question

AlexDanilov-7975 avatar image
0 Votes"
AlexDanilov-7975 asked Viorel-1 commented

Cannot decrypt Unicode password, passed from RDP (need plain password for credential provider)

Just repeating question here - as suggested. Issue with CredIsProtected API

When RDP passes the password to destination PC it is in protected form, something like "@@D...."
We are using following code in order to get plain text password from it:

if (CredIsProtectedW(szPasswordFromRDP, &protectionType))
{
if(protectionType == CredProtected)
{
CredUnprotectW(FALSE, szPasswordFromRDP,...);
// use plain text password in our own Credential provider
}
}

That code works perfectly well when user has ASCII password.
But when there is Unicode password CredIsProtectedW returns CredUnprotected...
Even when we try to "force" conversion with CredUnprotectW by supplying correct plain text length (we know from original password) - it still doesn't work!
Is it some kind of limitation? Or bug? Or it doesn't support all Unicode characters?
Or destination PC should have language installed?

Internally, they look pretty much the same.
ASCII password in protected form: @@D�� gAAAAAnPAAAAAAAAAE1g99rdJVRbxrnfZUZt2eC#VpTLhcq1H
Unicode in protected form: @@D\x07\x08\x0c\n\roAAAAAnPAAAAAAAAgJtBMDyNE3hzbN0ZfPFpvgndNZinjVbLzxsosyvaRNeD

Just in case - specific Unicode plain text password I've used (Japanese Katakana) アセアセアセアセアセ
2 letters repeated 5 times: U+30A2 and U+30BB

windows-api
· 1
5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.


Maybe it has sense to execute an experimental call of CredProtectW on corresponding machine to check that it can protect such credentials.

0 Votes 0 ·

0 Answers