Re: Undoing Novell's GINA (and my last post)
From: Nick Staff (nstaff@ANGELSIN.COM)
Date: Sat, 19 Oct 2002 00:20:40 -0700
From: Nick Staff <nstaff@ANGELSIN.COM>
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
I don't know what I thought I did, but I was wrong about this being
fixed by Microsoft's GINA; it's present in Windows 2000 and the latest
build of .net Enterprise Server.
From: Nick Staff
Sent: Sunday, October 13, 2002 9:29 PM
Subject: Undoing Novell's GINA
After installing Novell's client for Windows 2000/NT 4.0 v4.82 the UNDO
feature (Ctrl+Z) becomes enabled in the password field of the login
prompt. This means that if a user types in their password and then
deletes it because they decide not to log on it can be undeleted by
This is only the case when using the Novell supplied GINA and is fixed
by reverting back to Microsoft's.
Below are the steps to reproduce:
Steps to reproduce:
- Install Novell's client on Windows 2000 and reboot
- If prompted, at the logon screen press Ctrl+Alt+Del
- Type something in the password field and then delete it (use
backspace, the delete key, highlight and delete, any way you'd like)
- Hold down the Ctrl key and press Z once
- Password comes back
Yeah, nobody may ever exploit this, I agree, but it's a dumb
vulnerability to have because it's not serving any purpose except to
make security weaker.