RAS 'save password' problems...

Aleph One (aleph1@DFW.NET)
Fri, 20 Mar 1998 11:19:26 -0600

---------- Forwarded message ----------
Date: Thu, 19 Mar 1998 14:09:44 -0800
From: martin Dolphin <mdolphin@POBOX.COM>
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
Subject: RAS 'save password' problems...

THE PROBLEM:
Windows NT allows users to save their RAS credentials by using the 'Save
Password' checkbox when making a dial-up connection. Credentials saved in
this manner are stored in the
HKEY_LOCAL_MACHINE\SECURITY\Policy\Secrets\RasCredentials!SID#0 registry
key. These credentials can be enumerated using the LSA secrets code (as
identified by Paul Ashton in a prior submission to NTBugtraq).

If a user does not check the 'save password' checkbox to prevent the
password from being stored, RAS will STILL save the successful connection
information, including the password, in the
HKEY_LOCAL_MACHINE\SECURITY\Policy\Secrets\RasDialParams!SID#0 registry
key. This can be enumerated using the LSA secrets code.

NOTE: Administrator privileges are needed to execute the LSA secrets code.

OUR REASONING FOR THIS BEHAVIOR:
We think that this behavior exists so that Windows NT can automatically
re-establish a dial-up session that has been unexpectedly terminated. In
order to "re-dial", Windows NT needs to maintain the RAS credentials for
automatic re-authentication.

We believe that Windows NT uses the RasDialParams key to maintain the RAS
credentials for just this purpose (instead of maintaining them in temporary
protected memory). Unfortunately, the credentials are not cleared from this
key after the session is properly terminated.

IMPACT:
The following scenarios are some potential areas where we think this
behavior could give access to username and password information that
couldn't be gained from the NT SAM.

1) A user may have a dial-up ISP account with an account name and password
that is separate from their local\domain NT account.

2) Users may have RAS/PPTP access to domains other than the domain that the
user is a member of, also not stored in the SAM. (Vendor connections,
non-trusted domains, etc)

3) If an Administrator attempting to troubleshoot or set up a user's
workstation needs to dial in from the workstation and doesn't click the
'save password' box, then he/she should be able to assume that his/her
password will not be saved on that user's workstation.

4) Windows NT 'public access' machines, such as the machines available at
training classes, airports, etc.

WORKAROUND:
There does not appear to be any method to prevent this behavior from
occurring.

REPRODUCTION:
Reproduced on three Windows NT 4.0 workstations, and one Windows NT 4.0
Server.

Log on as a user, identify the SID of the user using getsid or any other
means. Use the LSA secrets code to dump the RasDialParams and
RasCredentials for the user. Create a new dial-up networking connection.
DO NOT save the password. After successfully connecting to the remote end,
re-dump the RasDialParams and RasCredentials entries. The new successful
connection password will be saved in the RasDialParams value even though
you didn't check the 'save password' box.

Microsoft was notified of this one week ago.

Lisa O'Connor
Martin Dolphin
Joe Greene
Eric Schultze