Re: Default Screen Saver Vulnerability in Microsoft Windows



On 2006-05-21 susam.pal@xxxxxxxxx wrote:
> -- Advisory Name --
> Default Screen Saver Vulnerability in Microsoft Windows
> [...]
> [HKEY_USERS\.DEFAULT\Control Panel\Desktop]
> "ScreenSaverIsSecure"="0"
> "ScreenSaveTimeOut"="600"
> "ScreenSaveActive"="1"
> "SCRNSAVE.EXE"="logon.scr"
>
> It can be seen that the default time-out value is 600 seconds or 10
> minutes.
>
> An attacker can replace the default screen saver (logon.scr) with the
> command prompt (cmd.exe) and reduce the time-out period in a system by
> using a trojan or some other means.

To be able to write to this registry key or to %SystemRoot%\system32,
administrative or system privileges are required. Why do you believe
this to be a vulnerability?

> -- Prevention --
> [...]
> Deny everyone all permissions on the registry key, "My Computer\
> HKEY_USERS\.DEFAULT\Control Panel\Desktop". This will prevent any
> malicious program, script or software from modifying the default
> screen saver settings.

No. Administrative and system privileges include the ability to take
ownership and change the permissions back. You just can't protect a
system from its admin.

Regards
Ansgar Wiechers
--
"All vulnerabilities deserve a public fear period prior to patches
becoming available."
--Jason Coombs on Bugtraq
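
Added example, not part of the original message or the advisory: because permissions on the key do not bind an administrator, a check for drift from the quoted defaults is shown here instead. It parses `reg export` text for the key and compares it to the values quoted in the advisory; the function names and both sample exports are constructed for illustration.

```python
import re

KEY = r"HKEY_USERS\.DEFAULT\Control Panel\Desktop"
BASELINE = {  # default values quoted in the advisory above
    "ScreenSaverIsSecure": "0",
    "ScreenSaveTimeOut": "600",
    "ScreenSaveActive": "1",
    "SCRNSAVE.EXE": "logon.scr",
}
# "name"="string" lines; .reg escapes backslash and quote with a backslash.
VALUE_RE = re.compile(r'"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"')

def parse_reg(text):
    """Parse .reg export text into {key_path: {value_name: string_value}}."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1], {})
        elif current is not None and (m := VALUE_RE.fullmatch(line)):
            name, value = (re.sub(r"\\(.)", r"\1", s) for s in m.groups())
            current[name] = value
    return keys

def audit(text):
    """Return (value_name, expected, found) for each deviation from BASELINE."""
    keys = {k.lower(): v for k, v in parse_reg(text).items()}
    values = {n.lower(): v for n, v in keys.get(KEY.lower(), {}).items()}
    findings = []
    for name, expected in BASELINE.items():
        found = values.get(name.lower())  # None: value or whole key missing
        if found is None or found.lower() != expected.lower():
            findings.append((name, expected, found))
    return findings

# Constructed sample exports: the defaults, and the change the advisory describes.
SAMPLE_DEFAULT = r'''Windows Registry Editor Version 5.00

[HKEY_USERS\.DEFAULT\Control Panel\Desktop]
"ScreenSaverIsSecure"="0"
"ScreenSaveTimeOut"="600"
"ScreenSaveActive"="1"
"SCRNSAVE.EXE"="logon.scr"
'''
SAMPLE_CHANGED = SAMPLE_DEFAULT.replace('"600"', '"10"').replace("logon.scr", "cmd.exe")

if __name__ == "__main__":
    for name, expected, found in audit(SAMPLE_CHANGED):
        print(f"DRIFT {name}: expected {expected!r}, found {found!r}")
```

A real `reg export` file is UTF-16 encoded, so decode it before passing the text to `audit`.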