Hi,
I've often found this behaviour during security assessments for corporate
clients.
It should indeed be considered a vulnerability, especially in enterprise
scenarios where for instance it can be leveraged by a regular notebook
user to escalate privileges and be able to access all other corporate
users' notebooks (including their bosses';).
Cheers,
MI
On Thu, 11 Jul 2013, Dnegel X. wrote:
1. I didn't find an explanation about this behavior that deals with
installation password, although this LSA Secret is well known to
contain passwords, mainly from Windows XP era. Could you provide a
link?
It also hasn't been fixed in Windows 8 released this year.
2. You could e.g. retrieve a password from one vulnerable machine
(where physical access or admin shell is possible) and use it against
more secure ones sharing same admin password, typically when a Windows
image is replicated over a network to multiple machines.
Anyhow, having a cleartext password residue somewhere without
documentation looks like a sad bug to me.
Xavier
On Thu, Jul 11, 2013 at 7:35 PM, Rob <synja@xxxxxxxxxxxxxxxxx> wrote:
Two things:
1. This was made public sometime in 2012 or earlier IIRC.
2. Exploiting this requires the same permission levels that would be
required to change or access the password anyway. Where's the realistic
security threat?
Rob
--
------------------------------------------------------------------
Marco Ivaldi OPSA, OPST, OWSE, QSA, ASV
Senior Security Advisor
@ Mediaservice.net Srl Tel: +39-011-32.72.100
Via Santorelli, 15 Fax: +39-011-32.46.497
10095 Grugliasco (TO) - ITALY http://www.mediaservice.net/
------------------------------------------------------------------
PGP Key - https://keys.mediaservice.net/m_ivaldi.asc