Slashdot Mirror
Crack Windows XP With... Windows 2000
An anonymous reader writes "According to this story seen on Brian's Buzz on Windows, access to a Windows 2000 CD is all that is needed to bypass all (well, most) Windows XP security features. An attacker can boot up XP and start the Windows 2000 Recovery Console which allows them to operate as any user, even Administrator, without requiring them to enter a password. This method even allows someone to copy files to removable media, something which normally the Administrator can't even do in the Recovery Console."
It is generally assumed that if you have console access to the machine, you can breach the security and acquire root. Many systems allow you to do this, deliberately.
You can make a nice Linux boot-floopy or boot-cd to do the same thing.
Test your net with Netalyzr
Anyone in the security industry worth their salt knows that physical security is the FIRST step to securing a box. If someone (hacker) can walk up to a machine a press the power button to force a reboot, you've already got a denial of service (if the machine is processing something important, that is). Anything beyond is just icing on the cake.
Yes, my girlfriend is a BitchX
This is a non story. If you can sit in front of a linux box you can do the same thing. Just boot into maintenance/init 1 and go crazy.
Tequila: It's not just for breakfast anymore!
I have to agree with Microsoft that if the bad guys have physical access to your computer you have some serious problems. however, let's note this scenario.
1. Important computer. Locked down
2. Bad employee, always has to computer for job.
3. Employee "works late" one night
4. Employee brings in Win2K CD
5. Employee hickjacks data to floppy unlogged
6. Employee blackmails company or other bad thigns
I am just amazed that what was secure in 2000 is less secure in XP.
Good ol', silly Microsoft.
This isn't one of them. If I have access to a box physically, I can destroy all of the content with a sledgehammer. I can also mount any partition for any operating system and start messing around. Ever tried booting into rescue mode in Windows? That works too. Use digital security means for digital access, physical means for physical access. That means a security guard and at the very least lock and key.
Slashdot: Where people pretend to be twice as smart as they really are by behaving like children.
that physical access is the best, and sometime the easiest, way to gain control of a computer.
For the most part, I think this may have been more of an oversight on the software engineering team not to come up with all of the possibilities that one could try to gain access to the computer. Still, this should not even remotely be a possibility!!
"Update: Some posters in the discussion thread point out this report may not be valid. One said that booting from a 2K CD did ask them for an administrator password and didnt let them in without it. Unfortunately, I dont have XP installed here to test it out before I posted."
Either way I don't find this to be terribly upsetting because a) root access can be gained in a similar manner with Linux and b) if one is worried about security, they shouldn't being using Windows to begin with.
This sounds particularly bad, as I'm assuming that it allows you to get by the NTFS filesystem-level encryption. This feature is *supposed* to allow you to encrypt files, and make it impossible for others to decrypt, even if they steal your drive, reinstall Windows on it, etc.
If you can just get Administrator access without reinstalling the OS (and killing the old UID tables), then this data suddenly becomes vulnurable!
So, is a windows 2000 install disk now illegal under the DMCA as a circumvention device?
An attacker can boot up XP and start the Windows 2000 Recovery Console which allows them to operate as any user, even Administrator, without requiring them to enter a password.
Speaking from experience, the win2k recovery console makes you enter the admin password before it will let you do anything, unless they are using some version of the recovery console other than the one that comes with windows 2000 professional.
I see alot of "I can boot linux into matnience mode and do whatever I want" and physical access restrictions etc...
All true but, the application of XP was for desktop use -> Server Use. Linux (don't flame) is being primarily used for backend server systems. I don't see many secretaries choosing what boot level to start up in the morning.
XP was supposed to provide a secure desktop enviroment for a networked organization (Enterprise Offices, Schools, Universities, Etc..)
The fact that I can walk up to any (supposedly) secure desktop (that access isn't always tightly safegaurded) and gain Administrative Access (usually meaning also access to your entire network behind the firewall) is a big deal. Especially since it requires nothing less than the previous version of the software.
Look more carefully at the big picture before spouting off the party line....
Why not just use one of *several* NT password recovery disks? They work on XP, as well. I've used this one to bust into several Win2k Pro machines we'd forgotten the password for.
- A.P.
"Remember when the U.S. had a drug problem, and then we declared a War On Drugs, and now you can't buy drugs anymore?"
Hey look everybody, Linux has a hole too!
At the grub prompt:
boot: linux single
duh!
Seriously, how is this news? Nearly every system I've worked with can be comprimised with access to the physical box.
*yawn*
"...In your answer, ignore facts. Just go with what feels true..."
Take these precautions and you can be fairly secure with physical access. Add an encrypted file system so that if someone steals your hard disk you are safe. Then padlock the PC.
