COMMAND
backdoor
SYSTEMS AFFECTED
Win2000
PROBLEM
Mnemonix found the following. There's been a lot of press recently
about Windows 2000 backdoors such as the NSA key Crypto issue.
Mnemonix was mulling over another "backdoor".
We had Windows 95, then were blessed with 98 and soon Windows 2000
Professional will be out and, according to some, is set to be the
replacement for 98 and installed on a few million PCs around the
world. In preparation for this, Microsoft has made security
"invisible" to the future home user: during the install the
installer is prompted for an Administrator password - which they
set. The installer is also asked to supply the name of the
person the product is to be registered to - for example "David
Litchfield". If the machine is not going to be joined to a
domain, and they never are in the case of a home user, Windows
2000 then silently takes this name and creates an ADMINISTRATIVE
user out of it and does NOT set a password for this account. It
then sets values in the Winlogon registry key to Autologon the
user without having to go through the rigmarole of
Control+Alt+Deleting. Thus security is made invisible.
Now here comes the crunch - there's a Telnet Server installed on
the system, though by default the service is not started. For the
one person that doesn't know what a telnet server is on this
mailing list, a telnet server is where a remote user can access
the computer the telnet server is running on as if they are sat at
that machine, typing commands at a Command Prompt. Big deal, some
may say - the service isn't started.
Guess what - the service can be started remotely by an
administrator using DCOM. All we need then is an Administrative
UserID and password and we can start the telnet service and then
log into and then run commands on it as if we were sat at the
machine! That leaves the question of where do we get an admin
userid and password from? Hey - maybe we could use the "David
Litchfield" account. All we need to do to find out who is logged
onto a particular machine is issue the following command from our
machine:
C:\>nbtstat -A IP_Address
(since when does a PC home user on the 'Net deny NetBIOS based
traffic to access their machine?) and we can get the name of the
user currently logged on - for the home user it'll be the "David
Litchfield" account. Great - Windows 2000 rooted in 3 seconds.
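As an added defensive check that is not part of Mnemonix's post, the following PowerShell script audits a machine for the two conditions described above: Winlogon autologon of an account with no stored password, and a Telnet service that any administrator credential could start. It assumes the standard Winlogon value names (AutoAdminLogon, DefaultUserName, DefaultPassword), the Telnet service name TlntSvr, an elevated session, and a -Remediate switch name chosen here.

```powershell
# Audit (and optionally fix) the autologon + telnet exposure.
# Assumptions: Winlogon values AutoAdminLogon/DefaultUserName/DefaultPassword,
# Telnet service name TlntSvr, elevated session. -Remediate is a name chosen
# for this script, not a Windows option.
param([switch]$Remediate)

$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$wl       = Get-ItemProperty -Path $winlogon
$findings = @()

# 1. Autologon enabled: report the account, whether a password is stored,
#    and whether the account is a local administrator.
if ($wl.AutoAdminLogon -eq '1') {
    $user    = $wl.DefaultUserName
    $blankPw = [string]::IsNullOrEmpty($wl.DefaultPassword)
    $isAdmin = 'unknown'
    try {
        $members = Get-LocalGroupMember -Group 'Administrators' -ErrorAction Stop
        $isAdmin = [bool]($members | Where-Object { $_.Name -like "*\$user" })
    } catch { }   # Get-LocalGroupMember is absent on older hosts
    $findings += "AutoAdminLogon on for '$user' (no stored password: $blankPw; local admin: $isAdmin)"
    if ($Remediate) {
        # Turn autologon off and drop any cleartext password left in the registry.
        Set-ItemProperty   -Path $winlogon -Name AutoAdminLogon -Value '0'
        Remove-ItemProperty -Path $winlogon -Name DefaultPassword -ErrorAction SilentlyContinue
    }
}

# 2. Telnet service installed: a stopped service is still startable by an admin.
$tlnt = Get-Service -Name TlntSvr -ErrorAction SilentlyContinue
if ($tlnt) {
    $findings += "Telnet service present: status=$($tlnt.Status), start type=$($tlnt.StartType)"
    if ($Remediate) {
        Stop-Service -Name TlntSvr -Force -ErrorAction SilentlyContinue
        Set-Service  -Name TlntSvr -StartupType Disabled
    }
}

if ($findings.Count -gt 0) {
    $findings | ForEach-Object { Write-Output "FINDING: $_" }
} else {
    Write-Output 'No autologon or telnet exposure found.'
}
```

Run it once without -Remediate to see the findings, then with -Remediate to disable autologon and the Telnet service; disabling the service also closes the remote-start path, since a disabled service cannot be started by DCOM or by the ActiveX object.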
If this were a back door though, no-one at Microsoft could
be bothered trying IP addresses at random. What they need is
another way to get the telnet service started. One way to do this
is embed some VBScript in an HTML document (or e-mail):
<OBJECT id="tlnt"
  classid="clsid:FE9E48A4-A014-11D1-855C-00A0C944138C">
</OBJECT>
If an HTML document is opened with this script in it the telnet
server will be silently launched - no warnings about dangerous
ActiveX or anything. The user that just opened the document will
have no idea that the telnet server has just been started. So
this begs the question: how do we get a million users to open up a
document that had such code in it? Well, not that Microsoft
would do it, but it would be _really_ easy to do if they wanted
to by using the Windows Update service that keeps on telling you
to update, so in the end you do just to shut the thing up and you're
whisked away to the Microsoft web site where there happens to be
a load of HTML documents. Hmmm.
So, hypothetically, if Microsoft wanted to they could embed this
code in their Windows Update page and start the telnet server -
and guess what - they've just grabbed your IP address, too. All
we're missing is the User ID now - but hey they could get that
using nbtstat if they really wanted to. Even if this isn't a
deliberate backdoor it is one, and shows "great" forward thinking
by the 2000 project team. If MS don't use this door you can bet
the script-kiddiez will be all over this one.
SOLUTION
The Administrator account is no longer started by default, and
there is an open bug on the telnet issue. The product will not
ship without the telnet hole being plugged.