Article: Windows XP Wide Open Using Windows 2000 CD-ROM

From: Donovan Bernauer (donovan@DONOVANB.COM)
Date: 02/19/03

    Date:         Wed, 19 Feb 2003 13:50:15 -0800
    From: Donovan Bernauer <donovan@DONOVANB.COM>
    To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
    
    

    There's a vulnerability in Windows XP that allows anyone who can modify
    the BIOS to boot from the CD (or to the NIC for RIS/BOOTP systems) and use
    the Windows 2000 CD-ROM version of the Recovery Console to freely access
    the files on an XP box, regardless of most of the configured system
    security.

    Although I have used this technique in the past for system building / file
    recovery purposes (OEM files, $winnt$.inf files, and my documents, etc.),
    this is not "my" discovery. I'll point to the source article in the
    second half of this post. It didn't occur to me that this was "new"
    material, but I read an article that made it seem so. For those of you
    that already know about this issue, perhaps this will help you secure your
    systems from it. I'd like to mention that this exploit is really no
    different than pulling a disk out of one system and booting into another
    system and accessing your disk there, or simply loading an OS image with
    NTFS support, but no security support. EFS will keep your files safe, at
    least until someone cracks the key.

    From my own tests, I can verify that the exploit works to provide access
    to the Recovery Console, both by using the Windows 2000 CD-ROM and with
    Windows 2000 RIS. As to what you can safely do with the recovery CD
    (reset admin passwords, install rootkits, erase logs, etc.), I have not
    tried. What I did try is deleting a secured file (my c:\autoexec.bat with
    admin and system full access - no other permissions) and I also tried
    copying C:\windows\system32\$winnt$.inf to the floppy drive a:, as well
    as to my USB flash disk (M-Systems), and I tried manipulating system
    services with the ENABLE command. The file deletion was successful - so
    this exploit can bypass NTFS permissions. The good news is that it
    respects the security policy setting for Floppy Copy:
    (HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SETUP\RECOVERYCONSOLE\SETCOMMAND=0).
    This means that you can only copy data to a local (not removable) disk.
    If you try a removable disk, you get an access denied message. The
    exploit also does not seem to be able to read the system services on my
    machines.

    I think this is really embarrassing. The only difference between this and
    just loading another OS to do the same thing, is that this is VERY easy.
    Just remember that the only secure data on a secure network is on the
    servers (Win2K). At least those can be tightly controlled. I couldn't
    believe I spent months perfecting my security policies for XP, with RIS
    installations and syskey, etc. and then something as easy as this came
    along. Since the Windows 2000 recovery console cannot "read" the XP
    system, it just skips it. I'd think the only way to fix this would be to
    modify the XP SAM so as to leave a trail of bread crumbs for the Win2K RC
    so that it can find the information in the SAM file and ask for
    administrator login. Nice going MS.

    Donovan Bernauer

    P.S. Here is the article that I read which prompted me to send this
    report:

    From http://www.wininformant.com/Articles/Index.cfm?ArticleID=38072.

    ARTICLE INFORMATION
    InstantDoc ID: 38072

    February 19, 2003 | Mark Joseph Edwards
    Windows XP Wide Open Using Windows 2000 CD-ROM

    An interesting glitch has turned up in Microsoft's Windows XP OS.
    According to a report published in a newsletter ("Brian's Buzz on
    Windows") from http://briansbuzz.com, an intruder can access an XP system
    without restriction by simply using a Windows 2000 CD-ROM to launch a
    Recovery Console.

    According to newsletter publisher Brian Livingston, one of his readers,
    Tony DeMartino, alerted him to the problem. Livingston says that once a
    user launches a Recovery Console on an XP system by using a Win2K CD-ROM,
    the user has complete administrative access to the system, without the
    need for a password. The user can then copy any files on the system to
    removable media, which usually isn't allowed without a password. The user
    can also perform other actions on the system with full administrative
    privileges.

    Livingston said he notified Microsoft about the problem several weeks ago
    but hasn't received a response to date. Livingston acknowledges
    Microsoft's long-known stance that "if a bad guy has unrestricted physical
    access to your computer, it's not your computer anymore," but points out
    that complete system access shouldn't be as simple as obtaining a Win2K
    CD-ROM to use as the keys to the front door.

    Windows & .NET Magazine reporter Ken Pfeil tested this scenario and found
    that the process does in fact work as stated. As Livingston pointed out in
    his newsletter, until Microsoft fully addresses this matter, users should
    keep an even closer eye on their computers. Little can be done to prevent
    this sort of intrusion, except to physically secure your computers.

    END OF ARTICLE
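
    Added example (not part of Donovan's post or the wininformant article):
    a PowerShell audit of the two Recovery Console policy values that live
    under the registry key the post cites, a function that writes the
    restrictive setting, and an EFS check on the files the post names. It
    assumes PowerShell 3 or later on the box being audited, read access to
    HKLM (administrative rights for the hardening function), and the
    "My Documents" path is illustrative for an XP profile. One caveat that
    follows from the post itself: SecurityLevel only governs the password
    prompt of the Recovery Console installed on the XP box; a console booted
    from the Windows 2000 CD never consults the XP SAM, so against this
    attack only SetCommand=0 (which the post reports is honoured) and EFS
    make any difference, and neither is a substitute for a BIOS boot-order
    lock and physical control of the machine.

```powershell
# Added example (not part of the original post): audit the Recovery Console
# policy values under the key the post cites, harden them, and check whether
# named files are EFS-encrypted. Assumes PowerShell 3+ and read access to HKLM;
# Set-RecoveryConsoleHardened additionally needs administrative rights.

$rcKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Setup\RecoveryConsole'

function Get-RecoveryConsolePolicy {
    # Both values are REG_DWORD. A missing value means the default, 0.
    $props = Get-ItemProperty -Path $rcKey -ErrorAction SilentlyContinue
    $securityLevel = 0
    $setCommand    = 0
    if ($props -and $null -ne $props.SecurityLevel) { $securityLevel = [int]$props.SecurityLevel }
    if ($props -and $null -ne $props.SetCommand)    { $setCommand    = [int]$props.SetCommand }

    [pscustomobject]@{
        # SecurityLevel=1 ("Allow automatic administrative logon"): the console
        # installed on this box skips the Administrator password prompt.
        AutoAdminLogon       = ($securityLevel -eq 1)
        # SetCommand=1 ("Allow floppy copy and access to all drives and all
        # folders"): COPY to removable media and SET AllowRemovableMedia work.
        RemovableCopyAllowed = ($setCommand -eq 1)
    }
}

function Set-RecoveryConsoleHardened {
    # Write the restrictive setting for both values (the post's SETCOMMAND=0).
    if (-not (Test-Path $rcKey)) { New-Item -Path $rcKey -Force | Out-Null }
    Set-ItemProperty -Path $rcKey -Name SecurityLevel -Value 0 -Type DWord
    Set-ItemProperty -Path $rcKey -Name SetCommand    -Value 0 -Type DWord
}

function Test-EfsEncrypted {
    # Report the EFS state of each path; EFS is the only control in the post
    # that still holds once the disk is read by a console that ignores NTFS ACLs.
    param([Parameter(Mandatory = $true)][string[]]$Path)
    foreach ($p in $Path) {
        $item = Get-Item -LiteralPath $p -ErrorAction SilentlyContinue
        $enc  = $false
        if ($item) {
            $enc = (($item.Attributes -band [IO.FileAttributes]::Encrypted) -ne 0)
        }
        [pscustomobject]@{ Path = $p; Exists = [bool]$item; Encrypted = $enc }
    }
}

# Usage: report weak settings, then the unencrypted state of the files the
# post mentions (the "My Documents" path is illustrative for an XP profile).
$policy = Get-RecoveryConsolePolicy
if ($policy.AutoAdminLogon) {
    Write-Warning 'SecurityLevel=1: the local Recovery Console logs on without a password'
}
if ($policy.RemovableCopyAllowed) {
    Write-Warning 'SetCommand=1: the Recovery Console may copy files to removable media'
}
$targets = @(
    (Join-Path $env:SystemRoot 'system32\$winnt$.inf'),
    (Join-Path $env:USERPROFILE 'My Documents')
)
Test-EfsEncrypted -Path $targets |
    Where-Object { $_.Exists -and -not $_.Encrypted } |
    ForEach-Object { Write-Warning "$($_.Path) is not EFS-encrypted" }
```

    Run it as-is to get the warnings, and call Set-RecoveryConsoleHardened
    from an elevated session to write both values to 0. The same two values
    are exposed as the "Recovery console" entries under Local Security Policy,
    so a domain policy can enforce them; the EFS check is there because, as
    the post says, NTFS ACLs do not survive an offline boot and the
    encryption key is the only thing left between the attacker and the data.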

