Re: Article: Windows XP Wide Open Using Windows 2000 CD-ROM

From: Knouse, Jim (JKnouse@BESTSTAFFTECH.COM)
Date: 02/20/03

    Date:         Thu, 20 Feb 2003 08:39:51 -0600
    From: "Knouse, Jim" <JKnouse@BESTSTAFFTECH.COM>
    To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
    
    

    This from a message on the WINNT-L list from 2/18:

    Here's an answer from Microsoft on this:

    "According to my research, this issue is because the Windows 2000 Recovery
    Console cannot load Windows XP's SAM properly:

    As we know, one of the design purposes of Recovery Console is to repair the
    system once a disaster happens. For example, a corrupted SYSTEM hive or SAM
    (which stores the local accounts information) can corrupt the system. When
    booting into Recovery Console, it will try to load the SAM, prompt the user
    to enter the Administrator's password, and then compare the password
    entered to the SAM. If the SAM cannot be loaded properly in Recovery
    Console, Recovery Console considers it corrupted. Therefore, it allows the
    user to enter Recovery Console without entering the Administrator's
    password to repair the system:

    Recovery Console Starts Without Prompting for a Password
    http://support.microsoft.com/?id=238836

    Due to changes to the SAM in Windows XP, Windows 2000 Recovery Console
    cannot load Windows XP's SAM properly. Therefore, Windows 2000 Recovery
    Console allows the user to go into Recovery Console without entering a
    password.

    I can truly understand your concerns on this issue. Regarding this issue, I
    have reported it to our proper department. Based on their feedback:

    1) Microsoft has investigated this vulnerability report.
    2) Microsoft does not consider this to be a vulnerability at this time.
    3) Having untrusted physical access to the box violates an immutable law of
    security. The Immutable Laws of Security can be found here:

    http://www.microsoft.com/technet/columns/security/essays/10imlaws.asp

    You can take the following precautions to mitigate security risks associated
    with someone having physical access to a station. However, in the end, if
    untrusted physical access cannot be prevented, the machine would be
    considered insecure. The following are examples of precautions that could be
    taken:

    a) BIOS passwords
    b) Using Syskey 2/3
    c) Using EFS
    d) Disabling boot from CD & floppy"

    Jim Knouse

    (But then, of course, I could be wrong...;^)

    -----Original Message-----
    From: Donovan Bernauer [mailto:donovan@DONOVANB.COM]
    Sent: Wednesday, February 19, 2003 3:50 PM
    To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
    Subject: Article: Windows XP Wide Open Using Windows 2000 CD-ROM

    There's a vulnerability in Windows XP that allows anyone who can modify
    the BIOS to boot from the CD (or to the NIC for RIS/BOOTP systems) and use
    the Windows 2000 cd-rom version of the recovery console to freely access
    the files on an XP box, regardless of most of the configured system
    security.

    Although I have used this technique in the past for system building / file
    recovery purposes (OEM files, $winnt$.inf files, and my documents, etc.),
    this is not "my" discovery. I'll point to the source article in the
    second half of this post. It didn't occur to me that this was "new"
    material, but I read an article that made it seem so. For those of you
    that already know about this issue, perhaps this will help you secure your
    systems from it. I'd like to mention that this exploit is really no
    different than pulling a disk out of one system and booting into another
    system and accessing your disk there, or simply loading an OS image with
    NTFS support, but no security support. EFS will keep your files safe, at
    least until someone cracks the key.

    From my own tests, I can verify that the exploit works to provide access
    to the recovery console, both by using the Windows 2000 cd-rom and with
    Windows 2000 RIS. As to what you can safely do with the recovery cd
    (reset admin passwords, install rootkits, erase logs, etc.), I have not
    tried. What I did try is deleting a secured file (my c:\autoexec.bat with
    admin and system full access - no other permissions) and I also tried
    copying C:\windows\system32\$winnt$.inf to the floppy drive a:, as well as to
    my USB flash disk (M-Systems), and I tried manipulating system services
    with the ENABLE command. The file deletion was successful - so this exploit
    can bypass NTFS permissions. The good news is that it respects the
    security policy setting for Floppy Copy
    (HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SETUP\RECOVERYCONSOLE\SETCOMMAND=0).
    This means that you can only copy data to a local (not removable) disk. If you try a
    removable disk, you get an access denied message. The exploit also does
    not seem to be able to read the system services on my machines.

    I think this is really embarrassing. The only difference between this and
    just loading another OS to do the same thing, is that this is VERY easy.
    Just remember that the only secure data on a secure network is on the
    servers (Win2K). At least those can be tightly controlled. I couldn't
    believe I spent months perfecting my security policies for XP, with RIS
    installations and syskey, etc. and then something as easy as this came
    along. Since the Windows 2000 recovery console cannot "read" the XP
    system, it just skips it. I'd think the only way to fix this would be to
    modify the XP SAM so as to leave a trail of bread crumbs for the Win2K RC
    so that it can find the information in the SAM file and ask for
    administrator login. Nice going MS.

    Donovan Bernauer

    P.S. Here is the article that I read which prompted me to send this
    report:

    From http://www.wininformant.com/Articles/Index.cfm?ArticleID=38072.

    ARTICLE INFORMATION
    InstantDoc ID: 38072

    February 19, 2003 | Mark Joseph Edwards
    Windows XP Wide Open Using Windows 2000 CD-ROM

    An interesting glitch has turned up in Microsoft's Windows XP OS.
    According to a report published in a newsletter ("Brian's Buzz on
    Windows") from http://briansbuzz.com, an intruder can access an XP system
    without restriction by simply using a Windows 2000 CD-ROM to launch a
    Recovery Console.

    According to newsletter publisher Brian Livingston, one of his readers,
    Tony DeMartino, alerted him to the problem. Livingston says that once a
    user launches a Recovery Console on an XP system by using a Win2K CD-ROM,
    the user has complete administrative access to the system, without the
    need for a password. The user can then copy any files on the system to
    removable media, which usually isn't allowed without a password. The user
    can also perform other actions on the system with full administrative
    privileges.

    Livingston said he notified Microsoft about the problem several weeks ago
    but hasn't received a response to date. Livingston acknowledges
    Microsoft's long-known stance that "if a bad guy has unrestricted physical
    access to your computer, it's not your computer anymore," but points out
    that complete system access shouldn't be as simple as obtaining a Win2K
    CD-ROM to use as the keys to the front door.

    Windows & .NET Magazine reporter Ken Pfeil tested this scenario and found
    that the process does in fact work as stated. As Livingston pointed out in
    his newsletter, until Microsoft fully addresses this matter, users should
    keep an even closer eye on their computers. Little can be done to prevent
    this sort of intrusion, except to physically secure your computers.

    END OF ARTICLE

    oooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooo
    Delivery co-sponsored by TruSecure Corporation
    oooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooo
    TICSA - Anniversary Special - Limited Time

    Become TICSA certified for just $221.25 US when you register before 3/31/03
    with PROMO "TS0103" at www.2test.com. NO membership fees, certification
    good for 2 years. Price for international delivery just $296.25 US, with
    this offer. Offer cannot be combined with any other special and expires
    3/31/03. Visit www.trusecure.com/ticsa for full details.

    oooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooo
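An added illustration, not code from this list post, from Microsoft, or from Windows itself, of the fail-open decision Microsoft's reply describes: the console tries to load the account database, and when the load fails the database is treated as corrupt and the password check is skipped entirely. Every name here (SamLoadError, load_sam, the salted-hash account table) is a hypothetical stand-in; no real SAM hive format is modelled, and a fail-closed variant is shown beside the original behaviour.

```python
import hashlib
import hmac
from typing import Dict, Optional

class SamLoadError(Exception):
    """Hypothetical: raised when the account database cannot be parsed."""

SALT = b"constructed-salt"  # constructed value; a real hive stores per-account data

def _digest(password: str) -> bytes:
    """Salted SHA-256 used only by this toy account table (not the real SAM scheme)."""
    return hashlib.sha256(SALT + password.encode("utf-8")).digest()

# Constructed stand-in for an account database the console can read.
LOADABLE_SAM: Dict[str, bytes] = {"Administrator": _digest("correct horse")}

def load_sam(hive: Optional[Dict[str, bytes]]) -> Dict[str, bytes]:
    """Hypothetical loader. A hive in an unrecognised format (None here) is the
    analogue of an XP SAM being read by the Windows 2000 console."""
    if hive is None:
        raise SamLoadError("unrecognised SAM format")
    return hive

def _password_matches(accounts: Dict[str, bytes], password: str) -> bool:
    """Constant-time comparison against the stored Administrator digest."""
    expected = accounts.get("Administrator")
    return expected is not None and hmac.compare_digest(expected, _digest(password))

def logon_fail_open(hive: Optional[Dict[str, bytes]], password: str) -> bool:
    """The behaviour the thread describes: an unloadable SAM is taken as
    'corrupted', so the console opens without any password check at all."""
    try:
        accounts = load_sam(hive)
    except SamLoadError:
        return True  # fail open: nothing to compare against, so the user is let in
    return _password_matches(accounts, password)

def logon_fail_closed(hive: Optional[Dict[str, bytes]], password: str) -> bool:
    """Hardened decision: an account database that cannot be read denies logon,
    so a format mismatch is no longer equivalent to knowing the password."""
    try:
        accounts = load_sam(hive)
    except SamLoadError:
        return False  # fail closed: repair may still be offered, but not as Administrator
    return _password_matches(accounts, password)
```

With a readable database both variants behave identically; they differ only on the unreadable-hive path, which is exactly the case the Windows 2000 console hits on an XP SAM.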
