lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <3B5E7DD5ED2A9141ABFD64BB3460069A014485@mail2.kpcom.com>
Date: Tue, 28 Jun 2005 12:44:13 -0700
From: "Michael Hasse" <MichaelH@...om.com>
To: "James Bender" <jbender@...llins.com>,
	"Michael Scheidell" <scheidell@...nap.net>,
	<bugtraq@...urityfocus.com>
Cc: <security@...l.com>,
	<vulnwatch@...nwatch.org>,
	<cert@...t.org>,
	<security@...l.com>
Subject: RE: [VulnWatch] Blank Administrator password in DELL XP Professional install

This is also incredibly old news - it made the rounds years ago when XP
was still in Beta and then again when it was officially released.
   Is there a mailinglist glitch somewhere that's resending past
articles or something...?

-----Original Message-----
From: James Bender [mailto:jbender@...llins.com] 
Sent: Monday, June 27, 2005 8:09 PM
To: Michael Scheidell; bugtraq@...urityfocus.com
Cc: security@...l.com; vulnwatch@...nwatch.org; cert@...t.org;
security@...l.com
Subject: RE: [VulnWatch] Blank Administrator password in DELL XP
Professional install

This is not a vulnerability on just DELL machines.  This is a default
out of the box configuration for any Windows XP Pro, or Windows 2003
Operating System, regardless of type (I.E - OEM, Open, or Retail Box).
 
The real vulnerability to be exposed in something like this is the fact
that Microsoft sets up a "back door" support account on all instances of
Windows XP.  Albeit disabled, this can lead to security risks if the
administrator disables the account.
 
Some Machines implement a local security policy that prevents the local
administrator from logging on locally, and only allowing the "USERS" to
log in to the machine.
 
Like I said before, it's not a "DELL" issue.  Perhaps DELL is being
targeted since the OEM software defaults that way.  I have installed
Windows XP fresh from Open, OEM, or Retail, and experience the same
thing.  Null Password on Administrator account.  

-JB

________________________________

From: Michael Scheidell [mailto:scheidell@...nap.net]
Sent: Mon 6/27/2005 1:08 PM
To: bugtraq@...urityfocus.com
Cc: security@...l.com; vulnwatch@...nwatch.org; cert@...t.org;
security@...l.com
Subject: [VulnWatch] Blank Administrator password in DELL XP
Professional install



Vulnerability in DELL Windows XP Professional - default hidden
Administrator account allows local Administrator access

Systems: DELL(tm) Laptops with Windows(tm); Professional
Vulnerable: DELL Laptops with pre installed Microsoft Windows XP
Professional SP2
Not Vulnerable: DELL Laptops with Retail Microsoft Windows XP
professional, RTM, SP1 and SP2
Severity: High
Category: Unauthorized Administrator Access
Classification: Default Authentication
BugTraq-ID: tbd
CVE-Number: CAN-1999-0504
Remote Exploit: Maybe
Local Exploit: Yes
Vendor URL: www.dell.com
Author: Michael Scheidell, SECNAP Network Security
Internal Release date: May 31, 2005
Notifications: May 31, 2005, Emailed various security and cert addresses
at DELL
Vendor Response: June 7, 2005: Dell Emailed and requested more
information
SECNAP response: June 7, 2005: Sent Dell serial number and service tag
code on test system
Additional Contact: Emailed Dell on June 14, 2005 to request status
Additional Contact: Emailed Dell on June 21, 2005 to request status,
cc'd original cert and security addresses
FBI Infragard Release: June 24, 2005
Public Release Date: June 27, 2005

Problem:

DELL OEM XP Processional has a default hidden administrator account.
Use of this account will allow anyone with physical access to the
computer to fully control the computer, add spyware, keystroke loggers,
password stealing software and read all files, including temp files,
local files, documents, and any email that has been stored locally.

DELL does not inform the installer of this account, nor give them the
option of putting a password on this account. If a savvy installer finds
the function to change the password for the Administrator account, they
are warned that they could lose data. Security best practices REQUIRE a
password on all administrative (and root) accounts.

See Dell web site on passwords:
Do's: Do's Use passwords with 6 or more characters
Do NOT's: Do not use passwords shorter then 6 characters[mss: I assume
this means blank Administrator passwords also]
http://support.dell.com/support/topics/global.aspx/support/security/secu
rity_2?c=us&cs=19&l=en&s=dhs&~tab=3
There is also a link to Microsoft's Web site on Dell's site
http://www.microsoft.com/smallbusiness/issues/technology/security/5_tips
_for_top_notch_password_security.mspx

Because DELL marketing directly targets large publicly traded
businesses, government agencies, and research organizations, these
systems are used in regulated industries. Healthcare organizations must
be HIPAA compliant; financial institutions must follow GLBA regulations;
publicly traded firms are required to adhere to the Sarbanes-Oxley Act;
federally funded educational organizations are regulated by FERPA, and
government agencies must comply with FISMA regulations. With such
organizations comprising  a major portion of DELL's market share, it
would be advantageous to ensure that products incorporated into DELL
systems would help achieve compliance with such regulations. 

Note: this is similar to the problem found on IBM workstations in
August, 2004 and fixed by IBM with SP2 release:

See: http://www.secnap.com/alerts.php?pg=5

This may not be the first report of this behavior. If others have
reported on this issue before, please let us know: however, we searched
the CVE database and only  found a distantly related problem dating back
to 1999 where there is a warning against default, missing or weak
administrator passwords.

