Author Topic: I think I just discovered a security flaw in windows xp
AcidWarp
Sarge
Member # 997

posted 10-09-2004 06:37 PM
Big surprise right? Heh, well, I don't know if this has been documented or not, I don't remember hearing about it and I try to stay on top of these things. I was working on a customer's machine and the user accounts are password protected. I logged on to the first account and it didn't ask for the password, instead it started to log in, then flashed a warning saying the password is about to expire, would I like to change it. I said no, because I don't feel like changing customer passwords, and it logged me right in. Now, I KNOW the account is password protected, this seems like a rather serious glitch. I'll have to investigate it further I think.

--------------------

“I have noticed even people who claim everything is predestined, and that we can do nothing to change it, look before they cross the road.”

“Intelligence is the ability to adapt to change.”

--Dr. Stephen Hawking.


Posts: 4363 | From: Waterloo, Ontario | Registered: Nov 1999  |  IP: Logged
dAm
Sarge
Member # 2600

posted 10-09-2004 08:53 PM
Any chance they were using TweakUI to auto-login on that account and never bothered disabling the password expiration thing in Windows for that account? Just a thought.

--------------------

Shut-up and fish


Posts: 577 | From: Calgary | Registered: Nov 2001  |  IP: Logged
AcidWarp
Sarge
Member # 997

posted 10-10-2004 02:59 PM
Not a chance in hell.

This was from the welcome screen.

[ 10-10-2004: Message edited by: AcidWarp ]


Posts: 4363 | From: Waterloo, Ontario | Registered: Nov 1999  |  IP: Logged
Snag
Sarge
Member # 992

posted 10-11-2004 01:01 AM
Can you reproduce it? That is the key question. Fire up MMC, change the password expiration, reboot...but bump the date in the BIOS. If you cannot reproduce it, you did not discover anything as there are more underlying conditions that caused it.
Posts: 2606 | From: Canada | Registered: Nov 1999  |  IP: Logged
AcidWarp
Sarge
Member # 997

posted 10-11-2004 02:28 AM
I haven't tried at home here, on my personal machine. I was going to try at work on Tuesday.


Posts: 4363 | From: Waterloo, Ontario | Registered: Nov 1999  |  IP: Logged
AcidWarp
Sarge
Member # 997

posted 10-11-2004 02:48 AM
Okay, just tried it here, and it is completely reproducible. It was a cinch. I ALSO found a way to change a password for an account, without knowing the old one, but that might have been a fluke.

I was also able to reproduce the issue from the NT login box.

Basically, it will NOT ask you for a password, it will give a warning box saying: "your password will expire in X number of days would you like to change it now" with 'yes' or 'no' options. If you click no, it just logs you in. I know that it didn't save the password, because when I tried the NT logon box, I didn't enter one, I just left that line blank.

I also discovered that you can force change a password, without knowing the old one. If you click 'yes' and it brings up the password change screen, if you mismatch the passwords, it'll give you an error, and blank out both the new, and old password boxes, the old password box only shows dots anyway, so that doesn't matter. But if you then enter a password in the old password box, it changes the password to a blank one.


Posts: 4363 | From: Waterloo, Ontario | Registered: Nov 1999  |  IP: Logged
Flux
Sarge
Member # 3052

posted 10-11-2004 12:34 PM
quote:
Originally posted by AcidWarp:
...the old password box only shows dots anyway, so that doesn't matter.

LOL! Dude, it enters the old password for you. Besides, it won't ask you to change it until after you log in.

Check security options. I doubt you've found anything wrong. I'm sure if it was this easy to change passwords, someone would've said something by now.


Posts: 794 | From: | Registered: Jan 2004  |  IP: Logged
AcidWarp
Sarge
Member # 997

posted 10-11-2004 01:32 PM
You never know.

quote:
Originally posted by ME: ... if you mismatch the passwords, it'll give you an error, and blank out both the new, and old password boxes. . .

Flux, read son, READ.

Like I said, the password thing might have been a fluke. The old password box showing dots was blanked out by windows, AFTER it gave me an error. And I'm pretty sure that I entered the wrong password for the old password, after the error.

[ 10-11-2004: Message edited by: AcidWarp ]


Posts: 4363 | From: Waterloo, Ontario | Registered: Nov 1999  |  IP: Logged

All times are ET (US)  
