler and safer to shut down and restart rather than mess around with Task Manager… but it’s a major irritation nonetheless.

    Possibly Norton Anti-Virus may be opening and failing to close the .EXE file, and committing its crime in the context of a perfectly innocent process; but that comes straight back to the basic point: however robust you make Windows, some people *are* going to ruin everything by using it to run programs.

  28. bt398 says:

    well, you *can* actually get the user’s password in old versions of Windows:

    http://www.securityfocus.com/archive/1/10924

    http://www.microsoft.com/technet/security/bulletin/MS99-052.asp

  29. William Stacey says:

    They also forget Windows does not know the password. It knows the hash. And you need to know the clear password to gen the same hash. Naturally, it do a dictionary attack on itself, but not a solution. Maybe a one time pw as others said.

  30. Norman Diamond says:

    Wednesday, May 04, 2005 4:02 PM by Mat Hall

    > It was with much surprise, then, that I

    > discovered that one surefire way of needing

    > a reboot is by running the network setup

    > wizard; one of the options in there (I

    > forget which) invariably requires a reboot

    > to take effect.

    If your primary IP address is a fixed address then changing the address sometimes requires a reboot. (Why sometimes and why not other times, maybe to be compatible with both Windows 95 and NT?)

  31. Because you’re not logged on.

Comments are closed.