COMMAND
RedButton Bug
SYSTEMS AFFECTED
Win NT 3.51, 4.0
PROBLEM
NTsecurity.com (Midwestern Commerce, Inc.) has discovered a
security flaw ("RedButton Bug") in Microsoft Windows NT v 3.5x and
4.0 that affects the majority of NT-based networks.
NTsecurity.com has created a software utility called "RedButton"
that demonstrates the risks associated with this security problem.
This information is based on their advisory and the text on their
web site:
http://www.ntsecurity.com/RedButton/
It is explicitly stated by Microsoft (KB Article ID: Q103390) and
accepted by the NT user community that in order to access
resources on an NT computer a remote user should go through a
logon process and either:
- present a valid User Name and Password, or
- log on as Guest if the Guest account is enabled.
The Guest account presents a security threat and according to
Microsoft (KB Article ID: Q101232) should be disabled in order to
enhance security. These security threats are well documented.
There is also a misunderstanding in the NT user community about the
role of the built-in Everyone group. Even though it is not
explicitly stated by Microsoft (the opposite is not stated or
documented either), there is a belief that Everyone is an
identifier that includes only the legitimate users of a given
computer or a given NT domain. This is not true. In fact, the
Everyone group includes any user from anywhere. Everyone is
everyone.
NTsecurity.com has discovered a flaw in Windows NT security that
allows a user to log on remotely and gain the same set of rights
and access the same resources as the Everyone group, regardless
of whether the Guest account is disabled or not.
In other words, anyone who has network access to the target
computer can log on remotely without presenting a User Name and
Password.
To show the extent of the vulnerability, consider two of the most
common exploits.
1. Any default installation of Windows NT Workstation (v 3.51,
4.0) is vulnerable:
- the flaw allows the creation of a new entry in the registry
which describes a new drive share with access granted to
Everyone.
- a potential intruder can then wait for the system to reboot.
- after the reboot the new share is published on the network to
Everyone. By sharing the system drive, one can obtain a copy of
the password file that rdisk -s writes to the %SYSTEMROOT%\Repair
directory, etc.
2. Any default installation of Windows NT Server or Workstation
(v 4.0) is vulnerable:
- the flaw allows the creation of a new entry in the registry
which describes a reference to a Trojan horse program
located on the intruder's computer, e.g.
\\xxx.xxx.xxx.xxx\Share\Smth.exe
- a potential intruder can then wait for an interactive logon.
- after a user logs on to the server the Trojan horse
program is executed. Obviously, the Trojan horse program
could do just about anything if the logged-on user is an
Administrator. The Trojan can create a share (see above) if
the logged-on user has only Guest or ordinary user privileges.
In order to expose the flaw and demonstrate these potential
vulnerabilities, NTsecurity.com created a program tool called
RedButton. When executed, RedButton exploits the flaw and does
the following:
* logs on remotely to a target computer without presenting any
User Name or Password
* shows that unauthorized access can be obtained to sensitive
information stored in the file system and registry that is
available to the Everyone group
* determines the current name of the built-in Administrator account
(thus demonstrating that it is useless to rename it)
* reads several registry entries (for example, it displays the name
of the Registered Owner)
* lists all shares (including the hidden ones)
* shows that the identifier Everyone includes not only legitimate
users of the network but everyone.
RedButton is not an intruder's tool, and it does not increase any
security risks or vulnerability. Functions that would make it a
dangerous tool were disabled. However, it demonstrates that
unauthorized access can be obtained.
An ANONYMOUS connection can be used to access network resources on a
target computer with Everyone's access. If the resource grants "read"
permission, the resource can be enumerated (read). If the
resource grants "write" permission, it can be written (modified).
Examples:
File system: Files can be read by everyone if:
* There is a share with "everyone's" read access.
* There are files on this share with "everyone's" read access.
Registry values can be read if:
* The registry key is not "unshared" for network access for
everyone (winreg key).
* The registry key has "everyone's" read access.
Files can be modified if:
* There is a share with "everyone's" write access
* There are files on this share with "everyone's" write access.
Registry values can be modified if:
* The registry key is not "unshared" for network access for
everyone (winreg key).
* The registry key has "everyone's" write access.
Printer: Everyone can print on a network printer if:
* Printer share has "everyone's" print access.
Shares:
* The list of shares can be obtained by everyone as long as the
"Server" service is started and everyone can establish an
ANONYMOUS connection to the server.
* The list of users and the name of the renamed Administrator
account can be enumerated if the "Server" service is started and
everyone can establish an ANONYMOUS connection to the server.
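The conditions listed above (a share or file granting Everyone access, and a winreg key that does not exclude Everyone from network registry access) can be audited on a host. The following PowerShell script is an added example, not part of the NTsecurity.com advisory or the RedButton tool; it assumes a system with the SmbShare module (Windows 8 / Server 2012 or later) and the English name of the Everyone group.

```powershell
# Added example: audit a host for Everyone grants on shares, on the
# NTFS roots behind them, and on the winreg key that gates remote
# registry access. Assumes an English system ("Everyone").
$everyone = 'Everyone'
$findings = @()

# 1. Shares: an anonymous caller receives whatever Everyone is granted.
foreach ($share in Get-SmbShare | Where-Object { -not $_.Special }) {
    foreach ($ace in Get-SmbShareAccess -Name $share.Name) {
        if ($ace.AccountName -match $everyone -and
            $ace.AccessControlType -eq 'Allow') {
            $findings += "Share '$($share.Name)' ($($share.Path)) grants Everyone $($ace.AccessRight)"
            # The NTFS ACL on the share root decides what the share grant actually reaches.
            $ntfs = (Get-Acl -Path $share.Path).Access |
                Where-Object { $_.IdentityReference -match $everyone }
            foreach ($e in $ntfs) {
                $findings += "  NTFS on $($share.Path): Everyone $($e.FileSystemRights) ($($e.AccessControlType))"
            }
        }
    }
}

# 2. Remote registry: the ACL of the winreg key decides who may read
#    or modify registry keys over the network.
$winreg = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg'
if (Test-Path $winreg) {
    foreach ($ace in (Get-Acl -Path $winreg).Access) {
        if ($ace.IdentityReference -match $everyone) {
            $findings += "winreg key grants Everyone $($ace.RegistryRights) ($($ace.AccessControlType))"
        }
    }
} else {
    $findings += "winreg key is absent: network registry access is not restricted by it"
}

if ($findings) { $findings } else { 'No Everyone grants found on shares or the winreg key.' }
```

Run it in an elevated PowerShell session on the host being checked; each reported line names a grant that an anonymous connection would inherit.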
SOLUTION
Obtain the patch from ftp.microsoft.com. For NT 3.51:
/bussys/winnt/winnt-public/fixes/usa/NT351/hotfixes-postSP5/sec-fix
or for NT 4.0:
/bussys/winnt/winnt-public/fixes/usa/nt40/hotfixes-postSP2/sec-fix/
You may also apply SP3 for NT 4.0, which solves this problem.