The Windows Flaw That Cracks Amazon Web Services

Nerval's Lobster writes "Developer and editor Jeff Cogswell decided to poke around the security of Amazon Web Services, and found a potential loophole that could theoretically allow anyone — a developer, an unscrupulous Amazon employee, the NSA — to access and copy data volumes stored on the system, using a slightly modified version of the popular 'chntwp' password tool. In this article, he breaks down how he did it, and suggests some ways for those who use cloud-hosting services to keep their data a little more secure in the future. 'The key here, of course, is that an unscrupulous employee might be able to make a copy of any existing Windows volume, and go to work on it without the customer ever knowing that it happened,' he writes. 'Now let's be clear: I'm not accusing anyone of having done this; in fact, I doubt anybody has, considering I was unable to find a working copy of chntpw until I modified it.' It's a security concern, and one that's particularly insidious to patch."

So stupid.

[MindStalker]

If you mount your Windows harddrive in Linux without using Encryption you can access all your Data?

Not news at all. You can do this on any operating system of any type assuming your not using an encrypted system.

Not a new problem

[Imagix]

Oh look, it's yet another case of "If you have physical access to the server, all bets are off.". If you can clone the volume, you effectively have physical access to the server. This isn't a new vulnerability. Just another case of "It's on the webz, it must a a completely novel thing!".

Why make it complicated?

[Empiric]

1. Take a Windows server on Amazon Web Services, make a copy of the hard drive (which Amazon calls a volume),

If you can do this, the system is already compromised in a dozen different, less-interesting, ways.

The question is whether you can do this without already having the passwords, with EC2's existing security. I see no evidence from the article he can.

Without that, the claim is half gratuitous cleverness, half FUD of an attention-grabbing vendor name, to my eyes.

Re:Vulnerable?

[chuckinator]

chntpw has been in the wild since 1997. It's wonderful that the researcher just realized that it works on cloud volumes just as well as physical volumes, but this it flat out not news. It's also mitigated by deploying an Active Directory domain controller if you want to stick with windows or rolling one yourself with krb5/ldap/samba/etc. if you want your backend servers running unix of whatever variant you like.

Earth-shattering

[davidbrit2]

Unencrypted volumes can be easily modified when mounted on a different system; film at 11.

Re:Vulnerable?

[ron_ivi]

And this isn't even a vulnerability.

The ability to share disks by copying or moving them from one machine to another is an AWS feature.

It's common that you'd launch a high-CPU compute node (which might be windows) to prepare a set of data on a disk; and then kill that expensive high-CPU node when the data's ready; and move the disk to another machine (which might be running Linux).

Isn't that exactly what the author described?

Re:So stupid.

[tgd]

If you mount your Windows harddrive in Linux without using Encryption you can access all your Data?

Not news at all. You can do this on any operating system of any type assuming your not using an encrypted system.

Or dupe your Linux virtual harddrive in Linux... or Windows ... or OSX... and do the same thing.

Its a stupid flamebait article. Shame after all this time we still can't moderate the articles themselves on /.

Re:About Jeff

[cbhacking]

Really? You "enjoyed" a reading the "discoveries" of somebody who didn't even realize that psexec requires Admin, at which point the whole thing is completely moot? You want to know how else I can replace the password on the Administrator account? Computer Management (mmc.exe, as Admin please), Local Users and Groups, Users, Administrator, right-click, Reset password.

But that doesn't let him talk about how 1337 he is for tweaking an outdated program to work on a modern Windows version... Seriously, the guy is a bit of an idiot. Calling it a Windows vuln was icing on the cake; if anything, this kind of "exploit" is actually easier on Linux.

There's "out-of-the-box thinking and problem solving" and then there's "I don't know what the fuck I'm talking about but have you heard of this cool program that lets you totally break Windows security guys?!?" I hang out a lot in the security community, and I see this sort of shit all the time. I've never seen anybody who started out spewing this kind of idiocy ever actually amount to anything even years later, though. They never actually learn. That garbage he posted in the article? that's probably as smart as he will ever get with regard to security, because he doesn't even understand the basic concept of what user accounts or access permissions *are*. Not doesn't understand them - hell, at least on Windows, that's hardly anything unusual - he doesn't even know what they are. For example, you can access the SAM just fine without using SYSTEM at all; just use Admin privileges to modify the ACLs on the SAM registry key. He's not even aware that there *are* such things as ACLs; he just thinks it's "magic" that SYSTEM can do some things that everybody else (because he runs as Admin, because he doesn't have any idea why you wouldn't) can't do.