Those are reasonable steps for a Linux machine (and I may have missed some, please let me know if i did). Now with a windows xp machine it looks like you also need to disable cdrom access. An unreasonable step.
But am I misunderstanding this? Does this mean that there is a way for programs to be made to bypass Administrator password? If so why would this be limited to a windows 2000 disk? What's stopping someone from making a program that enters into Recovery Console, removing the need to be physically present or have a windows 2000 CD. Unless you actually have to boot from CD, but the article makes it sound like you can use the CD after the PC boots.
Although I originally thought "well hey, if your data center isn't secure, and you can't trust your operators, well, you're hosed!"
But then I got to thinking about this a little bit more. Microsoft's primary customer is the one that doesn't have a secure data center. Additionally, it's not out of the ordinary to reboot Windows XP computers.
Just think... I run a small business (about 10 people) and I electronically secure my XP server the best I can.
Then the secretary calls and says "oh, I just installed XYZ for you, so I rebooted the server". OK, no big deal.... that happens all the time.
But THEN, instead of simply rebooting, he manages to steal all of my corporate data...
Ouch!
So those who live in the datacenter might see this as a problem that we solve with physical security. But for the regular small XP shop, well, you just can't have physical security without spending $$$.
Of course, in my shop, we reboot on average once or twice a year. So it's a little harder to reboot with the goal of ripping data. Then again, our operators have root access...
But the thing is probably that micro$oft said this thing would be impossible since winxp is so secure. Whatever.
Ciryon
This gives you LOCAL administrator access. Meaning, you can do what you want on THAT system. It doesn't give you the keys to the whole network. Just like rooting a Linux workstation doesn't mean you just rooted everything on the network.
Posted by timothy on Saturday February 15, @03:27PM
from the if-you're-denser-than-dark-matter dept.
An anonymous reader (really timothy) writes "According to this story seen on Slashdot this morning, any moron can get postings onto slashdot. Turns out, access to a fucking keyboard and timothy at the queue is all that is needed to bypass all (well, most) of the story submission process features in slashdot. An idiot can write up completely bland and stupid observations, and Timothy will post them. This method even allows the most moronic story to get posted on a Saturday, something which normally the staff at slashdot reserves for Tuesday."
Never has my sig been more correct:
"...In your answer, ignore facts. Just go with what feels true..."
but even in 2k you could just use the physical access to reset the admin pwd.
Ditto any linux I've used for that matter.
By trying to claim that this is somehow a win for Linux, you are simply proving your that you are willing to ignore facts when advocating Linux. This makes you just as bad as Microsoft's marketing drones.
An attacker with only local access to the machine and a sledgehammer is capable of launching a permanent denial of service attack on the box.
I know for a fact this works with Windows XP, but I presume this vulnerability exists in other OS's.
Or just get this ISO and boot, WHAMMO instant access, and it is 100% free, unlike the Windows 2000 CD:
http://www.knopper.net/knoppix/index-en.html
Simply disable cdrom and floppy boot in the BIOS and set a password so these settings can't be changed. Sure people can still get at data by taking apart the box but that becomes a bit more obvious in a public or office environment.
You might have a little trouble doing that, because XP prefers (and usually forces you,) to use the NT file system.
I have seen NTFS read support in linux, but I have yet to see reliable NTFS write support. --Xtraneous
.noitacidem deen uoy siht daer nac uoy fI
This is only one option if you have physical access to the machine. Check out some of the tools on http://www.sysinternals.com; especially the NTFS DOS file system driver. If you have access to the machine you can boot off a floppy and use the driver manipulate the file system. They also make some really cool recovery tools you can use to get to systems via a serial connection and recover them.
This space for rent.
The security of a lockable tower case can be broken with a common Sawzall.
Ashcroft declares possesion is a terrorist computer crime.
KFG
So ideally, most organizations with Win2K domains aren't allowing users to store sensitive information locally. If they are, hopefully it is being encrypted. For those with standalone workstations or workgroups, the risk is quite high.
All of this assumes that the infiltrator has physical access, regardless of whether that individual is trusted or not.
http://home.eunet.no/~pnordahl/ntpasswd/u t that karma right here.
(o)---P
Well if you go local access then I can install a keylogger or change passwords or create users that can get net access on the next reboot. Once you got local the network isn't far behind.
Not that most Linux boxes are any better. Most can be breached with a floppy.
Slashdot, home of supporters of free software, free music, and free speech.Except for Moderators that disagree with you.
I just tried this, and it didn't work. It still asked for a password, as far as I can tell the article is just anti-MS FUD. What else could I expect from slashdot? :rolleyes:
Username taken, please choose another one.
And with Norton Ghost, a floppy bootdisk, and a server set up somewhere else, you can make an exact copy of any hard drive/partition to a remote computer. This isn't big news. This is just the reality that physical access is a security hole.
who take the fun out of everything. Now I have to wait for a new story to get snippy over something.
