Re: Article: Windows XP Wide Open Using Windows 2000 CD-ROM
From: Knouse, Jim (JKnouse@BESTSTAFFTECH.COM)
Date: 02/20/03
Date: Thu, 20 Feb 2003 08:39:51 -0600 From: "Knouse, Jim" <JKnouse@BESTSTAFFTECH.COM> To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
This from a message on the WINNT-L list from 2/18:
Here's an answer from Microsoft on this:
"According to my research, this issue is because the Windows 2000 Recovery Console cannot load Windows XP's SAM properly:

As we know, one of the design purposes of Recovery Console is to repair the system once disaster happens. For example, a corrupted SYSTEM hive or SAM (which stores the local accounts information) can corrupt the system. When booting into Recovery Console, it will try to load SAM, prompt the user to enter the Administrator's password, and then compare the password entered to SAM. If the SAM cannot be loaded properly in Recovery Console, Recovery Console considers it corrupted. Therefore, it allows the user to enter Recovery Console without entering the Administrator's password to repair the system:

Recovery Console Starts Without Prompting for a Password
http://support.microsoft.com/?id=238836

Due to the changes of SAM in Windows XP, Windows 2000 Recovery Console cannot load Windows XP's SAM properly. Therefore, Windows 2000 Recovery Console allows the user to go into Recovery Console without entering a password.

I can truly understand your concerns on this issue. Regarding this issue, I have reported it to our proper department. Based on their feedback:

1) Microsoft has investigated this vulnerability report.
2) Microsoft does not consider this to be a vulnerability at this time.
3) Having untrusted physical access to the box violates an immutable law of security. The Immutable Laws of Security can be found here:
http://www.microsoft.com/technet/columns/security/essays/10imlaws.asp

You can take the following precautions to mitigate security risks associated with someone having physical access to a station. However, in the end, if untrusted physical access cannot be prevented, the machine would be considered insecure. The following are examples of precautions that could be taken:

a) BIOS passwords
b) Using Syskey 2/3
c) Using EFS
d) Disabling boot from CD & floppy"
Jim Knouse
(But then, of course, I could be wrong...;^)
-----Original Message-----
From: Donovan Bernauer [mailto:donovan@DONOVANB.COM]
Sent: Wednesday, February 19, 2003 3:50 PM
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
Subject: Article: Windows XP Wide Open Using Windows 2000 CD-ROM
There's a vulnerability in Windows XP that allows anyone who can modify
the BIOS to boot from the CD (or to the NIC for RIS/BOOTP systems) and use
the Windows 2000 cd-rom version of the recovery console to freely access
the files on an XP box, regardless of most of the configured system
security.
Although I have used this technique in the past for system building / file
recovery purposes (OEM files, $winnt$.inf files, and my documents, etc.),
this is not "my" discovery. I'll point to the source article in the
second half of this post. It didn't occur to me that this was "new"
material, but I read an article that made it seem so. For those of you
that already know about this issue, perhaps this will help you secure your
systems from it. I'd like to mention that this exploit is really no
different than pulling a disk out of one system and booting into another
system and accessing your disk there, or simply loading an OS image with
NTFS support, but no security support. EFS will keep your files safe, at
least until someone cracks the key.
From my own tests, I can verify that the exploit works to provide access
to the recovery console, both by using the Windows 2000 cd-rom and with
Windows 2000 RIS. As to what you can safely do with the recovery cd
(reset admin passwords, install rootkits, erase logs, etc.), I have not
tried. What I did try is deleting a secured file (my c:\autoexec.bat with
admin and system full access - no other permissions) and I also tried
copying C:\windows\system32\$winnt$.inf to the floppy drive a:, as well to
my USB flash disk (M-Systems) and I tried manipulating system services
with ENABLE command. The file deletion was successful - so this exploit
can bypass NTFS permissions. The good news is that it respects the
security policy setting for Floppy Copy
(HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SETUP\RECOVERYCONSOLE\SETCOMMAND=0). This means that
you can only copy data to a local (not removable) disk. If you try a
removable disk, you get an access denied message. The exploit also does
not seem to be able to read the system services on my machines.
I think this is really embarrassing. The only difference between this and
just loading another OS to do the same thing, is that this is VERY easy.
Just remember that the only secure data on a secure network is on the
servers (Win2K). At least those can be tightly controlled. I couldn't
believe I spent months perfecting my security policies for XP, with RIS
installations and syskey, etc. and then something as easy as this came
along. Since the Windows 2000 recovery console cannot "read" the XP
system, it just skips it. I'd think the only way to fix this would be to
modify the XP SAM so as to leave a trail of bread crumbs for the Win2K RC
so that it can find the information in the SAM file and ask for
administrator login. Nice going MS.
Donovan Bernauer
P.S. Here is the article that I read which prompted me to send this
report:
From http://www.wininformant.com/Articles/Index.cfm?ArticleID=38072.
ARTICLE INFORMATION
InstantDoc ID: 38072
February 19, 2003 | Mark Joseph Edwards
Windows XP Wide Open Using Windows 2000 CD-ROM
An interesting glitch has turned up in Microsoft's Windows XP OS.
According to a report published in a newsletter ("Brian's Buzz on
Windows") from http://briansbuzz.com, an intruder can access an XP system
without restriction by simply using a Windows 2000 CD-ROM to launch a
Recovery Console.
According to newsletter publisher Brian Livingston, one of his readers,
Tony DeMartino, alerted him to the problem. Livingston says that once a
user launches a Recovery Console on an XP system by using a Win2K CD-ROM,
the user has complete administrative access to the system, without the
need for a password. The user can then copy any files on the system to
removable media, which usually isn't allowed without a password. The user
can also perform other actions on the system with full administrative
privileges.
Livingston said he notified Microsoft about the problem several weeks ago
but hasn't received a response to date. Livingston acknowledges
Microsoft's long-known stance that "if a bad guy has unrestricted physical
access to your computer, it's not your computer anymore," but points out
that complete system access shouldn't be as simple as obtaining a Win2K
CD-ROM to use as the keys to the front door.
Windows & .NET Magazine reporter Ken Pfeil tested this scenario and found
that the process does in fact work as stated. As Livingston pointed out in
his newsletter, until Microsoft fully addresses this matter, users should
keep an even closer eye on their computers. Little can be done to prevent
this sort of intrusion, except to physically secure your computers.
END OF ARTICLE
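Added example, not part of the original thread: a read-only PowerShell audit of the two Recovery Console policy values under the registry key Donovan's message names. It assumes the two documented DWORD values there, SetCommand (the "Floppy Copy" setting he tested) and SecurityLevel (automatic administrative logon), and that it is run from an elevated prompt on the host being checked.

```powershell
# Added example (not from the thread): report the effective Recovery Console
# policy on this host. Assumed value names: SetCommand and SecurityLevel.
$rcKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Setup\RecoveryConsole'

function Get-RcDword {
    # Return a DWORD value from the key, or 0 when the value is absent
    # (an absent value behaves like the restrictive default).
    param([string]$Name)
    $props = Get-ItemProperty -Path $rcKey -ErrorAction SilentlyContinue
    if ($null -eq $props -or $null -eq $props.$Name) { return 0 }
    return [int]$props.$Name
}

function Get-RecoveryConsolePolicy {
    if (-not (Test-Path $rcKey)) {
        return [pscustomobject]@{ KeyPresent = $false; SetCommand = 0; SecurityLevel = 0 }
    }
    [pscustomobject]@{
        KeyPresent    = $true
        SetCommand    = Get-RcDword -Name 'SetCommand'     # 1 = SET allowed: copy to removable media
        SecurityLevel = Get-RcDword -Name 'SecurityLevel'  # 1 = automatic admin logon, no password
    }
}

$policy = Get-RecoveryConsolePolicy
if (-not $policy.KeyPresent) {
    Write-Output "RecoveryConsole key not found; nothing to audit"
    return
}
if ($policy.SetCommand -ne 0) {
    Write-Warning "SetCommand=1: Recovery Console may copy files to floppy/removable media"
} else {
    Write-Output "SetCommand=0: copy to removable media is denied (the behaviour Donovan observed)"
}
if ($policy.SecurityLevel -ne 0) {
    Write-Warning "SecurityLevel=1: Recovery Console logs on as Administrator without a password"
} else {
    Write-Output "SecurityLevel=0: the installed Recovery Console prompts for the Administrator password"
}
# Per the thread, a Windows 2000 CD's Recovery Console skips the password check on XP
# regardless of SecurityLevel, so the remaining controls are the physical ones listed
# above: BIOS password, no boot from CD/floppy/network, Syskey, EFS.
```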
oooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooo
Delivery co-sponsored by TruSecure Corporation
oooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooo
TICSA - Anniversary Special - Limited Time
Become TICSA certified for just $221.25 US when you register before 3/31/03
with PROMO "TS0103" at www.2test.com. NO membership fees, certification
good for 2 years. Price for international delivery just $296.25 US, with
this offer. Offer cannot be combined with any other special and expires
3/31/03. Visit www.trusecure.com/ticsa for full details.
oooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooo