Re: Undoing Novell's GINA (and my last post)

From: Nick Staff (nstaff@ANGELSIN.COM)
Date: 10/19/02


Date:         Sat, 19 Oct 2002 00:20:40 -0700
From: Nick Staff <nstaff@ANGELSIN.COM>
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM

I don't know what I thought I did, but I was wrong about this being
fixed by Microsoft's GINA; it's present in Windows 2000 and the latest
build of .NET Enterprise Server.

Thanks,

Nick Staff

-----Original Message-----
From: Nick Staff
Sent: Sunday, October 13, 2002 9:29 PM
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
Subject: Undoing Novell's GINA

After installing Novell's client for Windows 2000/NT 4.0 v4.82 the UNDO
feature (Ctrl+Z) becomes enabled in the password field of the login
prompt. This means that if a user types in their password and then
deletes it because they decide not to log on it can be undeleted by
pressing Ctrl+Z.

This is only the case when using the Novell supplied GINA and is fixed
by reverting back to Microsoft's.

Below are the steps to reproduce:

Steps to reproduce:
- Install Novell's client on Windows 2000 and reboot
- If prompted, at the logon screen press Ctrl+Alt+Del
- Type something in the password field and then delete it (use
backspace, the delete key, highlight and delete, any way you'd like)
- Hold down the Ctrl key and press Z once
- Password comes back

Yeah nobody may ever exploit this, I agree, but it's a dumb
vulnerability to have because it's not serving any purpose except to
make security weaker.

Thanks,

Nick


