Crack Windows XP With... Windows 2000

An anonymous reader writes "According to this story seen on Brian's Buzz on Windows, access to a Windows 2000 CD is all that is needed to bypass all (well, most) Windows XP security features. An attacker can boot up XP and start the Windows 2000 Recovery Console which allows them to operate as any user, even Administrator, without requiring them to enter a password. This method even allows someone to copy files to removable media, something which normally the Administrator can't even do in the Recovery Console."

So what?

[nweaver (113078)]

It is generally assumed that if you have console access to the machine, you can breach the security and acquire root. Many systems allow you to do this, deliberately.

You can make a nice Linux boot-floopy or boot-cd to do the same thing.

Re:So what?

[lonoak (38287)]

In Linux (also in win) you have many different ways to protect your partitions:

http://koeln.ccc.de/archiv/drt/crypto/linux-disk.h tml [koeln.ccc.de]

I think that the difference is important; in Linux everybody know the way to mount partitions and retrieve/change the info inside them. In windows it's suppossed you can't do that.

Re:So what?

[afidel (530433)]

No it is NOT assumed that partitions can not be mounted, in fact it has been possible to use NTFS for DOS drivers from sysinternals to mount partitions since NT4. That is why if you want security you turn on EFS and encrypt any important directories.

Re:well

[Xtraneous (594376)]

You might have a little trouble doing that, because XP prefers (and usually forces you,) to use the NT file system.

I have seen NTFS read support in linux, but I have yet to see reliable NTFS write support. --Xtraneous

Re:So what?

[NineNine (235196)]

Yes, which is why this flaw supposedly exists in XP. It does not exist in W2K.

Re:So what?

[shamilton (619422)]

This is nothing more than a red herring. If somebody has physical access to your box, then your security has been breached. Passwords aren't going to protect you from having your hard drive removed. An encrypted filesystem, however, will.

sh

Re:So what?

[slaker (53818)]

Tried it this afternoon on one of my 2000 Servers and an XP Pro disc. I was greeted by a password prompt.

The default local security policy on every XP box I have access to seems to require authentication, but at the same time, more than half of the XP boxes I have access to also have an admin-level account that does NOT have a password on it, at all.

Trash

[DoraLives (622001)]

And to think that I was considering giving away my W2000 cd, figuring that it was more or less useless at this stage of the game.

Silly me.

Re:So what?

[dattaway (3088)]

Why is the /home/ filesystem not by default encrypted with the users' passwords?

This wouldn't be a bad idea if we made use of the chattr option to set the encropytion bit for files or directories. This could be set as default for the user's home directory and could be toggled off for non sensitive material.

I see a HOWTO brewing...

Re:So what?

[Forgotten (225254)]

At best you can slow someone down. You have to have the key somewhere in order to mount the filesystem. If I have access to the media, I can find it. If it's in flash ROM somewhere, I can still find it. If it's in the CPU itself, TCPA-style, with physical access I can still eventually find it. Unless the system's only access to its own key is some sort of quantum-encrypted optical fibre, I can eventually reproduce the same access required to actually use the data. And there's an important point here which pervades all of information security - the system cannot discern the difference between legitimate and illegimate uses, because the illegitimate user can imitate the legitimate one to any degree required (further because the difference between them is social, not technical). This is true of a buffer overflow as of breaking in to a hosting facility and removing a hard drive.

Physical access means complete access, particularly where the attacker has the ability to interrupt the system's operation (as here, where a reboot is implied). This is why information security necessarily comprises physical security (and lets not even get into social engineering attacks while the system is already running.

Encrypted filesystems are useful for archival storage and transport of data, though. The problem starts, as always, when you want to take them out of the vault in the concrete block at the bottom of the lake and actually use them. ;)

Re:So what?

[error0x100 (516413)]

1) You can password protect the bios and set it so it only boots off the designated hard drive.

Meaningless. If someone has physical access to your machine, the BIOS can be reset by connecting a jumper in the box.

2) You can configure both grub and lilo so you can't change the default boot level without a password.

