Weird WinME Login Bug

From: Blyke (blyke@webmasterclub.de)
Date: 08/01/02


From: Blyke <blyke@webmasterclub.de>
To: vuln-dev@securityfocus.com
Date: Thu, 1 Aug 2002 22:47:19 +0200

Hi there,
I just found a bug in WindowsME. Please check, if it works with you, too, or
if it's just a local problem with my setup. I'm sorry, if someone already sent
this bug to the mailinglist, but I couldn't find such a thread.

 Regards,

     blyke

 Risk: Little?
 Weirdness factor: High

 This bug enables you to login to someone else's profile, without knowing
 that persons password. This is no real security risk, as you can access
 anyones files, anyway.

 How it works:
 Your WinME box must be configured, so it starts with the Microsoft Network
 login. After one failed login try, the normal login screen appears.
 (Thats the default setup, when using the Microsoft Network Login).

 1. Start your computer
 2. When the login appears, enter the users ID and some other password
 3. Now login with your own combination
 => The desktop you will see, is not yours, but the desktop of the first
 username you entered.

 Explanation:
 I can't really explain this phenomena, but the most likely explanation is,
 that the login functions of windows save the username of the first login
 attempt in one variable, and then just check, if the combination "username"
 and "password" are right, but don't check, if the new username entered is
 the same as the one entered in the family login. If the combination works,
 the profile, that is started, though, is the one of the username, saved
 before.
 Please inform me, if you find out anything else about that bug, or if some
 of the things, I mentioned here, prove to be wrong.