The Common Vulnerabilities and Exposures (CVE) project has assigned the
name CAN-1999-0504 to this issue. This is a candidate for inclusion in
the CVE list (<http://cve.mitre.org>), which standardizes names for
security problems.

A retail setup implementation of Microsoft Windows XP Professional
Edition, "Out-of-Box Experience" (OOBE), requires that the installer be
given the option to add an Administrator account. During the
installation, the XP Installer states : "You must provide a name and an
Administrator password for your computer. Setup creates a user account
called Administrator. You use this account when you need full access to
your computer." While setup will not require that a password actually be
entered, it does stress that one SHOULD be entered. Additionally, the
user is prompted to create a regular user account for general use.

In contrast, the DELL setup implementation of Microsoft Windows XP
Professional Edition does not include such steps. The existence of an
administrator account is never mentioned. Instead, the setup asks: "Who
will use this computer? Type the name of each person who will use this
computer. Windows will create a separate user account for each person so
you can personalize the way you want Windows to organize and display
information, protect your files and computer settings, and customize the
desktop. These names will appear on the Welcome screen in alphabetical
order. When you start Windows, simply click your name on the Welcome
screen to begin. If you want to set passwords and limit permissions for
each user, or add more user accounts after you finish setting up
Windows, just click CONTROL PANEL in the START menu, and then click USER
ACCOUNTS." By default, none of the accounts added in this step have
passwords. Nor is their an option to set passwords during the install.
While this is not unique to the IBM install, it is a known weakness in
the Windows XP OOBE, including retail and OEM versions. Because the
Administrator account was never requested, this leaves the system in a
very vulnerable state.

Local Exploit :
If Windows XP Professional is installed as part of a Windows Domain, the
user selection menu is absent . If there is a user menu, hit
<ctl><alt><del><ctl><alt><del> to pull the menu up

Type 'Administrator' in the Username Box.
Leave the Password Box Empty.
If there is a domain in the Domain Box, change it to the local computer
Hit Enter
You now have full control over this system and can install keystroke
loggers, capture passwords, install network sniffers, browse (and
change) cookies of the users, read and copy any local documents or files

Remote Exploit:
Remote exploit is not possible unless someone changed the security
feature that disabled network access for accounts with blank passwords
If remote access is possible, use MACHINENAME/Administrator as the user
authentication when connecting to the $SYSTEM or $C share.
If you gain access, you can remotely load, install, read, take over the
computer.

Work Around
By using the Computer Management application and looking under 'System
Tools->Local Users and Groups->Users', we see that the Administrator
account has been added and enabled. This account IS NOT
password-protected. If the installer sets a password for EVERY user
shown under the User Accounts tool in the Control Panel, THE DEFAULT
ADMINISTRATOR ACCOUNT STILL EXISTS WITH NO PASSWORD.

The Installation Setup never informed the user that the account existed.
If a user attempts to manually set a password for the Administrator
account, they are greeted with the following warning: "Password for
Administrator: Resetting this password might cause irreversible loss of
information for this user account. For security reasons, Windows
protects certain information by making it impossible to access if the
user's password is reset. This data loss will occur the next time the
user logs off. You should use this command only if a user has forgotten
his or her password and does not have a password reset disk. If this
user has created a password reset disk, then he or she should use that
disk to set the password. If the user knows the password and wants to
change it, he or she should log in, then press CTRL+ALT+DELETE and click
Change Password. For additional information, click Help. [Proceed]
[Cancel] [Help]." This warning exists in all versions of Windows XP, but
it is not presented from the Control Panel Users Accounts tool. If a
password is changed from the Control Panel's User Accounts section, no
such warning is issue; but, again, the Administrator account is hidden
from User Accounts.

In summary, Due to the lack of an Administrative Setup screen for the
DELL Windows XP OOBE flow, it is more difficult for a security-conscious
organization to manage a Windows XP-based DELL environment. In order to
protect a system, several unintuitive additional steps must be taken on
each systems in the environment, despite warnings against taking such
steps.

SECNAP has tested this situation against DELL Windows XP Pro SP2. SECNAP
also recommends that DELL notify all existing registered clients using
the vulnerable systems to upgrade, possibly to a DELL-released patch, or
modified version of SP2, that would additionally address the issues.

Vendor Response
On Jun 7th, 2005, Vendor requested and received serial number, service
tag and OOBEINFO.INI from the test computer
We attempted to contact them again on June 14th, and June 21st. No
response

Credit:
Original alert on IBM Workstation by Jason Lash, SECNAP Network
Security, www.secnap.com, research on DELL Laptops by Michael Scheidell,
SECNAP Network Security.
An original copy of this alert can be found here release:
http://www.secnap.com/alerts.php?pg=8

Copyright:
Above Copyright(c) 2005, SECNAP Network Security Corporation. World
rights
reserved.

This security report can be copied and redistributed electronically
provided it is not edited and is quoted in its entirety without written
consent of SECNAP Network Security Corporation. Additional information
or permission may be obtained by contacting SECNAP Network Security at
561-999-5000
 
   The information contained in this e-mail message may be privileged
and is confidential information intended only for the use of the
recipient, or any employee or agent responsible to deliver it to the
intended recipient.  Any use, distribution, transmittal or
re-transmittal by persons who are not intended recipients of this e-mail
may be a violation of law and is strictly prohibited.  If you have
received this communication in error, please notify the sender
immediately and destroy the original message and all attachments from
your electronic files.
   Kibble & Prentice operates in the State of California under the name
of Kibble & Prentice Holding Company dba/aka Kibble & Prentice Insurance
Agency (0E28835).
 
 



Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