DSR - DTORS SECURITY RESEARCH

  By: mercy
  Date: 30/06/2003
  Advisory for: First Security Agent.
          First Screen Lock Package.
  (http://www.softheap.com/)


About the Product:

"1st Security Agent is an excellent password-protected security utility to 
secure Windows-based computers. It works under any Windows platform and offers 
an administrative support for controlling which users are allowed to access your 
computer and the level of access each user may have."

Description of Vulnerability:

1st Security Agent stores its password settings by default under the Registry Key:
HKEY_LOCAL_MACHINE\SOFTWARE\SaSkda

It stores two vulnerable settings by default:

LockPwd - stores the passwords in plaintext (Un-encrypted) and writeable.
LockPwdEnabled - stores the value writeable (Modifiable) by all users.

With these two Settings, a user can either:

a.) Read the password set by a user, potentially leading to further compromise of
    the system if the password is used more than once.
b.) Change the password to restrict other users from their machines.
c.) Disable Screen Lock.


Example:

Setup screen lock, enter a default password and open up the Registry keys folder.
You will see your specified password in plaintext in the LockPwd key.
Right click on LockPwd and select modify, change the value from the password you
specified and try unlocking your screen. The new password is the effective one.

Right Click LockPwdEnabled and change the Value Data to 0, run the screen lock and
you will not need a password to continue.

Fix:

Until the vendor releases a patch for these vulnerabilities, you should modify user
access privileges, disabling registry editing, and change the world writeable 
specifications to something such as Admin.
Isolate your default password, meaning use something that you don’t use for other 
applications, this will prevent further privilege escalation.

Contact:

mercy@dtors.net
http://mercy.dtors.net
http://www.dtors.net
irc://irc.dtors.net #dtors