Crack Windows XP With... Windows 2000
An anonymous reader writes "According to this story seen on Brian's Buzz on Windows, access to a Windows 2000 CD is all that is needed to bypass all (well, most) Windows XP security features. An attacker can boot up XP and start the Windows 2000 Recovery Console which allows them to operate as any user, even Administrator, without requiring them to enter a password. This method even allows someone to copy files to removable media, something which normally the Administrator can't even do in the Recovery Console."
I have to agree with Microsoft that if the bad guys have physical access to your computer you have some serious problems. However, let's note this scenario.
1. Important computer. Locked down
2. Bad employee, always has to use the computer for the job.
3. Employee "works late" one night
4. Employee brings in Win2K CD
5. Employee hijacks data to floppy, unlogged.
6. Employee blackmails company or does other bad things.
I am just amazed that what was secure in 2000 is less secure in XP.
Good ol', silly Microsoft.
This isn't one of them. If I have access to a box physically, I can destroy all of the content with a sledgehammer. I can also mount any partition for any operating system and start messing around. Ever tried booting into rescue mode in Windows? That works too. Use digital security means for digital access, physical means for physical access. That means a security guard and at the very least lock and key.
Slashdot: Where people pretend to be twice as smart as they really are by behaving like children.
that physical access is the best, and sometimes the easiest, way to gain control of a computer.
For the most part, I think this may have been more of an oversight on the software engineering team not to come up with all of the possibilities that one could try to gain access to the computer. Still, this should not even remotely be a possibility!!
On Mac OS X it's even easier (isn't everything?): Hold down Command-S while booting to get a root prompt in single-user mode. Or you can boot from an OSX CD and reset the root password.
Remember that on most Linux machines, you can boot from a floppy or CD, mount the hard drive, and do whatever you want, including change the root password or replace system binaries with hacked versions. Of course a PC can be locked down (disable booting from floppy/CD in BIOS, set a CMOS password, padlock the case) while a Mac can't (that I'm aware of), but how many people do that?
If you have physical access to the console, all bets are off. Don't underestimate the importance of physical security.
$x='S24;r)>63/* h@<5+oZ)32"5cz';$me='phroggy'x$];
$x=~y+ -xz+\0-Tx+;print$_^chop$me for split'',$x;
Although I originally thought "well hey, if your data center isn't secure, and you can't trust your operators, well, you're hosed!"
But then I got to thinking about this a little bit more. Microsoft's primary customer is the one that doesn't have a secure data center. Additionally, it's not out of the ordinary to reboot Windows XP computers.
Just think... I run a small business (about 10 people) and I electronically secure my XP server the best I can.
Then the secretary calls and says "oh, I just installed XYZ for you, so I rebooted the server". OK, no big deal.... that happens all the time.
But THEN, instead of simply rebooting, he manages to steal all of my corporate data...
Ouch!
So those who live in the datacenter might see this as a problem that we solve with physical security. But for the regular small XP shop, well, you just can't have physical security without spending $$$.
Of course, in my shop, we reboot on average once or twice a year. So it's a little harder to reboot with the goal of ripping data. Then again, our operators have root access...
Or just get this ISO and boot, WHAMMO instant access, and it is 100% free, unlike the Windows 2000 CD:
http://www.knopper.net/knoppix/index-en.html
In Linux (also in win) you have many different ways to protect your partitions:
http://koeln.ccc.de/archiv/drt/crypto/linux-disk.html
I think that the difference is important; in Linux everybody knows the way to mount partitions and retrieve/change the info inside them. In Windows it's supposed you can't do that.
Well, if you've got local access then I can install a keylogger or change passwords or create users that can get net access on the next reboot. Once you've got local, the network isn't far behind.
Not that most Linux boxes are any better. Most can be breached with a floppy.
Slashdot, home of supporters of free software, free music, and free speech.Except for Moderators that disagree with you.
Which leads to a question I've wondered about for a long time:
Why is the /home/ filesystem not by default encrypted with the users' passwords?
Admittedly this could be rather a processor-strain on servers with thousands of users, but for machines where you don't want people to be able to login to your account with a bootdisk, isn't this rather an oversight?
I just tried this, and it didn't work. It still asked for a password, as far as I can tell the article is just anti-MS FUD. What else could I expect from slashdot? :rolleyes:
Username taken, please choose another one.
In either Windows or Unix, can't I simply boot from a cd or floppy and gain root access? The only thing that makes this exploit interesting is that you can get access to the computer without interrupting normal operation.
Vote for Pedro
Why is the /home/ filesystem not by default encrypted with the users' passwords?
This wouldn't be a bad idea if we made use of the chattr option to set the encryption bit for files or directories. This could be set as default for the user's home directory and could be toggled off for non-sensitive material.
I see a HOWTO brewing...
- Anyone with a Windows 2000 CD can boot up a Windows XP box and start the Windows 2000 Recovery Console, a troubleshooting program.
- Windows XP then allows the visitor to operate as Administrator without a password, even if the Administrator account has a strong password.
It looks like you may not have to boot off of the CD to get access to the system. If this reading is accurate, then even machines with a CMOS password which have been set to boot only from the HD would be vulnerable.
More importantly, it would indicate that there is a back door to the XP security system. If somebody figures out the basis of such a backdoor, it could make for a very nasty virus/worm.
Hopefully, I'm just misreading the whole thing (quite possible).
Sometimes boldness is in fashion. Sometimes only the brave will be bold.
It makes me sad that Slashdot is looked upon as representative of Linux geeks.
How incredibly pathetic do you have to be to poke fun at a Windows exploit involving local access to the machine? Do you somehow think that Linux isn't just as vulnerable? Wasn't it only 2 or 3 months ago that an article was posted here about security ending when a hacker has physical access to a computer?
You Slashdot editors are a sad bunch of zealots. You are doing more harm for Linux advocacy than good. Thank god you're just a bunch of spotty geeks running an unimportant news site - if you took these sort of hypocritical attitudes somewhere which mattered, you'd end up in serious trouble.
Yes, which is why this flaw supposedly exists in XP. It does not exist in W2K.
It is trivial to get around the same thing in 2K also. Here is one simple way - just install another parallel install of 2K and boot into that as Admin, then you have access to all un-encrypted files on the other install. So the CD protection in 2K is nothing at all. Anyone who thinks for 5 mins can get around that (I'm amazed none of the supposed /. alpha geeks figured that one out). Most likely MS realised how futile all this was and made the XP CD simpler to do troubleshooting.
Windows 2000, of course, doesn't allow Recovery Console users to access a hard drive without a password, if one previously existed.
Omnes arx vestrum sunt adiuncta nobis.
They aren't, unless you rooted a DC.