Win2K Pro Exposes System During Install


Reported February 16, 2000 by Stephane Aubert

VERSIONS AFFECTED
Microsoft Windows 2000 Professional

DESCRIPTION

According to Stephane's report, during the installation process of Win2K Pro a user can access the ADMIN$ share under the Administrator account without providing a password. As you know, the ADMIN$ share is mapped by default into the main Windows operating system root directory.

Stephane confirmed that an Administrator password was in fact defined during the installation process. However, according to the observations made, the password did not seem to take effect until after the system had been rebooted. During the interim period before the reboot a person could connect to resources using the Administrator account and a blank password. Although unconfirmed, this condition may imply that the Administrator password could be changed during that time period as well, effectively locking out the person that had just performed the install.

The problem would seem to indicate a race condition where an intruder could manipulate the system during the installation time frame where the network layer had become active, but the system had not yet been rebooted. During that period all available system resources would probably be exposed due to this apparent bug.

Stephane verified the ADMIN$ problem by using the "smbclient" utility that ships with SAMBA distribution packages. Example output from smbclient is shown below. The "smb: \>" prompt at the bottom indicates a successful resource attachment under smbclient.

================


% ./smbclient \\\\WINDOZE\\ADMIN$ -I xxx.yyy.zzz.ttt -U "administrator" -d 0 -N

Unable to open configuration file "/usr/local/samba/lib/smb.conf"!
pm_process retuned false
Can't load /usr/local/samba/lib/smb.conf - run testparm to debug it
Domain=[GROAR] OS=[Windows 5.0] Server=[Windows 2000 LAN Manager]

smb: \>
================

VENDOR RESPONSE

Microsoft has been made aware of the issue and is looking into its details. No official response was known at the time of this writing.

CREDITS
Discovered by Stephane Aubert
