Subject: Win2K Pro Exposes System During Installation
From: MJE (markNTSHOP.NET)
Date: Thu Feb 17 2000 - 10:48:10 CST
WIN2K PRO EXPOSES SYSTEM DURING INSTALLATION
Reported February 16, 2000 by Stephane Aubert, Stephane.AubertHSC.FR
Microsoft Windows 2000 Professional (Server was not tested)
According to Stephane's report, during the installation process of Win2K Pro
a user can access the ADMIN$ share under the Administrator account without
providing a password. As you know, the ADMIN$ share is mapped by default
into the main Windows operating system root directory.
Stephane confirmed that an Administrator password was in fact defined during
the installation process. However, according to the observations made, the
password did not seem to take effect until after the system had been
rebooted. During the interim period before the reboot a person could connect
to resources using the Administrator account and a blank password. Although
unconfirmed, this condition may imply that the Administrator password could
be changed during that time period as well, effectively locking out the
person that had just performed the install.
The problem would seem to indicate a race condition where an intruder could
manipulate the system during the installation time frame where the network
layer had become active, but the system had not yet been rebooted. During
that period all available system resources would probably be exposed due to
this apparent bug.
Stephane verified the ADMIN$ problem by using the "smbclient" utility that
ships with SAMBA distribution packages. Example output from smbclient is
shown below. The "smb:>" prompt at the bottom indicates a successful resource
attachment under the smbclient.
% ./smbclient \\\\WINDOZE\\ADMIN$ -I xxx.yyy.zzz.ttt -U 'administrator' -d
Unable to open configuration file "/usr/local/samba/lib/smb.conf"!
pm_process retuned false
Can't load /usr/local/samba/lib/smb.conf - run testparm to debug it
Domain=[GROAR] OS=[Windows 5.0] Server=[Windows 2000 LAN Manager]
Microsoft has been made aware of the issue and is looking into its details.
No official response was known at the time of this writing.