Meaningless. If someone has physical access to your machine, they just connect the hard disk as non-primary in another Linux machine, and mount the drive.

3) The Linux kernel supports efs (encrypted file system) through the loop back device. Choose you're favorite method of encryption: triple des, serpent, aes,....

Ah, thats better.

Re:So what?

[lseltzer (311306)]

>>Hence option 1

Hence there is no difference in this regard between Windows and every other operating system.

And as usual...

[vslashg (209560)]

...if someone has physical access to your machine, all other security is off.

not losing security

[www.sorehands.com (142825)]

If someone has physical access to the machine, the machine and data may be lost, but the data should not get into the wrong hands.

so what

[ZeekWatson (188017)]

I can reboot linux into single user mode without a password also.

The first rule of security is removing console access.

How does this have anything to do with Security?

[tsmit (222375)]

Anyone in the security industry worth their salt knows that physical security is the FIRST step to securing a box. If someone (hacker) can walk up to a machine a press the power button to force a reboot, you've already got a denial of service (if the machine is processing something important, that is). Anything beyond is just icing on the cake.

Silly Microsoft

[goldid (310307)]

I have to agree with Microsoft that if the bad guys have physical access to your computer you have some serious problems. however, let's note this scenario.

1. Important computer. Locked down
2. Bad employee, always has to computer for job.
3. Employee "works late" one night
4. Employee brings in Win2K CD
5. Employee hickjacks data to floppy unlogged
6. Employee blackmails company or other bad thigns

I am just amazed that what was secure in 2000 is less secure in XP.

Good ol', silly Microsoft.

Re:Silly Microsoft

[tshak (173364)]

5. Employee hickjacks data to floppy unlogged

6. Employee finds out that data is all encrypted and is unable to use the data to his/her advantage.

NTFS encryption is available, and much safer means of encrypting your files are also available. Encryption is your only defense against someone who has physical access to your machine.

Windows has numerous security flaws but...

[GreyWolf3000 (468618)]

This isn't one of them. If I have access to a box physically, I can destroy all of the content with a sledgehammer. I can also mount any partition for any operating system and start messing around. Ever tried booting into rescue mode in Windows? That works too. Use digital security means for digital access, physical means for physical access. That means a security guard and at the very least lock and key.

Not a big deal!

[Longinus (601448)]

You can do the same thing to Linux with a boot floppy. Also, Ars [arstechnica.com] is carrying this story, but with the follow observations from readers:

"Update: Some posters in the discussion thread point out this report may not be valid. One said that booting from a 2K CD did ask them for an administrator password and didnt let them in without it. Unfortunately, I dont have XP installed here to test it out before I posted."

Either way I don't find this to be terribly upsetting because a) root access can be gained in a similar manner with Linux and b) if one is worried about security, they shouldn't being using Windows to begin with.

Re:Not a big deal!

[tmark (230091)]

You can do the same thing to Linux with a boot floppy.

You do realize, I hope, that the fact that Linux is, and has always been, vulnerable to a boot disk "attack" (just like /.'s other beloved OS, OS X) is irrelevant here, as neither vulnerability outlines the crappiness of Windows.

Goodbye NTFS encryption?

[GraZZ (9716)]

This sounds particularly bad, as I'm assuming that it allows you to get by the NTFS filesystem-level encryption. This feature is *supposed* to allow you to encrypt files, and make it impossible for others to decrypt, even if they steal your drive, reinstall Windows on it, etc.

If you can just get Administrator access without reinstalling the OS (and killing the old UID tables), then this data suddenly becomes vulnurable!

DMCA

[_UnderTow_ (86073)]

So, is a windows 2000 install disk now illegal under the DMCA as a circumvention device?

Re:DMCA

[Shelled (81123)]

Apparently so is the F8 key when used during a reboot.

Wannabe slashdot lawyers

[by Anonymous Coward]

Have you -read- the DMCA? Do you think the primary purpose of Windows 2000 was to be a circumvention device of Windows XP (which wasn't even released yet?)

