Re: Undoing Novell's GINA (and my last post)

From: Nick Staff (nstaff@ANGELSIN.COM)
Date: 10/19/02
Date:         Sat, 19 Oct 2002 00:20:40 -0700
From: Nick Staff <nstaff@ANGELSIN.COM>
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM

I don't know what I thought I did, but I was wrong about this being
fixed by Microsoft's GINA; it's present in Windows 2000 and the latest
build of .net Enterprise Server.

Thanks,

Nick Staff

-----Original Message-----
From: Nick Staff
Sent: Sunday, October 13, 2002 9:29 PM
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
Subject: Undoing Novell's GINA

After installing Novell's client for Windows 2000/NT 4.0 v4.82, the UNDO
feature (Ctrl+Z) becomes enabled in the password field of the login
prompt. This means that if a user types in their password and then
deletes it because they decide not to log on, it can be undeleted by
pressing Ctrl+Z.

This is only the case when using the Novell-supplied GINA and is fixed
by reverting to Microsoft's.

Steps to reproduce:
- Install Novell's client on Windows 2000 and reboot
- If prompted, at the logon screen press Ctrl+Alt+Del
- Type something in the password field and then delete it (use
backspace, the delete key, highlight and delete, any way you'd like)
- Hold down the Ctrl key and press Z once
- Password comes back

Yeah, nobody may ever exploit this, I agree, but it's a dumb
vulnerability to have because it's not serving any purpose except to
make security weaker.

Thanks,

Nick