Everhart, Glenn

From: Christopher L Buono [cbuono@ALBANY.NET]
Sent: Monday, March 23, 1998 11:03 AM
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
Subject: NT Screen Saver Password Protect Bug

I don't know if this bug has already been identified. Because it still exists in NT 4.0 SP3 I'll assume it hasn't.

On NT 3.51 SP4, SP5, and NT 4.0 SP3 Server and Workstation (and I assume all versions in between) screen saver password protection can be disabled simply by renaming the .scr file that is in use by the logged on user.

For reproduction purposes this is what I did:

1) Logon to a network connected NT workstation or server and set the screen saver for 3D Text (or any valid PW protectable screen saver) w/ password protection enabled and w/ a timeout value of one minute or greater.
2) Allow screen saver to activate.
3) Logon to another network connected machine and map a drive to the machine referenced in step #1 (C$ or ADMIN$).
4) Within the mapped drive rename %systemroot%\system32\sstext3d.scr to *.scx.
5) Deactivate the screen saver on the first machine by moving the mouse.
6) Wait for the screen saver timeout period to elapse.
7) Press Ctrl-Alt-Del and select Cancel from the Windows NT Security window.
8) You're in!

I reproduced this outcome on various machines, with various screen savers, and with various :~) NT versions.

This is one of those situations where if you already have administrative privileges enough to connect to C$ or ADMIN$ then who cares if you can remove somebody's password protection. I thought of at least one situation where this could be abused.

"I am a Domain Admin for a master domain. I travel to a remote site with a resource domain that trusts the master domain. I logon to an NT workstation to do some work. Lunch time comes around and I verify that my screen saver has activated and is locked with password protection enabled. I leave the workstation. The local LAN Administrator, who is an Administrator for the resource domain, maps a drive to the workstation I am logged onto and performs the above procedure. The person is now able to abuse all of my privileges as if s/he were me."

Microsoft has been copied on this.

Christopher Buono, CNE, MCSE: cbuono@albany.net
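The failure mode in the post is that the lock silently stops engaging once the configured .scr file is gone, and nothing on the console tells the logged-on user. The script below is an added defender-side audit, not part of the original message or of any Microsoft tooling: it reads the per-user values that NT keeps under HKCU\Control Panel\Desktop (SCRNSAVE.EXE, ScreenSaveActive, ScreenSaverIsSecure, ScreenSaveTimeOut) and reports when the screen saver is off, not password protected, or points at a binary that no longer exists on disk. The sample registry values and the sstext3d.scr path are constructed for the offline demonstration; the winreg reader only runs on Windows. The value names are the standard ones for these settings; treating them as the complete set of lock-relevant values is an assumption.

```python
"""Audit a user's screen-saver lock configuration.

Added example, not code from the NTBugtraq post. It flags the condition the
post describes (configured .scr missing, so the lock never engages) plus the
two weaker states that are easy to overlook (screen saver off, or on but not
password protected).
"""
import os
import sys

# Per-user registry location for screen saver settings (assumed complete set).
DESKTOP_KEY = r"Control Panel\Desktop"
WATCHED_VALUES = ("SCRNSAVE.EXE", "ScreenSaveActive",
                  "ScreenSaverIsSecure", "ScreenSaveTimeOut")


def audit_screensaver(values, path_exists=os.path.exists):
    """Return a list of human-readable findings for one user's settings.

    values:      mapping of registry value name -> string, as stored under
                 HKCU\\Control Panel\\Desktop.
    path_exists: predicate used to test the configured .scr path; injectable
                 so the check can run offline against constructed data.
    An empty list means the lock is configured and its binary is present.
    """
    findings = []

    if values.get("ScreenSaveActive", "0") != "1":
        findings.append("screen saver disabled: console will not lock on idle")

    if values.get("ScreenSaverIsSecure", "0") != "1":
        findings.append("screen saver is not password protected")

    scr = values.get("SCRNSAVE.EXE", "")
    if not scr:
        findings.append("no screen saver binary configured (SCRNSAVE.EXE empty)")
    else:
        # On Windows this expands %SystemRoot%; elsewhere the path is used as-is.
        expanded = os.path.expandvars(scr)
        if not path_exists(expanded):
            findings.append(
                f"configured screen saver {expanded!r} is missing: "
                "the lock will not engage after the next timeout")

    timeout = values.get("ScreenSaveTimeOut", "")
    if not timeout.isdigit() or int(timeout) <= 0:
        findings.append(f"invalid screen saver timeout {timeout!r}")

    return findings


def read_current_user():
    """Read the watched values for the current user via winreg (Windows only)."""
    if sys.platform != "win32":
        raise RuntimeError("live registry read requires Windows")
    import winreg  # imported lazily so the module loads on other platforms
    values = {}
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, DESKTOP_KEY) as key:
        for name in WATCHED_VALUES:
            try:
                values[name] = str(winreg.QueryValueEx(key, name)[0])
            except FileNotFoundError:
                pass
    return values


# Constructed sample: a correctly locked NT 4.0 workstation using 3D Text.
SAMPLE_LOCKED = {
    "SCRNSAVE.EXE": r"C:\WINNT\system32\sstext3d.scr",
    "ScreenSaveActive": "1",
    "ScreenSaverIsSecure": "1",
    "ScreenSaveTimeOut": "60",
}


def demo():
    """Run the audit against the constructed sample before and after a rename."""
    present = audit_screensaver(SAMPLE_LOCKED, path_exists=lambda p: True)
    # Simulate the post's step 4: the .scr has been renamed to .scx.
    renamed = audit_screensaver(SAMPLE_LOCKED,
                                path_exists=lambda p: not p.lower().endswith(".scr"))
    return present, renamed


if __name__ == "__main__":
    before, after = demo()
    print("before rename:", before or "OK")
    print("after rename: ", after or "OK")
```

Run it periodically from a logon script or a scheduled job and treat any "missing" finding on a console that should be locked as an incident indicator; pairing it with object-access auditing on %SystemRoot%\system32\*.scr gives the rename event itself.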