[Full-Disclosure] SAM Switch - Win2k/XP password-less login
- To: full-disclosure@xxxxxxxxxxxxxxxx
- Subject: [Full-Disclosure] SAM Switch - Win2k/XP password-less login
- From: "Palan" <Palan@xxxxxxxxxxxxx>
- Date: Thu, 25 Sep 2003 09:33:16 -0400
Hello,
I found that the SAM file can be replaced just like PWL files in Win9x. I posted
the following to Bugtraq, but in spite of posting twice it never appeared on
the list... (possibly moderated)
Folks, go ahead and change the boot options in your BIOS ASAP.
>>>>>> Original Posting to Bugtraq but never appeared
It is well known that Windows 2k/XP local user account passwords can be reset
with Petter Nordahl's ntbootdisk available at
http://home.eunet.no/~pnordahl/ntpasswd/bootdisk.html
Since the disk loads the Windows NTFS partition as a read-write partition,
wouldn't it be nice if we could back up the SAM file and restore it if something
went wrong?
This seems to have a security issue, similar to PWL file replacement in Win9x.
In the Win9x world, renaming PWL files allowed one to bypass the Win9x
passwords. The same is feasible with Windows 2k/XP as well.
Normally, when the Windows 2k/XP OS is active, the SAM registry cannot be accessed;
Petter's disk tries to load the files offline and makes the necessary password
reset changes. Just copying the SAM file to a secondary medium before the changes
and restoring the SAM file later is enough to get the old passwords back.
Someone could:
1. Backup the old administrator password
2. Replace it with chntpw utility
3. Install applications/trojans/sniffer
4. Restore the old administrator password
This means ANYONE could be ADMINISTRATOR on a box without knowing the password
and without changing the password (a.k.a. SAM switch).
In a University/Corporate environment point 3 is a nightmare; it would be
difficult to detect such offline privilege use techniques.
Though this technique is possible from the command line, Petter's disk doesn't have a
menu interface for it. I have changed the scripts on his disk to be able to
back up and restore the SAM file. It is available at
http://whitehatzone.tripod.com
Some solutions to address this issue:
1. By default the HDD should be the first boot device (the above floppy image could
easily be modified to boot from CDROM, USB storage or USB floppy, hence the
HDD should be first).
2. The SAM password injection technique as identified by Petter Nordahl should
be addressed by the vendor.
(On a side note, this is fixable by the vendor if they correct the NTLM and
LANMan crypted hashes to those of the syskeyed NTLMv2 instead of vice versa as
done currently. This is what allows Petter's utility to inject crypted LANMAN and
NTLM hashes into the SAM, which get syskeyed on next boot.)
-Palan Annamalai
Researcher, VTLAN,
Virginia Tech.
palan-AT-myrealbox.com
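The post notes that offline SAM tampering is hard to detect. As an added example (not from the post and not part of Petter Nordahl's tool), here is a Python check a defender could run over a copy of the SAM hive taken from a suspect machine: it parses the `regf` base block that every Windows hive starts with, validates the header checksum and the primary/secondary sequence numbers, and flags a last-written timestamp that falls outside every Windows uptime window. The uptime windows and sample headers are constructed here, and treating a header timestamp outside an uptime window as evidence of offline editing is a heuristic assumption of this example, not something the post establishes.

```python
import struct
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)  # FILETIME epoch (100 ns ticks)

def filetime_to_datetime(ft):
    return EPOCH_1601 + timedelta(microseconds=ft // 10)

def regf_checksum(block):
    """XOR of the 127 little-endian dwords preceding the stored checksum at 0x1FC."""
    calc = 0
    for (dw,) in struct.iter_unpack("<I", block[:0x1FC]):
        calc ^= dw
    return {0: 1, 0xFFFFFFFF: 0xFFFFFFFE}.get(calc, calc)  # reserved results are remapped

def parse_regf_header(blob):
    """Parse the 512-byte base block shared by all hives (SAM, SYSTEM, SECURITY, ...)."""
    if len(blob) < 512 or blob[:4] != b"regf":
        raise ValueError("not a registry hive base block")
    primary, secondary, last_written = struct.unpack_from("<IIQ", blob, 4)
    return {
        "last_written": filetime_to_datetime(last_written),
        "sequence_match": primary == secondary,  # differ => hive was not cleanly flushed
        "checksum_ok": regf_checksum(blob) == struct.unpack_from("<I", blob, 0x1FC)[0],
    }

def audit_hive_header(blob, uptime_windows):
    """Findings for one hive header; uptime_windows are (boot, shutdown) pairs from the Event Log."""
    hdr = parse_regf_header(blob)
    findings = []
    if not hdr["checksum_ok"]:
        findings.append("base block checksum invalid")
    if not hdr["sequence_match"]:
        findings.append("sequence numbers differ: hive was not cleanly written")
    if not any(a <= hdr["last_written"] <= b for a, b in uptime_windows):
        findings.append("hive flushed at %s while Windows was not running" % hdr["last_written"])
    return findings

def build_sample_header(primary, secondary, last_written):
    """Constructed test data only: a minimal base block with a valid checksum."""
    ft = ((last_written - EPOCH_1601) // timedelta(microseconds=1)) * 10
    blob = bytearray(512)
    blob[:4] = b"regf"
    struct.pack_into("<IIQII", blob, 4, primary, secondary, ft, 1, 3)  # hive format 1.3
    struct.pack_into("<I", blob, 0x1FC, regf_checksum(blob))
    return bytes(blob)

# Constructed uptime window: one working day, as derived from Event Log IDs 6005/6006.
UPTIME = [(datetime(2003, 9, 24, 8, 0, tzinfo=timezone.utc),
           datetime(2003, 9, 24, 18, 0, tzinfo=timezone.utc))]
```

A real audit would read the header from a forensic copy of the hive and build `UPTIME` from the machine's own System event log; a timestamp in a gap between shutdown and the next boot is worth investigating together with the BIOS boot-order setting.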
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html