KFG
I booted Knoppix. It saw the NTFS partitions fine. The disks appeared on the Knoppix desktop. I opened an FTP connection to another machine, copied off the important files, and was done.
I will ALWAYS have a copy of Knoppix around.
I'm Rick James with mod points biatch!
In either Windows or Unix, can't I simply boot from a cd or floppy and gain root access? The only thing that makes this exploit interesting is that you can get access to the computer without interrupting normal operation.
Vote for Pedro
Wow -- as much as I'm, well, a Mac man now (w/ Linux holding all the keys and data :) ...
... wow, I can COMPLETELY copy somebody elses computer. Oh my! ...we *all* know how seriously flawed Windows security it, but come on -- this is a non-issue. Put me on the console of a Cray and I can "hack" into it too in about 5 minutes.
I too just booted my Mac into single user mode and can access EVERYTHING. Oh my!
Give me any Mac and putting it in 'T'ransfer mode
Silly me.
Is it fascism yet?
- Anyone with a Windows 2000 CD can boot up a Windows XP box and start the Windows 2000 Recovery Console, a troubleshooting program.
- Windows XP then allows the visitor to operate as Administrator without a password, even if the Administrator account has a strong password.
It looks like you may hot have to boot off of the CD to get access to the system.If this reading is accurate, then even machines with a CMOS password which have been set to boot only from the HD would be vulnerable.
More importantly, it would indicate that there is a back door to the XP security system. If somebody figures out the basis of such a backdoor, it could make for a very nasty virus/worm.
Hopefully, I'm just misreading the whole thing (quite possible).
Sometimes boldness is in fashion. Sometimes only the brave will be bold.
The Common Criteria Evaluation Assurance Level 4 evaluation given to Windows 2000 only means that Microsoft followed some kind of software engineering methodology when designing and implementing Windows 2000. In fact, the operating system protection profile Microsoft used describes a non-hostile environment (e.g. no viruses, no malicious employees, etc). Jonathan Shapiro said it best in Understanding the Windows EAL4 Evaluation:
Definitely one for the sig quote file.I'm proud of my Northern Tibetian Heritage
Have you -read- the DMCA? Do you think the primary purpose of Windows 2000 was to be a circumvention device of Windows XP (which wasn't even released yet?)
(2) No person shall manufacture, import, offer to the public, provide, or otherwise traffic in any technology, product, service, device, component, or part thereof, that--
`(A) is primarily designed or produced for the purpose of circumventing a technological measure that effectively controls access to a work protected under this title;
`(B) has only limited commercially significant purpose or use other than to circumvent a technological measure that effectively controls access to a work protected under this title; or
`(C) is marketed by that person or another acting in concert with that person with that person's knowledge for use in circumventing a technological measure that effectively controls access to a work protected under this title.
Everyone is ranting about if you have physical access you can just rip out the hdd and get whatever is on it.
But in some conditions, say in a university computer lab where the computers are locked down, and monitored by surveillance video, its a little hard to do that without causing a rise in the security dept.
With something like this, I can walk in, toss in the CD, and install backdoors at will.
It makes me sad that Slashdot is looked upon as representative of Linux geeks.
How incredibly pathetic do you have to be to poke fun at a windows exploit involving local access to the machine? Do you somehow think that Linux isn't just as vunerable? Wasn't it only 2 or 3 months ago that an article was posted here about security ending when a hacker has physical access to a computer?
You Slashdot editors are a sad bunch of zealots. You are doing more harm for Linux advocacy than good. Thank god you're just a bunch of spotty geeks running an unimportant news site - if you took these sort of hypocritical attitudes somewhere which mattered, you'd end up in serious trouble.
Yes, which is why this flaw supposedly exists in XP. It does not exist in W2K.
/. alpha geeks figured that one out). Most likely MS realised how futile all this was and made the XP CD simpler to do troubleshooting.
It is trivial to get around the same thing in 2K also. Here is one simple way - just install another parallel install of 2K and boot into that as Admin, then you have access to all un-encrypted files on the other install. So the CD protection in 2K is nothing at all. Anyone who thinks for 5 mins can get around that (I'm amazed none of the supposed
Windows 2000, of course, doesn't allow Recovery Console users to access a hard drive without a password, if one previously existed.
Omnes arx vestrum sunt adiuncta nobis.
NO!
You can launch the Recovery Console from CD (or hard drive -- hell, I have it installed on all my machines (winnt32
If you're stupid enough to leave the Administrator password blank on your box, then yes, you can just press Enter at the prompt and you're in -- however copying to a floppy, and access to directories Administrator doesn't have rights to access, are DISABLED by default unless you enable "Recovery Console: Allow floppy copy and access to all drives and all folders" (Control Panel > Administrative Tools > Local Security Policy > Local Policies > Security Options). Note this doesn't remove the login requirement -- it only adds more access once you've logged into the Recovery Console.