(2) No person shall manufacture, import, offer to the public, provide, or otherwise traffic in any technology, product, service, device, component, or part thereof, that--

`(A) is primarily designed or produced for the purpose of circumventing a technological measure that effectively controls access to a work protected under this title;

`(B) has only limited commercially significant purpose or use other than to circumvent a technological measure that effectively controls access to a work protected under this title; or

`(C) is marketed by that person or another acting in concert with that person with that person's knowledge for use in circumventing a technological measure that effectively controls access to a work protected under this title.

umm no..

[Suppafly (179830)]

An attacker can boot up XP and start the Windows 2000 Recovery Console which allows them to operate as any user, even Administrator, without requiring them to enter a password.

Speaking from experience, the win2k recovery console makes you enter the admin password before it will let you do anything, unless they are using some version of the recovery console other than the one that comes with windows 2000 professional.

RTFA

[almightyjustin (518967)]

That's true, if you use the CD on a Win2k system. It's apparently different if you use the Win2k CD with an XP system. Notice this line in the article:

Windows 2000, of course, doesn't allow Recovery Console users to access a hard drive without a password, if one previously existed.

Different Uses

[Peridriga (308995)]

I see alot of "I can boot linux into matnience mode and do whatever I want" and physical access restrictions etc...

All true but, the application of XP was for desktop use -> Server Use. Linux (don't flame) is being primarily used for backend server systems. I don't see many secretaries choosing what boot level to start up in the morning.

XP was supposed to provide a secure desktop enviroment for a networked organization (Enterprise Offices, Schools, Universities, Etc..)

The fact that I can walk up to any (supposedly) secure desktop (that access isn't always tightly safegaurded) and gain Administrative Access (usually meaning also access to your entire network behind the firewall) is a big deal. Especially since it requires nothing less than the previous version of the software.

Look more carefully at the big picture before spouting off the party line....

Sigh.

[NetJunkie (56134)]

This gives you LOCAL administrator access. Meaning, you can do what you want on THAT system. It doesn't give you the keys to the whole network. Just like rooting a Linux workstation doesn't mean you just rooted everything on the network.

And that stops network access how?

[nlinecomputers (602059)]

Well if you go local access then I can install a keylogger or change passwords or create users that can get net access on the next reboot. Once you got local the network isn't far behind.

Not that most Linux boxes are any better. Most can be breached with a floppy.

Re:Sigh.

[sean23007 (143364)]

Having root access on one machine on the network is a good first step for someone who wants to gain more access all over the network. With root access, keylogger services can be installed and run on that computer, logging everyone's username and password who uses that computer. Additionally, packet sniffers can be installed that can do the same for neighboring computers. Just because this doesn't give a hacker total access to the network immediately doesn't mean it isn't a security concern for the network...

-1 Overrated

[Sanity (1431)]

Come on, we know you love Linux but give it up! - Windows is no more or no less vulnerable than Linux when you have console access as has been pointed out repeatedly. If you can gain access to a computer, be it Linux or Windows XP, you can access the data on that computer.

By trying to claim that this is somehow a win for Linux, you are simply proving your that you are willing to ignore facts when advocating Linux. This makes you just as bad as Microsoft's marketing drones.

Re:-1 Overrated

[Tony-A (29931)]

Windows is no more or no less vulnerable than Linux when you have console access as has been pointed out repeatedly.

Windows is vulnerable when you have console access.
Linux is vulnerable when you have console access.
All vulnerabilities are created equal.
Windows is just as vulnerable as Linux. (or CP/M or DOS)

Actually Linux is effectively less vulnerable since people tend to question why it was rebooted. A freshly rebooted Windows system is considered "normal".

Re:Different Uses

[martinflack (107386)]

I don't see many secretaries choosing what boot level to start up in the morning.

I do, where I work. Some days it's high heels, some days its sandals, generally the boot level gets higher at the end of the week... in fact on Friday they're often wearing those sexy "fuck me" high boots in preparation for going out later.

Err...

[Wakko Warner (324)]

Why not just use one of *several* NT password recovery disks? They work on XP, as well. I've used this one [eunet.no] to bust into several Win2k Pro machines we'd forgotten the password for.

- A.P.

