Page 2 of 3 FirstFirst 123 LastLast
Results 11 to 20 of 25

Thread: Windows logon.scr hack

  1. #11
    Fastest Thing Alive s0nIc's Avatar
    Join Date
    Sep 2001
    Location
    Sydney
    Posts
    1,584
    oh.. is dis Win2000 Pro??

  2. #12
    Junior Member
    Join Date
    Nov 2001
    Posts
    27
    sonic: windows 2000 any version is the new NT distro. meaning its Windows NT 5.0. a basic system information request will tell you that.
    all work and no play makes bios a dull boy

  3. #13
    Junior Member
    Join Date
    Jan 2002
    Posts
    11
    sonic: yes I'm referring to Win2K pro but supposedly this same hack works on NT 4 though I have yet to try it.
    Humans are the weakest link in the computer security chain...

  4. #14
    hmm.. well don't know much about the debate going on here. I'm going to try out this hack
    tommorow. Somtimes if you can visualize a problem you can find a better solution.

    Nice vulnerability though

  5. #15
    Senior Member
    Join Date
    Aug 2001
    Posts
    356
    Originally posted here by bios
    sonic: windows 2000 any version is the new NT distro. meaning its Windows NT 5.0. a basic system information request will tell you that.
    yes it is basically NT 5.0 in that it is the system built for a networked enviroment, but it is signifantly different from the previous NT systems in how it deals with security.
    -8-

    There are 10 types of people in this world: those who understand binary, and those who dont.

  6. #16
    so... the best thing to do here - except converting to ntfs - is to rename your cmd.exe and copy an empty file (or some other harmless prog.) to cmd.exe
    (it would be funny to create some small prog. that tells the hacker he's been logged... )

    If a hacker attemps this hack this would at least have 'm wondering why it doesn''t work ..
    It's very easy to solve though..

    M$ should have created a way to disable the logon.scr ...
    who knows?

  7. #17
    even tho ntfs reduces the risk of this happening would there be ne way to get around it to implement this????

  8. #18
    Just Another Geek
    Join Date
    Jul 2002
    Location
    Rotterdam, Netherlands
    Posts
    3,401
    cmd.exe is not the only executable that works with this trick. You can basicly use any executable. On NT4 you can use musrmgr.exe, on win2k it should work with msc.exe.

    And what about putting in an executable I made myself? This exe could create a new local account and give it admin rights. Should be really easy to program. For some added stealth you could run the renamed logon.scr so noone will notice

    The ONLY way to prevent hacks like this is to switch to ntfs and put some solid ACLs on %windir% and everything underneath.
    Oliver's Law:
    Experience is something you don't get until just after you need it.

  9. #19
    Senior Member
    Join Date
    Jan 2002
    Posts
    1,207
    It's worth noting that:

    1. This attack does not work if the permissions on the NTFS filesystem and the registry are correctly setup, as they will be if you do a fresh install of NT4 (+win2k, winxp pro etc)
    2. An alternate method of performing this attack is to modify a key in the registry to change the logon screensaver to something else. Renaming cmd.exe is lame. Many things rely on cmd.exe being called that and hence will not work (probably including much of Microsoft's own stuff)
    3. Anyone with console access who can boot off a floppy can easily bypass the permissions on the registry and do this hack.
    4. That isn't really a problem, because with console access they can do anything anyway

    Don't rename cmd.exe or you will have real problems.

  10. #20
    Senior Member Maestr0's Avatar
    Join Date
    May 2003
    Posts
    604
    FAT is an unsecured FS bottom line. You could use registry keys to deny acces to the control panel->display after turning off the screen saver,but some one with physical access could just as easily use a boot floppy to copy the .sam as replace the screen saver. Just comes down to risk management. Tell your boss to quit being a weenie and use NTFS (at least for the System drive). Depending on the security required I would personally delete all dangerous binaries such as cmd.exe tftp.exe net.exe finger.exe ,etc,etc. or move them to a seperate location and allow ONLY the admins execute rights. (System cannot take ownership so buffer overflow attacks will be much harder to achieve) Although I have not had problems with removing these files you may find Win2000 likes to put them back for you, this is because copies are stored in dllcache by Windows File Protection which can be disabled here:

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\
    CurrentVersion\Winlogon

    You must set (or create) the SFCDisable to REG_DWORD 'ffffff9d'

    good luck!


    -Maestr0
    \"If computers are to become smart enough to design their own successors, initiating a process that will lead to God-like omniscience after a number of ever swifter passages from one generation of computers to the next, someone is going to have to write the software that gets the process going, and humans have given absolutely no evidence of being able to write such software.\" -Jaron Lanier

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •