Open Source and information security mailing list archives
From: Colin.Scott at csplc.com (Colin.Scott@...lc.com)
Subject: Vulnerability in IBM Windows XP: default hidden Administrator account allows local Administrator access

Yes, sorry, I didn't read it properly.... let's call it advisory reading idiocy on my part...

I still think it's a bit off getting at IBM for this when the XP setup lets you add multiple Admin accounts without passwords anyway.... and if someone's in your house sitting at your machine you've got a whole different set of problems anyway...

Sorry for the misreading and thus more list-noise!

Col.

Stephen Agar <Stephen.Agar@...CC.org>
16/09/2004 15:16

To: "'Colin.Scott@...lc.com'" <Colin.Scott@...lc.com>, Michael Scheidell <scheidell@...nap.net>
cc: bugtraq@...urityfocus.com, full-disclosure@...ts.netsys.com, full-disclosure-admin@...ts.netsys.com, vuln@...urity-corporation.com, vulnwatch@...nwatch.org
Subject: RE: [Full-Disclosure] Vulnerability in IBM Windows XP: default hidden Administrator account allows local Administrator access

From the advisory:

"Remote Exploit: No

Local Exploit: Yes"

and

"Local: Press CTRL+ALT+DEL,DEL to get a login prompt. Enter user name 'Administrator' and NO PASSWORD and Click OK.

Network: Because remote logins using accounts without passwords are disabled, it is not typically possible to login to the system using RDP or remote shares."

I think this was covered in the advisory.

--stephen

________________________________

        From: full-disclosure-admin@...ts.netsys.com [mailto:full-disclosure-admin@...ts.netsys.com] On Behalf Of Colin.Scott@...lc.com
        Sent: Thursday, September 16, 2004 7:16 AM
        To: Michael Scheidell
        Cc: bugtraq@...urityfocus.com; full-disclosure@...ts.netsys.com; full-disclosure-admin@...ts.netsys.com; vuln@...urity-corporation.com; vulnwatch@...nwatch.org
        Subject: Re: [Full-Disclosure] Vulnerability in IBM Windows XP: default hidden Administrator account allows local Administrator access



        Michael,

        It's my understanding that there is a default policy in Windows XP that prevents any accounts from being used over the network if they have blank passwords. This means the IBM machines are no more vulnerable than any other XP machine in a "home" setup.

        Correct me if I'm wrong.... :)

        Colin.

        "Michael Scheidell" <scheidell@...nap.net>
        Sent by: full-disclosure-admin@...ts.netsys.com
        15/09/2004 23:06

                To: <bugtraq@...urityfocus.com>, <vulnwatch@...nwatch.org>, <full-disclosure@...ts.netsys.com>
                cc: <vuln@...urity-corporation.com>
                Subject: [Full-Disclosure] Vulnerability in IBM Windows XP: default hidden Administrator account allows local Administrator access

        Vulnerability in IBM Windows XP default hidden Administrator account allows local Administrator access
        Systems: IBM Workstations, Laptops, etc.
        Vulnerable: IBM Systems with preinstalled Microsoft Windows XP Professional RTM and SP1
        Not Vulnerable: IBM Systems without Windows XP Professional
        Severity: High
        Category: Unauthorized Administrator Access
        Classification: Default Authentication
        BugTraq-ID: TBA
        CVE-Number: CAN-1999-0504
        Remote Exploit: No
        Local Exploit: Yes
        Vendor URL: www.ibm.com
        Author: Jason Lash, SECNAP Network Security
        Internal Release date: August 6, 2004
        Notifications: August 6, 2004: secure@....com, security@....com, cert@....com, askibm@...t.ibm.com, support@....com, askibm@...t.ibm.com,
        August 7, 2004: security-alert@...tin.ibm.com, cert@...ibm.com
        Vendor Response: August 13, 2004
        Public Release date: September 15, 2004

        Discussion:
        ----------
        From www.ibm.com
        Innovation for Business Advantage: IBM helps you become more competitive and on demand by delivering products that offer industry-leading capabilities, improve productivity and reduce the total cost of owning a PC. No other vendor provides as wide a range of PC products, technologies and software to support on demand businesses than IBM.

        Security: As information technology increases in importance, so do the number of threats directed against it; a comprehensive security strategy is essential to protect vital data and to ensure continuity of operations. IBM security solutions will help protect your system and business from network infiltration, data destruction, information theft and unauthorized surveillance.

        Problem:
        -------
        IBM OEM XP and XP SP1 contain a default hidden administrator account. Use of this account will allow anyone with physical access to the computer to fully control the computer, add spyware, keystroke loggers, password stealing software and read all files, including temp files, local files, documents, and any email that has been stored locally. IBM does not inform the installer of this account, does not give them the option of putting a password on this account, and if a savvy installer FINDS the function to change the password for the Administrator account, they are warned that they could lose data. Security best practices REQUIRE a password on all administrative (and root) accounts.

        Because IBM marketing directly targets large publicly traded businesses, government agencies, and research organizations, these systems are used in regulated industries. Healthcare organizations must be HIPAA compliant; financial institutions must follow GLBA regulations; publicly traded firms are required to adhere to the Sarbanes-Oxley Act; federally funded educational organizations are regulated by FERPA, and government agencies must comply with FISMA regulations. With such organizations comprising a major portion of IBM's market share, it would be advantageous to ensure that products incorporated into IBM systems would help achieve compliance with such regulations.

        OEM versions of Windows XP Professional released by Dell, HP and others have not shown similar characteristics; this behavior has only been observed in IBM OEM installations.

        This may not be the first report of this behavior. If others have reported on this issue before, please let us know; however, we searched the CVE database and only found a distantly related problem dating back to 1999 where there is a warning against default, missing or weak administrator passwords.

        The Common Vulnerabilities and Exposures (CVE) project has assigned the name CAN-1999-0504 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-0504> to this issue. This is a candidate for inclusion in the CVE list (<http://cve.mitre.org>), which standardizes names for security problems.

        A retail setup implementation of Microsoft Windows XP Professional Edition, "Out-of-Box Experience" (OOBE), requires that the installer be given the option to add an Administrator account. During the installation, the XP Installer states: "You must provide a name and an Administrator password for your computer. Setup creates a user account called Administrator. You use this account when you need full access to your computer." While setup will not require that a password actually be entered, it does stress that one SHOULD be entered. Additionally, the user is prompted to create a regular user account for general use.

        In contrast, the IBM setup implementation of Microsoft Windows XP Professional Edition does not include such steps. The existence of an administrator account is never mentioned. Instead, the setup asks: "Who will use this computer? Type the name of each person who will use this computer. Windows will create a separate user account for each person so you can personalize the way you want Windows to organize and display information, protect your files and computer settings, and customize the desktop. These names will appear on the Welcome screen in alphabetical order. When you start Windows, simply click your name on the Welcome screen to begin. If you want to set passwords and limit permissions for each user, or add more user accounts after you finish setting up Windows, just click CONTROL PANEL in the START menu, and then click USER ACCOUNTS." By default, none of the accounts added in this step have passwords. Nor is there an option to set passwords during the install. While this is not unique to the IBM install, it is a known weakness in the Windows XP OOBE, including retail and OEM versions. Because the Administrator account was never requested, this leaves the system in a very vulnerable state.

        By using the Computer Management application and looking under 'System Tools->Local Users and Groups->Users', we see that the Administrator account has been added and enabled. This account IS NOT password-protected. If the installer sets a password for EVERY user shown under the User Accounts tool in the Control Panel, THE DEFAULT ADMINISTRATOR ACCOUNT STILL EXISTS WITH NO PASSWORD.

        The Installation Setup never informed the user that the account existed. If a user attempts to manually set a password for the Administrator account, they are greeted with the following warning: "Password for Administrator: Resetting this password might cause irreversible loss of information for this user account. For security reasons, Windows protects certain information by making it impossible to access if the user's password is reset. This data loss will occur the next time the user logs off. You should use this command only if a user has forgotten his or her password and does not have a password reset disk. If this user has created a password reset disk, then he or she should use that disk to set the password. If the user knows the password and wants to change it, he or she should log in, then press CTRL+ALT+DELETE and click Change Password. For additional information, click Help. [Proceed] [Cancel] [Help]." This warning exists in all versions of Windows XP, but it is not presented from the Control Panel User Accounts tool. If a password is changed from the Control Panel's User Accounts section, no such warning is issued; but, again, the Administrator account is hidden from User Accounts.

        In summary, due to the lack of an Administrative Setup screen for the IBM Windows XP OOBE flow, it is more difficult for a security-conscious organization to manage a Windows XP-based IBM environment. In order to protect a system, several unintuitive additional steps must be taken on each system in the environment, despite warnings against taking such steps.

        SECNAP has tested this situation against IBM Windows XP RTM, as well as IBM Windows XP SP1. The vulnerability has existed since IBM began shipping systems with Windows XP. Due to the recent release of XP SP2, an opportunity exists for IBM to remedy this issue in a timely fashion. SECNAP also recommends that IBM notify all existing registered clients using the vulnerable systems to upgrade, possibly to an IBM-released patch, or modified version of SP2, that would additionally address the issues.

        Exploit:
        -------
        Local: Press CTRL+ALT+DEL,DEL to get a login prompt. Enter user name 'Administrator' and NO PASSWORD and Click OK.
        Network: Because remote logins using accounts without passwords are disabled, it is not typically possible to login to the system using RDP or remote shares.

        Mitigation:
        ----------
        Under Control Panel, go to Administrative Tools. Open Computer Management. Go to System Tools->Local Users and Groups->Users. Set a password for the Administrator account. Set a password for all other user accounts.

        Vendor Response: 8/13/2004
        ---------------
        IBM is cooperating with SECNAP concerning these issues. The IBM plan of action is as follows:

        Release a patch to our manufacturing lines that will change the preload to include the standard Microsoft Windows "Set an Administrator Password" Screen as part of the Microsoft Windows XP "Out-of-Box Experience." These are the standard screens defined by Microsoft for OEMs to display during first boot. This patch will be cut into manufacturing during September with all world-wide systems and languages being updated no later than the end of October. This will include both SP1 and SP2 systems (SP1 will be phased out rapidly as Microsoft releases the different language versions to OEMs).

        Provide a "Tip" on the IBM Support Web Site explaining the potential for an Administrator account with no password to be set up and with detailed instructions on how to correct this.

        Deliver a Message via the IBM Message Center to inform customers of a potential exposure and provide the same detailed instructions on how to correct this. Customers must "Opt In" to get message center messages.

        Credit:
        ------
        Jason Lash, SECNAP Network Security, www.secnap.com

        Original copy of this report (once published) can be found here
        <http://www.secnap.com/security/20040806.html>

        Copyright:
        Above Copyright(c) 2004, SECNAP Network Security Corporation. World rights reserved.

        This security report can be copied and redistributed electronically provided it is not edited and is quoted in its entirety without written consent of SECNAP Network Security Corporation. Additional information or permission may be obtained by contacting SECNAP Network Security at 561-999-5000

        _______________________________________________
        Full-Disclosure - We believe in it.
        Charter: http://lists.netsys.com/full-disclosure-charter.html


****************************************************************************************

        This e-mail is confidential and may contain privileged information. If you are not the addressee or if you have received the e-mail in error, it may be unlawful for you to read, copy, distribute, disclose or otherwise use the information which it contains. Under these circumstances, please notify us immediately by returning this mail to 'mailerror@...lc.com' and deleting this e-mail from your system.

        Any views expressed by an individual within this e-mail do not necessarily reflect the views of Cadbury Schweppes Plc or its subsidiaries. Cadbury Schweppes Plc will not be bound by any agreement entered into as a result of this email, unless its intention is clearly evidenced in the body of the email.
        Whilst we have taken reasonable steps to ensure that this e-mail and attachments are free from viruses, recipients are advised to subject this mail to their own virus checking, in keeping with good computing practice. Please note that email received by Cadbury Schweppes Plc or its subsidiaries may be monitored in accordance with the prevailing law in the United Kingdom.

****************************************************************************************
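The thread turns on two points: the advisory's mitigation (put a password on the built-in Administrator account, which the User Accounts control panel never shows, and on every other local account) and Colin's observation that XP's default policy keeps blank-password accounts from being used over the network. The script below is an added audit example written for this page; it is not from the advisory, from SECNAP, from IBM, or from anyone in the thread. It assumes an elevated PowerShell session (2.0 or later, so it relies only on the WinNT ADSI provider and .NET types available there) on the machine being audited, a placeholder value for `$NewPassword`, and that `LimitBlankPasswordUse` is where the "Accounts: Limit local account use of blank passwords to console logon only" policy is stored. It picks out the built-in Administrator by its well-known RID 500 rather than by name, so a renamed account is still found. The remediation step uses `ChangePassword` with the current (empty) password instead of an administrative reset, which is the distinction behind the "irreversible loss of information" warning quoted in the advisory: a change re-keys EFS and other password-protected data, a reset discards it. That a change from an empty old password succeeds on a blank-password account is an assumption to confirm on a test machine before relying on it.

```powershell
# Added local audit example (not part of the advisory or of IBM's material).
# 1. Is the policy that limits blank-password accounts to console logon in force?
# 2. Which local accounts are enabled, and which one is the built-in Administrator?
# 3. Optionally (-Fix) put a password on the built-in Administrator by *changing*
#    it from the empty password, not by resetting it.
param(
    [string]$NewPassword = 'REPLACE-WITH-A-STRONG-PASSPHRASE',   # placeholder, assumption
    [switch]$Fix                                                 # report only unless set
)

# --- 1. Policy check -------------------------------------------------------
# "Accounts: Limit local account use of blank passwords to console logon only"
# is stored as the DWORD LimitBlankPasswordUse under the LSA key (1 = enforced).
$lsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$limit  = (Get-ItemProperty -Path $lsaKey -Name LimitBlankPasswordUse -ErrorAction SilentlyContinue).LimitBlankPasswordUse
if ($limit -eq 1) {
    Write-Output 'LimitBlankPasswordUse=1: blank-password accounts are usable at the console only.'
} else {
    Write-Warning 'LimitBlankPasswordUse is not 1: blank-password accounts may be usable over the network (RDP, shares).'
}

# --- 2. Enumerate local accounts via the WinNT ADSI provider ----------------
$ADS_UF_ACCOUNTDISABLE = 0x0002   # account is disabled
$ADS_UF_PASSWD_NOTREQD = 0x0020   # no password required (policy exemption)

$machine = [ADSI]"WinNT://$env:COMPUTERNAME"
$users   = $machine.Children | Where-Object { $_.SchemaClassName -eq 'user' }

foreach ($u in $users) {
    $name  = $u.Name.Value
    $flags = [int]$u.UserFlags.Value
    $sid   = (New-Object System.Security.Principal.SecurityIdentifier -ArgumentList ($u.objectSid.Value, 0)).Value

    $enabled        = ($flags -band $ADS_UF_ACCOUNTDISABLE) -eq 0
    $noPwdRequired  = ($flags -band $ADS_UF_PASSWD_NOTREQD) -ne 0
    $isBuiltinAdmin = $sid.EndsWith('-500')          # RID 500 survives renaming

    if (-not $enabled) { continue }                   # disabled accounts cannot log on

    $notes = @()
    if ($isBuiltinAdmin) { $notes += 'built-in Administrator (hidden from User Accounts)' }
    if ($noPwdRequired)  { $notes += 'PASSWD_NOTREQD set' }
    $ageDays = [int]($u.PasswordAge.Value / 86400)    # PasswordAge is reported in seconds
    Write-Output ('{0,-20} enabled, password age {1,4} days  {2}' -f $name, $ageDays, ($notes -join ', '))

    # --- 3. Remediation for the built-in Administrator -----------------------
    # ChangePassword(old, new) is a password *change*: it re-keys EFS/DPAPI
    # material, so locally encrypted files stay readable. SetPassword (and the
    # Computer Management "Set Password" dialog) is a *reset*, which is what the
    # advisory's quoted warning is about. With an empty old password the call
    # only succeeds if the account really has no password, so a failure here
    # means a password was already set (assumption: verify on a test machine).
    if ($Fix -and $isBuiltinAdmin) {
        try {
            $u.ChangePassword('', $NewPassword)
            Write-Output "Password set on $name by change (not reset)."
        } catch {
            Write-Output "$name already has a non-blank password, or the change was refused: $($_.Exception.Message)"
        }
    }
}
```

Run it once without `-Fix` to see the policy state and the list of enabled accounts; the advisory's mitigation also calls for a password on every other account, which the report lists so they can be handled the same way, preferably by their owners through CTRL+ALT+DEL / Change Password so that no reset is involved.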