Hey look everybody, Linux has a hole too!

[His name cannot be s (16831)]

Hey look everybody, Linux has a hole too!

At the grub prompt:

boot: linux single

duh!

Seriously, how is this news? Nearly every system I've worked with can be comprimised with access to the physical box.

*yawn*

Physical access

[Tyreth (523822)]

I know that physical access makes a machine vulnerable in most cases. But that is because people don't password their bootloader, don't password their bios and disable boot disks.

Take these precautions and you can be fairly secure with physical access. Add an encrypted file system so that if someone steals your hard disk you are safe. Then padlock the PC.

Those are reasonable steps for a Linux machine (and I may have missed some, please let me know if i did). Now with a windows xp machine it looks like you also need to disable cdrom access. An unreasonable step.

But am I misunderstanding this? Does this mean that there is a way for programs to be made to bypass Administrator password? If so why would this be limited to a windows 2000 disk? What's stopping someone from making a program that enters into Recovery Console, removing the need to be physically present or have a windows 2000 CD. Unless you actually have to boot from CD, but the article makes it sound like you can use the CD after the PC boots.

This IS a bigger issue

[standards (461431)]

Although I originally thought "well hey, if your data center isn't secure, and you can't trust your operators, well, you're hosed!"

But then I got to thinking about this a little bit more. Microsoft's primary customer is the one that doesn't have a secure data center. Additionally, it's not out of the ordinary to reboot Windows XP computers.

Just think... I run a small business (about 10 people) and I electronically secure my XP server the best I can.

Then the secretary calls and says "oh, I just installed XYZ for you, so I rebooted the server". OK, no big deal.... that happens all the time.

But THEN, instead of simply rebooting, he manages to steal all of my corporate data...

Ouch!

So those who live in the datacenter might see this as a problem that we solve with physical security. But for the regular small XP shop, well, you just can't have physical security without spending $$$.

Of course, in my shop, we reboot on average once or twice a year. So it's a little harder to reboot with the goal of ripping data. Then again, our operators have root access...

This strange?

[ciryon (218518)]

It requires physical access to the computer. You can do the same from many operating systems, for instance Linux [virginia.edu] and Mac OS X [macosxhints.com].

But the thing is probably that micro$oft said this thing would be impossible since winxp is so secure. Whatever.

Ciryon

Posted by....

[His name cannot be s (16831)]

Posted by timothy [monkey.org] on Saturday February 15, @03:27PM
from the if-you're-denser-than-dark-matter dept.
An anonymous reader (really timothy) writes "According to this story seen on Slashdot this morning, any moron can get postings onto slashdot. Turns out, access to a fucking keyboard and timothy at the queue is all that is needed to bypass all (well, most) of the story submission process features in slashdot. An idiot can write up completely bland and stupid observations, and Timothy will post them. This method even allows the most moronic story to get posted on a Saturday, something which normally the staff at slashdot reserves for Tuesday."

Never has my sig been more correct:

Knoppix

[jsimon12 (207119)]

Or just get this ISO and boot, WHAMMO instant access, and it is 100% free, unlike the Windows 2000 CD:

http://www.knopper.net/knoppix/index-en.html

Easy enough fix

[VirexEye (572399)]

Simply disable cdrom and floppy boot in the BIOS and set a password so these settings can't be changed. Sure people can still get at data by taking apart the box but that becomes a bit more obvious in a public or office environment.

And this just in. . .

[kfg (145172)]

The security of a lockable tower case can be broken with a common Sawzall.

Ashcroft declares possesion is a terrorist computer crime.

KFG

http://home.eunet.no/~pnordahl/ntpasswd/

[t0qer (230538)]

http://home.eunet.no/~pnordahl/ntpasswd/
(o)---Pu t that karma right here.

What about bootable cd-rom or floppy?

[geekee (591277)]

In either Windows or Unix, can't I simply boot from a cd or floppy and gain root access? The only thing that makes this exploit interesting is that you can get access to the computer without interrupting normal operation.

