COMMAND
GINA
SYSTEMS AFFECTED
Win NT 3.x, 4.0
PROBLEM
David Reed found the following. Apparently the Windows NT logon
dialog, including the "Unlock Workstation" dialog, contains two
OLE container/object fields: the username field and the
password field. Both fields respond to the standard CTRL+X,
CTRL+C, CTRL+V shortcut keys, at the console and via remote
control (tested SMS with key-pass-thru on, but assuming timbuk and
others work as well). Anyone can lock an NT4 SP4 computer and
otherwise believe it to be reasonably secure, and some users even
set their screensavers to password protected (wow!), on the
assumption that it is completely secure. However, at least part of
nearly ANY clipboard contents is potentially available to someone
with physical access to the box...
While not a huge security hole (physical security is almost
everything!), it is "worrisome". Initial testing shows that most
types of OLE objects (obviously) aren't available, so the nudie
pics the boss was cut-n-pasting won't show up this way, but text
or objects immediately convertible to text (RTF, HTML, etc.) are,
such as sensitive passwords, review details, salary data, etc., up
to the first carriage return. Exploit is quite simple:
1. At any locked NT4 console (or via remote control) give the
three-fingered salute.
2. Either SHIFT+TAB to highlight the username or use the mouse.
3. CTRL+V to paste the contents of the clipboard over the
username.
This makes the contents of the clipboard visible, up to the first
CRLF. In the worst case you have your password or the administrator's
on the clipboard for some stupid reason and a wily cracker pastes
it into the password field and gains access to your desktop...
SOLUTION
Windows NT 4.0
--------------
A supported fix that corrects this problem is now available from
Microsoft, but has not been fully regression tested and should be
applied only to systems determined to be at risk of attack. If
your system is sufficiently at risk, Microsoft recommends you
apply this fix. Otherwise, wait for the next Windows NT 4.0 or
Windows NT Server 4.0, Terminal Server Edition service pack that
contains this fix. To resolve this problem immediately, contact
Microsoft Product Support Services to obtain the fix. For a
complete list of Microsoft Product Support Services phone numbers
and information on support costs, please go to the following
address on the World Wide Web:
http://support.microsoft.com/support/supportnet/default.asp
The version of this fix should have the following file attributes
or later:
Date      Time    Size     File Name   Platform
-------------------------------------------------------------
01/18/99  07:06p  124,176  Msgina.dll  (x86)
01/18/99  07:08a  160,528  Msgina.dll  (Alpha)
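One way to audit hosts against the file attributes above, as an added
example that is not part of the original advisory: it parses collected
"dir" listings of the System32 folder and reports whether Msgina.dll is
at or later than the fixed version. The function names, the two-digit
year pivot and the sample listings are assumptions made for this example.

```python
import re
from datetime import datetime

# Minimum fixed Msgina.dll timestamps, from the advisory's file-attribute table.
FIXED = {"x86": datetime(1999, 1, 18, 19, 6), "alpha": datetime(1999, 1, 18, 7, 8)}

# One NT 4.0 `dir` line: MM/DD/YY  HH:MM[a|p]  size-with-commas  name
DIR_LINE = re.compile(
    r"(\d{2})/(\d{2})/(\d{2})\s+(\d{1,2}):(\d{2})([ap])\s+([\d,]+)\s+(\S+)", re.I)

def parse_dir_line(line):
    """Return (name, timestamp, size) for a file line, or None for other lines."""
    m = DIR_LINE.search(line)
    if not m:
        return None
    mon, day, yy, hh, mm, ap, size, name = m.groups()
    # Two-digit year: assumed pivot of 80 (80-99 -> 19xx, 00-79 -> 20xx).
    year = (1900 if int(yy) >= 80 else 2000) + int(yy)
    # 12-hour clock: 12:xxa is hour 0, 12:xxp is hour 12.
    hour = int(hh) % 12 + (12 if ap.lower() == "p" else 0)
    stamp = datetime(year, int(mon), int(day), hour, int(mm))
    return name, stamp, int(size.replace(",", ""))

def msgina_status(listing, platform):
    """Classify a host's listing as 'fixed', 'vulnerable' or 'not found'."""
    for line in listing.splitlines():
        parsed = parse_dir_line(line)
        if parsed and parsed[0].lower() == "msgina.dll":
            # `dir` shows local time, so confirm results that land within a
            # day of the boundary; timestamps are also only weak evidence.
            return "fixed" if parsed[1] >= FIXED[platform] else "vulnerable"
    return "not found"

# Constructed sample listings (the second date and size are made up).
PATCHED = "01/18/99  07:06p               124,176 MSGINA.DLL"
UNPATCHED = "10/14/98  12:00a               120,000 msgina.dll"

if __name__ == "__main__":
    print(msgina_status(PATCHED, "x86"), msgina_status(UNPATCHED, "x86"))
```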
Windows NT 4.0 with Service Pack 4:
-----------------------------------
This hotfix has been posted to the following Internet location:
ftp://ftp.microsoft.com/bussys/winnt/winnt-public/fixes/usa/NT40/hotfixes-postSP4/Gina-fix/
Windows NT 4.0 with Service Pack 3:
-----------------------------------
This hotfix has been posted to the following Internet location:
ftp://ftp.microsoft.com/bussys/winnt/winnt-public/fixes/usa/NT40/hotfixes-postSP3/Gina-fix/
WARNING: If you install the SP3 version of this hotfix you may
invalidate other Post-SP3 hotfixes that also include the
replacement of Msgina.dll in the %Windows%\System32 folder. To
eliminate the vulnerabilities identified in this fix and other
Post-SP3 fixes, please install Service Pack 4 and then apply the
Post-SP4 version of this hotfix.
Windows NT Server 4.0, Terminal Server Edition
----------------------------------------------
This hotfix has been posted to the following Internet location:
ftp://ftp.microsoft.com/bussys/winnt/winnt-public/fixes/usa/NT40TSE/hotfixes-postSP3/Gina-fix/
NOTE: If this product was already installed on your computer when
you purchased it from the Original Equipment Manufacturer (OEM)
and you need this fix, please call the Pay Per Incident number.
Windows NT 3.51
---------------
A hotfix is not available for Windows NT 3.51.