Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
securityvulnsSecurityvulnsSECURITYVULNS:DOC:29550
HistoryJul 15, 2013 - 12:00 a.m.

Windows 7/8 admin account installation password stored in the clear in LSA Secrets

2013-07-1500:00:00
vulners.com
13
JSON

Bug title: Windows 7/8 admin account installation password stored in
the clear in LSA Secrets
Affected systems: Windows 7, 8 (related issue on XP)
Author: Xavier CC

Background:

"Windows LSA Secrets" are stored in an encrypted form in registry
along with the respective encryption keys at
HKEY_LOCAL_MACHINE\Security\Policy\Secrets which is not directly
accessible by an admin account. SYSTEM permissions are required to
browse this key, which can be achieved by installing any service,
dumping the registry hives by booting another OS on the machine, or by
getting any sort of quick admin access (unlocked computer).

Each secret contains a modification timestamp (Cupdtime), the current
encrypted value (CurrVal), a security policy saying which user can
access the secret (SecDesc), but it also stores the previous value of
the secret (OldVal) and its modification timestamp (OupdTime). By
using the standard Windows API, changing the value of a secret will
automatically keep the previous value as OldVal. [1]

When using autologin feature, the password for the autologged account
is stored as the current value of DefaultPassword secret for Windows
to use it instead of asking the password to the user.

Bug description:

DefaultPassword secret also stores the admin account password provided
during Windows 7/8 installation.
During the first boot, the DefaultPassword current value contains the
user password. After a reboot, the current value is overwritten with
an empty value but the mechanism behind the LSA Secrets keeps the
cached password as the old value which is still accessible until
someone changes the secret.

Because the user is not prompted for his/her password at first boot,
we believe the autologin feature is being used at that time and
disabled right after, making the password cached in the LSA Secrets.
Failure to properly erase the password used for autologin is believed
to be the cause of the problem.

Proof of concept:

  • Boot on a Windows 7/8 installation disk and proceed with installation
  • Provide a password for the created admin account on "Set a password
    for your account" screen
  • After being logged on to the desktop, reboot the computer
  • With admin privileges or by booting on another device, dump the
    SYSTEM and SECURITY hives
  • On any computer, launch ElcomSoft Proactive System Password
    Recovery, go to Advanced features > NT secrets, check Manual
    decryption, provide the dumped hives, check Show old secrets and press
    Manual decryption
  • Two values of DefaultPassword are shown: the current one which is
    empty, and the old one, which contains the password provided at
    installation in plaintext

Vulnerable/tested versions:

Checked on Windows XP SP3 x86, Windows Vista SP2 x86 Business, Windows
7 SP1 x64 Home Premium/Pro, Windows 8 x64 Pro (MSDNAA ISOs)
Affected products: Windows 7, 8

On Windows XP, the password provided at installation is not cached.
However, when an admin user changes his/her password when currently
logged with his/her account using User Accounts in Control Panel, the
changed password is cached as the current value of DefaultPassword.
The previous password is still stored as the OldVal of the secret.
Windows XP does not store the password when it is changed through net
user or control userpasswords2. Non-admin passwords are not cached
either. [2]

Windows Vista doesn't seem to be affected by installation password nor
password change plaintext caching. It is to be noted that a user needs
to enter his/her password even on the first boot.

On Windows 8, only local accounts are vulnerable while online
Microsoft accounts, created or already existing, are not subject to
this plaintext caching. In addition, at the first boot, it is possible
to see the DefaultPassword's OldVal which gets replaced at
installation. While it is empty on Windows 7, the value is "ROOT#123"
on Windows 8 (and Vista), which appears to be the default admin
password on some beta builds.

Real-world exploitation scenarios:

A malicious user who gets a quick access to a system with admin
privileges can retrieve an admin password in little time and later use
this password, if it has not been changed since installation, for
wider malicious purposes.

When using a company, school or public computer such as the ones
provided for a short period loan, a malicious user has all the liberty
to physically retrieve the needed registry files to get the admin
password of the local machine and can then compromise all similar
computers using the recovered password independently of its
complexity.

Vendor contact timeline:

2013-05-20: Bug found
2013-06-14: Contacted Microsoft Security Response Center
2013-06-14: Reply from Microsoft SRC:
"the behavior you are reporting is not something that we
consider a security vulnerability"
2013-07-11: Disclosure

Workarounds/Limitations:

  • Do not setup a password during installation, or change it right
    after (recoverable password becomes useless).
  • Store an empty value as DefaultPassword through
    LsaStorePrivateData() to flush the old value containing the password
    (requires admin privileges).
  • During the first boot after installation of Windows, store twice an
    empty value to flush completely.
  • Delete HKEY_LOCAL_MACHINE\Security\Policy\Secrets\DefaultPassword
    (requires SYSTEM privileges).
  • Network installation for Windows 7/8 (SCCM) do not seem to be
    affected by the issue.

References:

[1] http://www.passcape.com/index.php?section=docsys&cmd=details&id=23
[2] http://seclists.org/fulldisclosure/2006/May/119

JSON