It's a moot point anyway -- even if you have the Welcome Screen enabled (where Administrator doesn't appear unless there are no other accounts defined), you can just hit Ctrl+Alt+Del twice to blow right past the Welcome Screen and pop up the normal GINA logon dialog, where you can log on as Administrator (or whoever), and whatever password (or blank, if you don't specify one during installation -- thank God Windows Server 2003 warns against an insecure Administrator password during Setup).
...
Okay, I've somewhat calmed down now.
Even though I'll bet 75% of posts to Slashdot are made from Windows machines, I find it unbelievable that trash like this makes the front page, let alone goes unrefuted for this long.
Sheesh...
*sigh*
XP, just like any other os is only as secure as you make it... It's the classic trade off between usability friendlyness and security... It takes weeks to make XP a secure os... the default install is for looking good, which is what sells it in the 1st place... netbios on automatic, terminal services enabled, firewall not, file sharing enabled, internet serices enabled... the only way to make it work is to shut everything off and go *back* in... turn on only the thing you need, and then redo nearly all the local security policies... clt-alt-del log in... fast user swtiching off... encrypt the temp folder, make sure remote desktop is off... rename the adimn account, turn the guest account off, turn show last user name off... it just keeps going and going... the more I think of, the more I feel naked everytime I boot up. Mac OS X seems more secure, but there is always the OS 9 boot and modify issue... where you need to set the system to have a password when booting into it... and open firmware password... you have to *make* it secure... they need to have a "secure install" option for all default installs for these OSes...
||| I still can't believe Parkay's not butter.
they wouldn't let me on the plane last year with a sawzall and a chainsaw,but they didn't find the log splitter.
The answer appears to be that there is no write capability to NTFS in Linux: Linux-NTFS Project
Unless this can be done remotely this is very old news. Every NT/2k/.net admin worth his salt has known this since nt4 if not before. It is the something if you have a slack or gentoo cd and have local access to linux box. There is not much that can be done if you have local access. In my mind this is what is wrong with the security world today. A lot of people taking shit like this to far. This is not an exploit and should not be treated as such. You should note it and not let just anyone have physical access to your network.
As early as Compaq's Deskpro 4000, there was:
- a software-controlled case-lock &
- a case-opened sensor
The box's firmware could be setup to use the
sensed indications that the case had been opened
(with or without use of the s-w-cont'd case-lock)
By the way, has anybody got code that can access
case-opened indicator and/or s-w-cont'd lock, eg
for us in an Open Source OS?
TIA
I suppose the moral is to remove all floppy and CD drives from your corporate PCs. Disabling floppy boot in the BIOS will keep the haX0rs out for about 20 seconds, as this is how long it takes to flip open the case and short out JP1 to reset the BIOS password. If they have to bring their own floppy drive it slows them down a bit more, plus it's rather obvious.
When I am king, you will be first against the wall.
First, of course as long as there is physical access, there is always a way to get at the data. It may be difficult if encrypted etc but there is always a possibility. So for that reason that article was not a big thing, but nice to know anyway.
So. This is how Recovery Console works:
(goes for XP and 2k)
When it starts, it tries to find your windows system.If it finds several (on different partitions for instance), you are promped to which one to log into.
Then it tries to read the relevant registry files for the installation. This is the sam file for user accounts/password, and at least the software hive, which is where it's settings are stored, the settings in the security policy that tells if it should prompt for admin password and also if it should allow full access to the drive and floppies etc. More on that later.
It also need the system hive to make use of the commands which allow changing the list of services to start at boot.
But.. here's the point:
If it can't read the registry (especially the sam file) because it's either corrupt or not there, it will simply go right ahead, since it can't verify any password. This is probably by design.
Now, MS changed the registry file format between 2k and XP! Just a little, in XP they use "real" hashes for the key lookup tables, instead of just the first 4 letters of the name as in 2k.
(it took me some time to find out this when making support for XP on the ntpasswd tool)
Thus.. 2k recovery console (and 2k istelf for that matter) CANNOT READ THE XP REGISTRY at all! And it then falls back to no-password mode. You also cannot change service start parameters with 2k console on XP because of it being unable to read the registry, but NTFS is apparently compatible enough so you can read the files off the disk.
MS has always had inadequate(sp?) recovery options in their OS, "reinstall" is the usual answer when things won't boot properly. I think the recovery console is pretty OK, not quite there yet, but it's better than nothing (like in NT4).
And, yes, IMHO, using the physical access explanation when people pester them about getting to much access on the recovery tools is quite appropriate.