From: Petter Nordahl-Hagen (pnordahl_at_EUNET.NO)
Date: Thu Feb 20 2003 - 09:19:38 CST


    On Wed, 19 Feb 2003, Donovan Bernauer wrote:

    > There's a vulnerability in Windows XP that allows anyone who can modify
    > the BIOS to boot from the CD (or to the NIC for RIS/BOOTP systems) and use
    > the Windows 2000 cd-rom version of the recovery console to freely access
    > the files on an XP box, regardless of most of the configured system
    > security.

    The reason win2k recovery console just allows access when tried on an XP
    system is that there are differences in the registry file format.
    XP has a more true hashing of the key indices in the registry than 2k has
    (NT4 and 2k use simply the first four characters of the name as the index
    "hash"). I discovered this when working on support for XP registry write on
    my regedit library for Linux.

    Recovery Console, by design, will let you in with full access if it
    can't read the registry and the SAM to get at the admin password.
    So recovery console 2k on XP system thinks the registry is corrupt, and
    continues to let people recover their system.

    I personally think a recovery tool should do just that, "hey, something is
    wrong here, oh well, let the user fix it instead of assuming something"

    Also, try to load an XP registry hive into regedt32 in 2k, it won't work,
    at least not in the original 2k release.

    --
    Petter Nordahl-Hagen, pnordahleunet.no
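
The index difference described in this message, as an added example that is not part of the original post and not code from the author's library: it builds two constructed subkey lists, one indexed by the first four characters of each name and one by a hash, and shows that a parser which only knows the older style reports the newer list as unreadable. Assumptions not stated in the post: the `lf`/`lh` signatures, the 2-byte count with 8-byte entries, and the multiply-by-37 hash follow public descriptions of the hive format; the offsets and key names are made up.

```python
import struct

def name_hint(name):
    """NT4/2k-style index value: simply the first four characters of the key name."""
    return name.encode("ascii")[:4].ljust(4, b"\x00")

def name_hash(name):
    """XP-style index value: 32-bit hash of the upper-cased name (assumed: h*37 + char)."""
    h = 0
    for ch in name.upper():
        h = (h * 37 + ord(ch)) & 0xFFFFFFFF
    return h

def build_list(sig, names_at):
    """Build a constructed subkey list: signature, count, then (offset, index value) pairs."""
    out = sig + struct.pack("<H", len(names_at))
    for off, name in names_at.items():
        val = name_hint(name) if sig == b"lf" else struct.pack("<I", name_hash(name))
        out += struct.pack("<I", off) + val
    return out

def parse_list(cell, known=(b"lf", b"lh")):
    """Return (signature, [(offset, index value)]); unknown signatures are an error."""
    if len(cell) < 4 or cell[:2] not in known:
        raise ValueError("unreadable subkey list: %r" % cell[:2])
    count = struct.unpack_from("<H", cell, 2)[0]
    if len(cell) < 4 + 8 * count:
        raise ValueError("truncated subkey list")
    return cell[:2], [struct.unpack_from("<I4s", cell, 4 + 8 * i) for i in range(count)]

def find_subkey(cell, name, names_at, known=(b"lf", b"lh")):
    """Filter candidates by index value, then confirm against the full key name."""
    sig, entries = parse_list(cell, known)
    want = name_hint(name.upper()) if sig == b"lf" else struct.pack("<I", name_hash(name))
    for off, val in entries:
        if (val.upper() if sig == b"lf" else val) == want and names_at[off].upper() == name.upper():
            return off
    return None

def reads_as_corrupt(cell, known):
    """True when a parser that only understands the `known` signatures rejects the list."""
    try:
        parse_list(cell, known)
        return False
    except ValueError:
        return True

NAMES = {0x20: "SAM", 0x80: "SECURITY", 0xE0: "Software"}  # constructed offsets -> key names
LF_CELL = build_list(b"lf", NAMES)  # first-four-characters index (NT4/2k, per the post)
LH_CELL = build_list(b"lh", NAMES)  # hashed index (XP, per the post)
```

Calling `reads_as_corrupt(LH_CELL, (b"lf",))` models the older parser meeting the newer hive: the data is intact, but the reader cannot tell that apart from damage.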
    