Encrypting your SAM key

[scubacuda (411898)]

I have not done this, but according to this article [techtarget.com] you can secure your SAM key on XP:

You can encrypt your SAM file with SYSKEY and selecting the option to store the encrypted key on a floppy disk. Keep in mind that the floppy disk will be required during the system boot phase. Storing the encrypted key on the local drive is not as secure, since there are utilities available to manipulate the password hash. Make a backup of the floppy disk and store in a safe, in case your original floppy disk gets damaged.

Equally important to protecting your SAM file, is having an understanding of the services you are running. Make sure that you disable unnecessary services for security reasons and to free up system resources. I've included below some of the services that I would disable by default. Keep a configuration file or maintenance log of the changes made to each host in your peer-to-peer network.

NOTE: Make sure you make a full backup of your system before making changes.

Services to disable:

• Application Layer Gateway Service ? if not using Internet Sharing
• Automatic Updates ? this can work for you or against you; at some point, someone will hack this process to propagate an attack on your system
• Background Intelligent Transfer Service ? used by Windows Update
• Error Reporting Service ? self explanatory
• Internet Connection Firewall ? unless you are sharing Internet
• NetMeeting Remote Desktop Sharing ? enable when you need it
• Remote Access Auto Connection Manager ? unless sharing Internet
• Remote Desktop Help Session Manager ? enable when you need it
• Remote Access Connection Manager ? unless sharing Internet
• Routing and Remote Access ? unless sharing Internet
• TCP NetBIOS Helper Service ? used for WINS
• Terminal Services ? enable when you need it
• Upload Manager
• WebClient

No, No, NO!!!

[alexburke (119254)]

No, No, No.

NO!

You can launch the Recovery Console from CD (or hard drive -- hell, I have it installed on all my machines (winnt32 /cmdcons /unattend), but from within the Recovery Console you can ONLY log on to a Windows installation as Administrator (or whatever account was originally called Administrator if it was renamed), and you *do* require the password for it. NO OTHER ACCOUNT WILL WORK. (You are not even prompted for the user to log in as.)

If you're stupid enough to leave the Administrator password blank on your box, then yes, you can just press Enter at the prompt and you're in -- however copying to a floppy, and access to directories Administrator doesn't have rights to access, are DISABLED by default unless you enable "Recovery Console: Allow floppy copy and access to all drives and all folders" (Control Panel > Administrative Tools > Local Security Policy > Local Policies > Security Options). Note this doesn't remove the login requirement -- it only adds more access once you've logged into the Recovery Console.

It's a moot point anyway -- even if you have the Welcome Screen enabled (where Administrator doesn't appear unless there are no other accounts defined), you can just hit Ctrl+Alt+Del twice to blow right past the Welcome Screen and pop up the normal GINA logon dialog, where you can log on as Administrator (or whoever), and whatever password (or blank, if you don't specify one during installation -- thank God Windows Server 2003 warns against an insecure Administrator password during Setup).

...

Okay, I've somewhat calmed down now.

Even though I'll bet 75% of posts to Slashdot are made from Windows machines, I find it unbelievable that trash like this makes the front page, let alone goes unrefuted for this long.

Sheesh...

*sigh*

Let's trot out this old pony...

[chriso11 (254041)]

Let me get this straight - a windows 2000 CD violates the DCMA...

Re:Shouldn't be possible in XP

[Duds (100634)]

but even in 2k you could just use the physical access to reset the admin pwd.

Ditto any linux I've used for that matter.

Re:Knoppix

[Proc6 (518858)]

And let me be the first to say, Praise Jesus for Knoppix. I had a pair of mirrored disks created in Win2K Server. After the server exploded I put them into an XP Box (NTFS is NTFS right? Wrong.) - I used XP's disk admin to "reactivate disks", as soon as I did that, they became completely unreadable with either XP, or even in a different 2000 server at that point. Many various attempts at various things basically left me with NTFS disks I simply couldnt read with Win2000 or XP.

I booted Knoppix. It saw the NTFS partitions fine. The disks appeared on the Knoppix desktop. I opened an FTP connection to another machine, copied off the important files, and was done.

I will ALWAYS have a copy of Knoppix around.