TsInternetUser priv. escalation; blank passwords; service passwords

From: Curt Wilson (netw3_security@hushmail.com)
Date: 12/23/02

Next message: Bojan Zdrnja: "RE: hpd, afb, sc, and sn"

Previous message: Brad Arlt: "Re: hpd, afb, sc, and sn"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Date: 23 Dec 2002 08:05:32 -0000
From: Curt Wilson <netw3_security@hushmail.com>
To: incidents@securityfocus.com

('binary' encoding is not supported, stored as-is)

What are the circumtances for many of the default accounts
(TsInternetUser, IUSR_, IWAM_, krbtgt, Guest for instance) having blank
passwords? I realize that all of the security checklists, etc. always
recommend disabling the Guest account, etc. but a system I know of has
recently been "hacked" by the attacker adding TsInternetUser into the
administrators group and then using Term Services to login interactively
using the TsInternetUser account. Currently, it appears that the
TsInternetUser account has a blank password. I was under the impression
that the TsInternetUser account was only needed when using TermSvc in
application server mode, and in that case the password is changed
frequently (daily if I recall correctly) by the system, as discussed in a
MS knowledge base Q article. In any other instance the account can be
deleted without breaking anything, based on my experiences so far.

What I don't understand is why some installs I've seen feature blank
passwords and others dont, when the installation process was basically the
same...win2k terminal services in remote administration mode. Installed
from the same media, one system gets a blank password and the other gets a
strong password. Why is this?

I've not found any good docs on this phenomenon but if I've missed them
please help point the way. I'm ruling out the obvious, because I know that
the end user did NOT change any passwords after their installation and
would not have assigned a password to these accounts manually.

On one of my personal lab installs, TsInternetUser is using a strong
password; I've got the 2nd half of the password cracked by using LC4. What
I don't understand is why my clients system featured (ha) a blank password
for this account. I suppose that an audit of the actual processes taking
place when these services are installed could be useful here. It would be
useful for pen testing processes to know the method that the OS uses to
create these passwords. Any tips on this?

I've also noticed blank passwords in various places for the IUSR and IWAM
accounts, as well as a blank password for the krbtgt account on my test AD
domain controller. When attempting to login via TermSvc with krbtgt and a
blank password, a password change prompt comes up, but does not seem to
allow interactive access, perhaps due to the blank password being
the "old" password that the pw change GUI was not accepting? I've tried
using krbtgt in net use commands to test the functionality of this account
and to see what it's limits might be, but I'm still testing. Anyone out
there beat me to this care to share your results?

On a slightly different but related note, is anyone aware of a canned
exploit for IIS or SQL Server that adds the TsInternetUser into the
Administrators group? I've been tasked with discovering the origin of a
specific system attack in a non-hardended system (it does have all the
current patches and hotfixes however, but we all know that's not enough).
The attacker deleted their event viewer logs and cleaned up after
themselves better than most that I've seen. Due to timing logistics I was
unable to get a disk image or any type of memory dump, with the exception
of some stack dumps from SQL Server that happened around the same time as
the penetration. I'm currently analyzing these (and could use some help)
to determine what happened. If anyone is good at analyzing these types of
dumps, or can correlate these dumps with any of the SQL Server exploits, I
would appreciate any assistance.

Thanks
Curt Wilson
Netw3 Security
www.netw3.com

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com

Next message: Bojan Zdrnja: "RE: hpd, afb, sc, and sn"
Previous message: Brad Arlt: "Re: hpd, afb, sc, and sn"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Relevant Pages

Blank passwords, TsInternetUser added to Administrators
... recently been "hacked" by the attacker adding TsInternetUser into the ... using the TsInternetUser account. ... What I don't understand is why some installs I've seen feature blank ... as well as a blank password for the krbtgt account on my test AD ...
(Focus-Microsoft)
RE: Blank passwords, TsInternetUser added to Administrators
... The TSInternetUser account allows anonymous access if Terminal Services ... What I don't understand is why some installs I've seen feature blank ...
(Focus-Microsoft)
Re: Machine account (MyMachine$) logon process then tries to change TSInternet User Passsword
... > appears someone logs on via the machine account and then tries to change the ... > It seems as though my security is dong the job, ... The TsInternetUser account is used by the Terminal Services Internet ... Connector Licensing is not enabled. ...
(alt.computer.security)
RE: Terminal Service Question
... Tsinternetuser is like the iuser and iwam accounts. ... Event Category: Account Management ... Target Account Name: TsInternetUser ... Caller User Name: WWW$ ...
(Focus-Microsoft)