Microwin admin password stored in plain text in unattend.xml #3064

Open
kinou74 opened this issue Nov 23, 2024 · 3 comments · May be fixed by #3066
Labels
bug Something isn't working

Comments

kinou74 commented Nov 23, 2024

Describe the bug

Hello
I've just tested microwin with a Win11 Ent LTSC image and found that the unattend.xml file at the root of the C drive contains (twice) my local admin password stored in plain text.

To Reproduce

Steps to reproduce the behavior:
1. Create an image with microwin and set an admin account.
2. Once Windows is installed from the new image, an "unattend.xml" file is left at the root of C: and this file contains the admin password in plain text.

Expected behavior

The unattend.xml file shouldn't contain a plain text password; it should contain a hashed version instead.

@kinou74 kinou74 added the bug Something isn't working label Nov 23, 2024
@CodingWonders
Contributor

@kinou74, from my experience with using the unattended answer file generation service that this project uses, you can only obscure the password with Base64 encoding:

Does this suffice for you?

Author

kinou74 commented Nov 24, 2024

Should be better than nothing I guess.
The most important thing is that we should be aware that the entered password is stored on the USB key in an unsecured way, should be a generic one just for ISO deployment purposes, and must be changed right after Windows installation.

@CodingWonders
Contributor

We've now got passwords obscured with Base64:

Expect this fix to arrive in main soon.

CodingWonders added a commit to CodingWonders/winutil that referenced this issue Nov 24, 2024
@CodingWonders CodingWonders linked a pull request Nov 24, 2024 that will close this issue
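
An added example, not part of the issue thread or the project's code: a Python audit of an answer file that reports how each password element is stored without printing the password. The sample XML is constructed and trimmed, the function names are hypothetical, and the check assumes the Windows answer-file convention that a non-plaintext `Value` is Base64 of the UTF-16LE password with the element name appended.

```python
import base64
import xml.etree.ElementTree as ET

PASSWORD_TAGS = {"Password", "AdministratorPassword"}

def local(tag):
    """Strip the '{namespace}' prefix ElementTree puts on tag names."""
    return tag.rsplit("}", 1)[-1]

def classify(tag, value, plain_flag):
    """Say how a credential is stored, without returning the secret itself."""
    if not value:
        return "empty"
    if plain_flag.strip().lower() != "false":
        return "plaintext"
    try:
        decoded = base64.b64decode(value, validate=True).decode("utf-16-le")
    except ValueError:  # malformed Base64, or bytes that are not UTF-16LE
        return "unrecognized"
    # Assumed convention: Base64(UTF-16LE(password + element name)).
    return "base64-reversible" if decoded.endswith(tag) else "unrecognized"

def audit_unattend(xml_text):
    """Return (owner element, password element, storage) per credential."""
    findings = []
    for parent in ET.fromstring(xml_text).iter():
        for child in parent:
            tag = local(child.tag)
            if tag in PASSWORD_TAGS:
                fields = {local(e.tag): (e.text or "").strip() for e in child}
                # Assumption: a missing PlainText element means plaintext.
                storage = classify(tag, fields.get("Value", ""),
                                   fields.get("PlainText", "true"))
                findings.append((local(parent.tag), tag, storage))
    return findings

def sample_unattend():
    """Constructed answer file: one plaintext, one encoded credential."""
    enc = base64.b64encode("Example-Pw1Password".encode("utf-16-le")).decode()
    return f"""<unattend xmlns="urn:schemas-microsoft-com:unattend">
 <UserAccounts><LocalAccounts><LocalAccount>
  <Password><Value>Example-Pw1</Value><PlainText>true</PlainText></Password>
 </LocalAccount></LocalAccounts></UserAccounts><AutoLogon>
  <Password><Value>{enc}</Value><PlainText>false</PlainText></Password>
 </AutoLogon></unattend>"""

if __name__ == "__main__":
    for owner, tag, storage in audit_unattend(sample_unattend()):
        print(f"{owner}/{tag}: {storage}")
```

A `base64-reversible` finding means anyone who can read the file can recover the password, so the file should still be deleted or the password changed after installation.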