Blank passwords, TsInternetUser added to Administrators

From: Curt Wilson (netw3_security@hushmail.com)
Date: 12/23/02

    Date: 23 Dec 2002 08:01:45 -0000
    From: Curt Wilson <netw3_security@hushmail.com>
    To: focus-ms@securityfocus.com

    What are the circumstances for many of the default accounts
    (TsInternetUser, IUSR_, IWAM_, krbtgt, Guest for instance) having blank
    passwords? I realize that all of the security checklists, etc. always
    recommend disabling the Guest account, etc. but a system I know of has
    recently been "hacked" by the attacker adding TsInternetUser into the
    administrators group and then using Term Services to login interactively
    using the TsInternetUser account. Currently, it appears that the
    TsInternetUser account has a blank password. I was under the impression
    that the TsInternetUser account was only needed when using TermSvc in
    application server mode, and in that case the password is changed
    frequently (daily if I recall correctly) by the system, as discussed in a
    MS knowledge base Q article. In any other instance the account can be
    deleted without breaking anything, based on my experiences so far.

    What I don't understand is why some installs I've seen feature blank
    passwords and others don't, when the installation process was basically the
    same...I've not found any good docs on this phenomenon but if I've missed
    them please help point the way. I'm ruling out the obvious, because I know
    that the end user did NOT change any passwords after their installation
    and would not have assigned a password to these accounts manually.

    On one of my personal lab installs, TsInternetUser is using a strong
    password; I've got the 2nd half of the password cracked by using LC4. What
    I don't understand is why my client's system featured (ha) a blank password
    for this account. I suppose that an audit of the actual processes taking
    place when these services are installed could be useful here. It would be
    useful for pen testing processes to know the method that the OS uses to
    create these passwords. Any tips on this?

    I've also noticed blank passwords in various places for the IUSR and IWAM
    accounts, as well as a blank password for the krbtgt account on my test AD
    domain controller. When attempting to login via TermSvc with krbtgt and a
    blank password, a password change prompt comes up, but does not seem to
    allow interactive access, perhaps due to the blank password being
    the "old" password that the pw change GUI was not accepting? I've tried
    using krbtgt in net use commands to test the functionality of this account
    and to see what its limits might be, but I'm still testing. Anyone out
    there who beat me to this care to share your results?

    On a slightly different but related note, is anyone aware of a canned
    exploit for IIS or SQL Server that adds the TsInternetUser into the
    Administrators group? I've been tasked with discovering the origin of a
    specific system attack in a non-hardened system (it does have all the
    current patches and hotfixes however, but we all know that's not enough).
    The attacker deleted their event viewer logs and cleaned up after
    themselves better than most that I've seen. Due to timing logistics I was
    unable to get a disk image or any type of memory dump, with the exception
    of some stack dumps from SQL Server that happened around the same time as
    the penetration. I'm currently analyzing these (and could use some help)
    to determine what happened. If anyone is good at analyzing these types of
    dumps, or can correlate these dumps with any of the SQL Server exploits, I
    would appreciate any assistance.

    Thanks
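Two checks a responder would want for the situation described in the message above, as an added example that is not part of the original post or of any Microsoft documentation: first, scan a pwdump-format hash dump (the format LC4 imports) for default and service accounts whose stored hash is the empty password, and second, correlate Windows Security-log events into the chain the poster describes (a default account added to Administrators, an interactive Terminal Services logon with it, and the audit log cleared afterwards). The event IDs are the real Windows 2000/2003 ones (636, 528, 517) with their Vista-and-later equivalents (4732, 4624, 1102); the two empty-password hash constants are the real LM and NT hashes of a blank string. Everything else, the host name WEBSRV, the account RIDs, the non-blank hashes and the event records, is constructed sample data.

```python
"""Added example: (1) find default/service accounts with blank passwords in a
pwdump-style dump; (2) correlate Security-log events into the attack chain
"default account added to Administrators -> Terminal Services logon as that
account -> audit log cleared".  Sample data is constructed; host name, RIDs,
non-blank hashes and timestamps are illustrative only.
"""
import re
from collections import namedtuple

# Real hashes of the empty password: LM (both 7-byte halves blank) and NT.
BLANK_LM = "aad3b435b51404eeaad3b435b51404ee"
BLANK_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"

# Default/service accounts that should never log on interactively or sit in
# Administrators.  Prefix match catches IUSR_HOST / IWAM_HOST on any host.
SUSPECT_PREFIXES = ("tsinternetuser", "iusr_", "iwam_", "krbtgt", "guest")

def is_suspect_account(name):
    n = name.lower()
    return any(n.startswith(p) for p in SUSPECT_PREFIXES)

# pwdump line layout: user:rid:lmhash:nthash:::
PWDUMP_RE = re.compile(r"^([^:]+):(\d+):([0-9a-fA-F]{32}):([0-9a-fA-F]{32}):")

def find_blank_passwords(dump_text):
    """Return [(user, reason)].  A blank NT hash means a blank password.  An LM
    hash whose second half is the blank half (but whose first half is not)
    means the password is 7 characters or shorter, which is what a cracker is
    showing when it has "half the password" almost instantly."""
    hits = []
    for line in dump_text.splitlines():
        m = PWDUMP_RE.match(line.strip())
        if not m:
            continue                      # ignore headers, blanks, junk
        user, _rid, lm, nt = m.groups()
        lm = lm.lower()
        if nt.lower() == BLANK_NT:
            hits.append((user, "blank password"))
        elif lm[16:] == BLANK_LM[16:] and lm[:16] != BLANK_LM[:16]:
            hits.append((user, "LM second half blank: password is 7 chars or less"))
    return hits

Event = namedtuple("Event", "time event_id fields")

# Security-log event IDs: Windows 2000/2003 family and Vista+ family.
GROUP_MEMBER_ADDED = {636, 4732}   # member added to security-enabled local group
LOGON_SUCCESS = {528, 4624}
AUDIT_LOG_CLEARED = {517, 1102}
# Logon type 10 (RemoteInteractive) is Terminal Services on XP/2003 and later;
# Windows 2000 records a Terminal Services logon as type 2 (Interactive).
INTERACTIVE_TYPES = {"2", "10"}

def correlate(events):
    """Return [(time, finding)] in time order for the chain the post describes.
    A machine account (e.g. WEBSRV$) as caller of the group change means the
    change was made by a process running as LocalSystem, such as a compromised
    IIS or SQL Server service."""
    findings, escalated = [], set()
    for ev in sorted(events, key=lambda e: e.time):
        f = ev.fields
        if (ev.event_id in GROUP_MEMBER_ADDED
                and f.get("group", "").lower() == "administrators"
                and is_suspect_account(f.get("member", ""))):
            escalated.add(f["member"].lower())
            findings.append((ev.time, "ESCALATION: %s added to Administrators by %s"
                             % (f["member"], f.get("caller", "?"))))
        elif (ev.event_id in LOGON_SUCCESS
                and f.get("logon_type") in INTERACTIVE_TYPES
                and (f.get("user", "").lower() in escalated
                     or is_suspect_account(f.get("user", "")))):
            findings.append((ev.time, "ABUSE: interactive logon (type %s) as %s from %s"
                             % (f["logon_type"], f["user"], f.get("source", "?"))))
        elif ev.event_id in AUDIT_LOG_CLEARED:
            findings.append((ev.time, "ANTI-FORENSICS: audit log cleared by %s"
                             % f.get("user", "?")))
    return findings

# --- constructed sample data -------------------------------------------------
SAMPLE_DUMP = """\
Administrator:500:e52cac67419a9a224a3b108f3fa6cb6d:8846f7eaee8fb117ad06bdd830b7586c:::
TsInternetUser:1000:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
IUSR_WEBSRV:1001:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
IWAM_WEBSRV:1002:f0d412bd764ffe81aad3b435b51404ee:209c6174da490caeb422f3fa5a7ae634:::
"""

SAMPLE_EVENTS = [   # deliberately out of order; correlate() sorts them
    Event("2002-12-20 02:14:07", 636, {"group": "Administrators",
                                       "member": "TsInternetUser", "caller": "WEBSRV$"}),
    Event("2002-12-20 08:00:00", 528, {"user": "Administrator", "logon_type": "2",
                                       "source": "WEBSRV"}),
    Event("2002-12-20 02:52:10", 517, {"user": "TsInternetUser"}),
    Event("2002-12-20 02:15:31", 528, {"user": "TsInternetUser", "logon_type": "2",
                                       "source": "WEBSRV"}),
]

if __name__ == "__main__":
    for user, why in find_blank_passwords(SAMPLE_DUMP):
        print("%-16s %s" % (user, why))
    for when, what in correlate(SAMPLE_EVENTS):
        print(when, what)
```

The Administrator logon in the sample is ignored because the account is neither a default service account nor one that was just escalated; the three findings come out in time order even though the input records are shuffled. On a real box, feed `correlate()` the Account Management and Logon/Logoff events exported from the Security log, and `find_blank_passwords()` the pwdump output you would otherwise hand to LC4. A cleared log (517/1102) is itself the strongest single indicator here, so alert on it even when the earlier events are gone.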


