RE: [VulnWatch] Blank Administrator password in DELL XP Professional install

From: Michael Scheidell (scheidell_at_secnap.net)
Date: 06/28/05

  • Next message: iDEFENSE Labs: "[VulnWatch] iDEFENSE Security Advisory 06.29.05: Clam AntiVirus ClamAV Cabinet File Handling DoS Vulnerability"
    Date: Tue, 28 Jun 2005 04:37:39 -0400
    To: "James Bender" <jbender@mcollins.com>, <bugtraq@securityfocus.com>
    
    

    Wrong. Read the report. Retail XP Pro doesn't have the problem. MANY
    OEMs decided to take a short cut and it bit them.
     
    Wrong, read the report, I already addressed the logging on locally.
     
    Wrong, read the report, read the link to the IBM report, IBM fixed it.
     
     

            -----Original Message-----
            From: James Bender [mailto:jbender@mcollins.com]
            Sent: Monday, June 27, 2005 11:09 PM
            To: Michael Scheidell; bugtraq@securityfocus.com
            Cc: security@dell.com; vulnwatch@vulnwatch.org; cert@cert.org;
    security@dell.com
            Subject: RE: [VulnWatch] Blank Administrator password in DELL XP
    Professional install
            
            
            This is not a vulnerability on just DELL machines. This is a
    default out of the box configuration for any Windows XP Pro, or Windows
    2003 Operating System, regardless of type (i.e., OEM, Open, or Retail
    Box).
             
             
            The real vulnerability to be exposed in something like this is
    the fact that Microsoft sets up a "back door" support account on all
    instances of Windows XP. Albeit disabled, this can lead to security
    risks if the administrator disables the account.
             
            Some Machines implement a local security policy that prevents
    the local administrator from logging on locally, and only allowing the
    "USERS" to log in to the machine.
             
            Like I said before, it's not a "DELL" issue. Perhaps DELL is
    being targeted since the OEM software defaults that way. I have
    installed Windows XP fresh from Open, OEM, or Retail, and experience the
    same thing. Null Password on Administrator account.
            
            -JB

      _____

            From: Michael Scheidell [mailto:scheidell@secnap.net]
            Sent: Mon 6/27/2005 1:08 PM
            To: bugtraq@securityfocus.com
            Cc: security@dell.com; vulnwatch@vulnwatch.org; cert@cert.org;
    security@dell.com
            Subject: [VulnWatch] Blank Administrator password in DELL XP
    Professional install
            
            

            Vulnerability in DELL Windows XP Professional - default hidden
    Administrator account allows local Administrator access
            
            Systems: DELL(tm) Laptops with Windows(tm) Professional
            Vulnerable: DELL Laptops with pre installed Microsoft Windows XP
    Professional SP2
            Not Vulnerable: DELL Laptops with Retail Microsoft Windows XP
    professional, RTM, SP1 and SP2
            Severity: High
            Category: Unauthorized Administrator Access
            Classification: Default Authentication
            BugTraq-ID: tbd
            CVE-Number: CAN-1999-0504
            Remote Exploit: Maybe
            Local Exploit: Yes
            Vendor URL: www.dell.com
            Author: Michael Scheidell, SECNAP Network Security
            Internal Release date: May 31, 2005
            Notifications: May 31, 2005, Emailed various security and cert
    addresses at DELL
            Vendor Response: June 7, 2005: Dell Emailed and requested more
    information
            SECNAP response: June 7, 2005: Sent Dell serial number and
    service tag code on test system
            Additional Contact: Emailed Dell on June 14, 2005 to request
    status
            Additional Contact: Emailed Dell on June 21, 2005 to request
    status, cc'd original cert and security addresses
            FBI Infragard Release: June 24, 2005
            Public Release Date: June 27, 2005
            
            Problem:
            
            DELL OEM XP Professional has a default hidden administrator
    account. Use of this account will allow anyone with physical access to
    the computer to fully control the computer, add spyware, keystroke
    loggers, password stealing software and read all files, including temp
    files, local files, documents, and any email that has been stored
    locally.
            
            DELL does not inform the installer of this account, nor give
    them the option of putting a password on this account. If a savvy
    installer finds the function to change the password for the
    Administrator account, they are warned that they could lose data.
    Security best practices REQUIRE a password on all administrative (and
    root) accounts.
            
            See Dell web site on passwords:
            Do's: Use passwords with 6 or more characters
            Do NOT's: Do not use passwords shorter than 6 characters[mss: I
    assume this means blank Administrator passwords also]
            
    http://support.dell.com/support/topics/global.aspx/support/security/security_2?c=us&cs=19&l=en&s=dhs&~tab=3
            There is also a link to Microsoft's Web site on Dell's site
            
    http://www.microsoft.com/smallbusiness/issues/technology/security/5_tips_for_top_notch_password_security.mspx
            
            Because DELL marketing directly targets large publicly traded
    businesses, government agencies, and research organizations, these
    systems are used in regulated industries. Healthcare organizations must
    be HIPAA compliant; financial institutions must follow GLBA regulations;
    publicly traded firms are required to adhere to the Sarbanes-Oxley Act;
    federally funded educational organizations are regulated by FERPA, and
    government agencies must comply with FISMA regulations. With such
    organizations comprising a major portion of DELL's market share, it
    would be advantageous to ensure that products incorporated into DELL
    systems would help achieve compliance with such regulations.
            
            Note: this is similar to the problem found on IBM workstations
    in August, 2004 and fixed by IBM with SP2 release:
            
            See: http://www.secnap.com/alerts.php?pg=5
            
            This may not be the first report of this behavior. If others
    have reported on this issue before, please let us know: however, we
    searched the CVE database and only found a distantly related problem
    dating back to 1999 where there is a warning against default, missing or
    weak administrator passwords.
            
            The Common Vulnerabilities and Exposures (CVE) project has
    assigned the name CAN-1999-0504 to this issue. This is a candidate for
    inclusion in the CVE list (<http://cve.mitre.org>), which standardizes
    names for security problems.
            
            A retail setup implementation of Microsoft Windows XP
    Professional Edition, "Out-of-Box Experience" (OOBE), requires that the
    installer be given the option to add an Administrator account. During
    the installation, the XP Installer states: "You must provide a name and
    an Administrator password for your computer. Setup creates a user
    account called Administrator. You use this account when you need full
    access to your computer." While setup will not require that a password
    actually be entered, it does stress that one SHOULD be entered.
    Additionally, the user is prompted to create a regular user account for
    general use.
            
            In contrast, the DELL setup implementation of Microsoft Windows
    XP Professional Edition does not include such steps. The existence of an
    administrator account is never mentioned. Instead, the setup asks: "Who
    will use this computer? Type the name of each person who will use this
    computer. Windows will create a separate user account for each person so
    you can personalize the way you want Windows to organize and display
    information, protect your files and computer settings, and customize the
    desktop. These names will appear on the Welcome screen in alphabetical
    order. When you start Windows, simply click your name on the Welcome
    screen to begin. If you want to set passwords and limit permissions for
    each user, or add more user accounts after you finish setting up
    Windows, just click CONTROL PANEL in the START menu, and then click USER
    ACCOUNTS." By default, none of the accounts added in this step have
    passwords. Nor is there an option to set passwords during the install.
    While this is not unique to the IBM install, it is a known weakness in
    the Windows XP OOBE, including retail and OEM versions. Because the
    Administrator account was never requested, this leaves the system in a
    very vulnerable state.
            
            Local Exploit :
            If Windows XP Professional is installed as part of a Windows
    Domain, the user selection menu is absent. If there is a user menu, hit
    <ctl><alt><del><ctl><alt><del> to pull the menu up
            
            Type 'Administrator' in the Username Box.
            Leave the Password Box Empty.
            If there is a domain in the Domain Box, change it to the local
    computer
            Hit Enter
            You now have full control over this system and can install
    keystroke loggers, capture passwords, install network sniffers, browse
    (and change) cookies of the users, read and copy any local documents or
    files
            
            Remote Exploit:
            Remote exploit is not possible unless someone changed the
    security feature that disabled network access for accounts with blank
    passwords
            If remote access is possible, use MACHINENAME/Administrator as
    the user authentication when connecting to the $SYSTEM or $C share.
            If you gain access, you can remotely load, install, read, take
    over the computer.
            
            Work Around
            By using the Computer Management application and looking under
    'System Tools->Local Users and Groups->Users', we see that the
    Administrator account has been added and enabled. This account IS NOT
    password-protected. If the installer sets a password for EVERY user
    shown under the User Accounts tool in the Control Panel, THE DEFAULT
    ADMINISTRATOR ACCOUNT STILL EXISTS WITH NO PASSWORD.
            
            The Installation Setup never informed the user that the account
    existed. If a user attempts to manually set a password for the
    Administrator account, they are greeted with the following warning:
    "Password for Administrator: Resetting this password might cause
    irreversible loss of information for this user account. For security
    reasons, Windows protects certain information by making it impossible to
    access if the user's password is reset. This data loss will occur the
    next time the user logs off. You should use this command only if a user
    has forgotten his or her password and does not have a password reset
    disk. If this user has created a password reset disk, then he or she
    should use that disk to set the password. If the user knows the password
    and wants to change it, he or she should log in, then press
    CTRL+ALT+DELETE and click Change Password. For additional information,
    click Help. [Proceed] [Cancel] [Help]." This warning exists in all
    versions of Windows XP, but it is not presented from the Control Panel
    Users Accounts tool. If a password is changed from the Control Panel's
    User Accounts section, no such warning is issued; but, again, the
    Administrator account is hidden from User Accounts.
            
            In summary, due to the lack of an Administrative Setup screen
    for the DELL Windows XP OOBE flow, it is more difficult for a
    security-conscious organization to manage a Windows XP-based DELL
    environment. In order to protect a system, several unintuitive
    additional steps must be taken on each system in the environment,
    despite warnings against taking such steps.
            
            SECNAP has tested this situation against DELL Windows XP Pro
    SP2. SECNAP also recommends that DELL notify all existing registered
    clients using the vulnerable systems to upgrade, possibly to a
    DELL-released patch, or modified version of SP2, that would additionally
    address the issues.
            
            Vendor Response
            On Jun 7th, 2005, Vendor requested and received serial number,
    service tag and OOBEINFO.INI from the test computer
            We attempted to contact them again on June 14th, and June 21st.
    No response
            
            Credit:
            Original alert on IBM Workstation by Jason Lash, SECNAP Network
    Security, www.secnap.com, research on DELL Laptops by Michael Scheidell,
    SECNAP Network Security.
            An original copy of this alert can be found here:
    http://www.secnap.com/alerts.php?pg=8
            
            Copyright:
            Above Copyright(c) 2005, SECNAP Network Security Corporation.
    World rights reserved.
            
            This security report can be copied and redistributed
    electronically provided it is not edited and is quoted in its entirety
    without written consent of SECNAP Network Security Corporation.
    Additional information or permission may be obtained by contacting
    SECNAP Network Security at 561-999-5000
            

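An added audit script, not part of the advisory and not from Dell, SECNAP or Microsoft, that checks a Windows host for the conditions the advisory describes: the built-in Administrator account (RID 500) present and enabled, local accounts flagged as not requiring a password, and the Lsa LimitBlankPasswordUse value behind the "blank passwords cannot be used over the network" behaviour the Remote Exploit section refers to. It assumes Windows PowerShell in an elevated session on the audited machine; the function names are mine.

```powershell
# Audit local accounts for the blank-Administrator-password situation described
# in the advisory. Reports only; remediation commands are given in the warnings.

function Get-BlankPasswordRisk {
    # Win32_UserAccount.PasswordRequired is $false when the account carries the
    # "password not required" flag. That is a hint that a blank password is
    # allowed, not proof that the password is blank, so it is reported as a flag.
    $accounts = Get-WmiObject -Class Win32_UserAccount -Filter "LocalAccount=True"
    foreach ($a in $accounts) {
        New-Object PSObject -Property @{
            Name             = $a.Name
            BuiltInAdmin     = $a.SID.EndsWith('-500')   # RID 500 = built-in Administrator
            Disabled         = $a.Disabled
            PasswordRequired = $a.PasswordRequired
        }
    }
}

function Get-BlankPasswordNetworkPolicy {
    # Security policy "Accounts: Limit local account use of blank passwords to
    # console logon only". 1 (the default) blocks the remote logon path the
    # advisory mentions; 0 allows it. Assumption: an absent value is treated
    # here as the default of 1.
    $lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    if ($null -eq $lsa.LimitBlankPasswordUse) { return 1 }
    return [int]$lsa.LimitBlankPasswordUse
}

$policy = Get-BlankPasswordNetworkPolicy
if ($policy -eq 1) {
    Write-Host "LimitBlankPasswordUse = 1 (blank-password accounts limited to console logon)"
} else {
    Write-Warning "LimitBlankPasswordUse = $policy : blank-password accounts may be usable over the network"
}

Get-BlankPasswordRisk | ForEach-Object {
    if ($_.BuiltInAdmin -and -not $_.Disabled) {
        Write-Warning "Built-in Administrator '$($_.Name)' is enabled; set a password (net user $($_.Name) *) or disable it"
    }
    if (-not $_.PasswordRequired) {
        Write-Warning "Account '$($_.Name)' is flagged 'password not required'"
    }
    $_
} | Format-Table Name, BuiltInAdmin, Disabled, PasswordRequired -AutoSize
```

The WMI flag cannot prove a password is blank, so treat an enabled RID 500 account with no documented password as unverified and set one regardless.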
