A serious hole in Windows NT and Windows 2000 allows any user (even “guest”) to gain complete control of the machine using the standard documented debugging interface. An article on ExtremeTech gives details and links to patches and sample exploits. To date, Microsoft has not commented on the vulnerability.
Hey, maybe I can take advantage of this to install some software on my NT machine here at work (which I don’t have admin access to…until today that is).
Yeah, and then when your employer finds out, you will get fired, arrested under the anti-hacker laws, and sent to federal prison, just because you wanted AIM or Mozy… Is it worth that to you?
(Yes, I know you were joking, just illustrating the stupidity of the laws.)
One would think that this would have put Microsoft on “red alert,” but — amazingly — the software giant has released neither an advisory nor a patch.
Does anyone know why?
“One would think that this would have put Microsoft on “red alert,” but — amazingly — the software giant has released neither an advisory nor a patch.”
“Does anyone know why?”
Why is there no patch? Because they probably haven’t figured out how to fix it yet.
Why is there no advisory? Because they don’t want to publicize it any more than it already is. After all, what are they going to say? “Any user can obtain complete control of your Windows NT/2000 system by using a standard debugging procedure. Unfortunately, there is absolutely nothing you can do about it at this point.”
Their whole system is a BIG patch. So patch the patch the patch the patch
That would be silly.
A friend of mine supposedly has a Linux boot floppy with some kind of NTFS support that lets you edit a Win2k password file and gain root access that way. Anyone heard of this before?
yeah…and that is why SMART admins make the IDE-0 the primary boot volume.
“A friend of mine supposedly has a Linux boot floppy with some kind of NTFS support that lets you edit a Win2k password file and gain root access that way. Anyone heard of this before?”
I’ve heard of similar things. But this isn’t exactly a security problem with Windows. After all, every single version of UNIX that I have ever worked with can boot from a floppy disk or a CD, bypass the login and then change the root password.
In fact, out of the box, Linux is even less secure because you can boot directly off the HD into single-user mode with no password. (Personally I think Linux vendors should wise up with this one and change that so it defaults to an environment in which the console is insecure.)
Simba,
Do your homework, depends on the system’s default settings.
FreeBSD’s default setting will allow you to get into single-user mode without a password; Debian does not. It depends on the default setting of said UNIX(-like) OS.
I’m still unclear on how this works. Can this be done remotely? or does the hacker have to install/run a debugger program on the HD? Can someone shed some light here?
On the Linux boot disk topic, yes, if you forget the administrator’s password in NT (at least 4.0), you can use the disk to change the password, then reboot.
The first paragraph of the article:
A serious hole in Windows NT and Windows 2000 allows any user (even “guest”) to gain complete control of the machine. This bug — called a “privilege escalation” vulnerability — is particularly worrisome, because it does more than open the system to attacks from its own users. It also amplifies the dangers associated with other security holes that Microsoft has dismissed as not being serious. Why? Because an intruder who gains entry to a system as an unprivileged user can obtain administrator privileges and take over.
So the answer is yes and no. The hole in itself does not permit remote attacks, but someone who uses another exploit to gain unprivileged user status can then use this remotely to upgrade their privilege level. They’ll most likely have to execute something on the machine that exploits the hole, but nothing as large as a debugger, just a simple routine that hooks into the system’s debugger (part of the NT/2k subsystems), which allows them to take control of tasks at a higher privilege level.
The exploit utilizes a process that isn’t used in XP, which is why it’s confined to NT4/2k, and there are 3rd party fixes available. Should be interesting to see when MS will get around to it, and what they’ll do about it.
… such intolerable security holes will the world need before realizing that Microsoft is nowhere near able to create something secure?
Microsoft is by far the company with the worst (in)security history. I dream of the day people will start thinking (anyone who cares about either security or cost wouldn’t select an MS product).
We keep on dreaming.
It is like cars. In the 60’s (to my best knowledge) people started to think about safety belts in cars. By then it was thought ridiculous to have seatbelts for safety. Today one cannot buy a new car without the highest possible level of safety.
So do we want an unsafe car??? No!!!
Do we want an unsafe computer?? No!! But we do otherwise.
We do not think!
it’s the application. please contact your software vendor for support.
OpenBSD – No root exploits for the last 4 years.
Windows 2000 – No root exploits for the last 4 hours.
If the one-byte fix is performed, what prevents a user from changing that one byte back? I don’t understand how that can be a fix…
“A friend of mine supposedly has a Linux boot floppy with some kind of NTFS support that lets you edit a Win2k password file and gain root access that way. Anyone heard of this before?”
Yes, I have a boot disk like this only it is a DR-DOS disk. The NTFS software on my disk isn’t very stable though. About half the time it locks up. I would much rather have the Linux one you are talking about.
Guys, I know, you will laugh in my face, but… http://webua.net/god/even-more.html
Sad but true.
Blachford summed it all up in two sentences
“Microsoft is by far the company with the worst (in)security history. I dream of the day people will start thinking (anyone who cares about either security or cost wouldn’t select an MS product).”
Don’t go there. Linux has had its share of remote root holes as well. As a famous guy from the first century said “Let he who is without sin cast the first stone.”
“Do your homework, depends on the system’s default settings.”
I am pretty sure that most Linux distros come with LILO configured by default to allow a single-user, no-password boot.
There has been a tool around for a long time called Bluecon 2000 by O&O. It creates modified W2K boot floppies which allow you to delete or change passwords of any W2K installation faster than you could type it yourself… You can do more fun stuff with it as well…
Most Linux systems today come with GRUB; the Red Hat installer even prompts you to assign a password to the GRUB bootloader.
However, I don’t regard exploits via an unconfigured bootloader or booting with a boot disk as security risks of the operating system’s design. If you want your system secure, you only allow boot from ide0, lock the BIOS, the bootloader, etc.
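As an added illustration of the bootloader hardening this post and the earlier LILO/GRUB comments refer to (this is not from the thread or from either project's documentation), below are the two relevant configuration fragments. File paths are the conventional ones, the device names are assumed, and the password hash is a placeholder; generate a real one with grub-md5-crypt.

```text
# --- /etc/lilo.conf, global section (added example) ---
# "restricted" makes LILO ask for the password only when the user types extra
# kernel parameters at the boot: prompt (e.g. "linux single" or "init=/bin/sh");
# an ordinary default boot still proceeds unattended.
password=REPLACE-WITH-A-STRONG-PASSPHRASE   # placeholder, choose your own
restricted
# lilo.conf now contains a secret: chmod 600 it and re-run /sbin/lilo.

# --- /boot/grub/menu.lst, GRUB legacy (added example) ---
# A "password" line in the global section disables the interactive menu editor
# and command line until the user presses 'p' and enters the password.
password --md5 $1$PLACEHOLDER$REPLACE-WITH-OUTPUT-OF-grub-md5-crypt
default 0
timeout 5

title Linux                      # default entry, boots unattended
    root (hd0,0)                 # assumed: first partition of first disk
    kernel /vmlinuz ro root=/dev/hda1
    initrd /initrd.img

title Linux (single user)        # recovery entry, needs the password
    lock                         # refuse to boot this entry until authenticated
    root (hd0,0)
    kernel /vmlinuz ro root=/dev/hda1 single
    initrd /initrd.img
```

Neither fragment helps once someone can boot from a floppy or CD, which is exactly the point made above: restrict the boot order in the BIOS and protect the BIOS setup as well, and treat all of it as physical security rather than OS security.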
Those of you that complain Linux or Win platforms are not secure because you can gain access via physical access have no idea what you are talking about. That has ZERO to do with OS security and everything to do with physical security.
How often do you see people place the VCRs for their business security system right outside the front door? Never? Why? Same reason your OS is only as secure as its physical security.
Simply put, if you think BIOS passwords are protecting you, you’re dreaming and unfit to work in the security world. Bluntly, if you require a secure system, it must be physically secure and even then, it’s still only as secure as the trustworthiness/quality of the people that have access to it.
Considering most security violations come from within, physical security and the quality of your people should have the highest priority.
Does this work for automated processes? I have Win2k, and a digital camera. If I eject the camera without going through a tedious process on Windows, it messes up the Windows whatever that recognizes the camera. I can only access the camera again if I plug it in as admin and it launches an automated process for about 3 seconds to re-recognize it.
So, could I use this debugger exploit to let win2k recognize my camera when I’m using a non-admin user?