RE: [VulnWatch] Blank Administrator password in DELL XP Professional install

["James Bender" <jbender@xxxxxxxxxxxx>]

This is not a vulnerability on just DELL machines.  This is a default out of 
the box configuration for any Windows XP Pro, or Windows 2003 Operating System, 
regardless of type (I.E - OEM, Open, or Retail Box).
 
The real vulnerability to be exposed in something like this is the fact that 
Microsoft sets up a "back door" support account on all instances of Windows XP. 
 Albeit disabled, this can lead to security risks if the administrator disables 
the account.
 
Some Machines implement a local security policy that prevents the local 
administrator from logging on locally, and only allowing the "USERS" to log in 
to the machine.
 
Like I said before, it's not a "DELL" issue.  Perhaps DELL is being targeted 
since the OEM software defaults that way.  I have installed Windows XP fresh 
from Open, OEM, or Retail, and experience the same thing.  Null Password on 
Administrator account.  

-JB

________________________________

From: Michael Scheidell [mailto:scheidell@xxxxxxxxxx]
Sent: Mon 6/27/2005 1:08 PM
To: bugtraq@xxxxxxxxxxxxxxxxx
Cc: security@xxxxxxxx; vulnwatch@xxxxxxxxxxxxx; cert@xxxxxxxx; security@xxxxxxxx
Subject: [VulnWatch] Blank Administrator password in DELL XP Professional 
install



Vulnerability in DELL Windows XP Professional - default hidden Administrator 
account allows local Administrator access

Systems: DELL(tm) Laptops with Windows(tm); Professional
Vulnerable: DELL Laptops with pre installed Microsoft Windows XP Professional 
SP2
Not Vulnerable: DELL Laptops with Retail Microsoft Windows XP professional, 
RTM, SP1 and SP2
Severity: High
Category: Unauthorized Administrator Access
Classification: Default Authentication
BugTraq-ID: tbd
CVE-Number: CAN-1999-0504
Remote Exploit: Maybe
Local Exploit: Yes
Vendor URL: www.dell.com
Author: Michael Scheidell, SECNAP Network Security
Internal Release date: May 31, 2005
Notifications: May 31, 2005, Emailed various security and cert addresses at DELL
Vendor Response: June 7, 2005: Dell Emailed and requested more information
SECNAP response: June 7, 2005: Sent Dell serial number and service tag code on 
test system
Additional Contact: Emailed Dell on June 14, 2005 to request status
Additional Contact: Emailed Dell on June 21, 2005 to request status, cc'd 
original cert and security addresses
FBI Infragard Release: June 24, 2005
Public Release Date: June 27, 2005

Problem:

DELL OEM XP Processional has a default hidden administrator account.  Use of 
this account will allow anyone with physical access to the computer to fully 
control the computer, add spyware, keystroke loggers, password stealing 
software and read all files, including temp files, local files, documents, and 
any email that has been stored locally.

DELL does not inform the installer of this account, nor give them the option of 
putting a password on this account. If a savvy installer finds the function to 
change the password for the Administrator account, they are warned that they 
could lose data. Security best practices REQUIRE a password on all 
administrative (and root) accounts.

See Dell web site on passwords:
Do's: Do's Use passwords with 6 or more characters
Do NOT's: Do not use passwords shorter then 6 characters[mss: I assume this 
means blank Administrator passwords also]
http://support.dell.com/support/topics/global.aspx/support/security/security_2?c=us&cs=19&l=en&s=dhs&~tab=3
There is also a link to Microsoft's Web site on Dell's site
http://www.microsoft.com/smallbusiness/issues/technology/security/5_tips_for_top_notch_password_security.mspx

Because DELL marketing directly targets large publicly traded businesses, 
government agencies, and research organizations, these systems are used in 
regulated industries. Healthcare organizations must be HIPAA compliant; 
financial institutions must follow GLBA regulations; publicly traded firms are 
required to adhere to the Sarbanes-Oxley Act; federally funded educational 
organizations are regulated by FERPA, and government agencies must comply with 
FISMA regulations. With such organizations comprising  a major portion of 
DELL's market share, it would be advantageous to ensure that products 
incorporated into DELL systems would help achieve compliance with such 
regulations. 

Note: this is similar to the problem found on IBM workstations in August, 2004 
and fixed by IBM with SP2 release:

See: http://www.secnap.com/alerts.php?pg=5

This may not be the first report of this behavior. If others have reported on 
this issue before, please let us know: however, we searched the CVE database 
and only  found a distantly related problem dating back to 1999 where there is 
a warning against default, missing or weak administrator passwords.

The Common Vulnerabilities and Exposures (CVE) project has assigned the name 
CAN-1999-0504 to this issue. This is a candidate for inclusion in the CVE list 
(<http://cve.mitre.org>), which standardizes names for security problems.

A retail setup implementation of Microsoft Windows XP Professional Edition, 
"Out-of-Box Experience" (OOBE), requires that the installer be given the option 
to add an Administrator account. During the installation, the XP Installer 
states : "You must provide a name and an Administrator password for your 
computer. Setup creates a user account called Administrator. You use this 
account when you need full access to your computer." While setup will not 
require that a password actually be entered, it does stress that one SHOULD be 
entered. Additionally, the user is prompted to create a regular user account 
for general use.

In contrast, the DELL setup implementation of Microsoft Windows XP Professional 
Edition does not include such steps. The existence of an administrator account 
is never mentioned. Instead, the setup asks: "Who will use this computer? Type 
the name of each person who will use this computer. Windows will create a 
separate user account for each person so you can personalize the way you want 
Windows to organize and display information, protect your files and computer 
settings, and customize the desktop. These names will appear on the Welcome 
screen in alphabetical order. When you start Windows, simply click your name on 
the Welcome screen to begin. If you want to set passwords and limit permissions 
for each user, or add more user accounts after you finish setting up Windows, 
just click CONTROL PANEL in the START menu, and then click USER ACCOUNTS." By 
default, none of the accounts added in this step have passwords. Nor is their 
an option to set passwords during the install. While this is not unique to the 
IBM install, it is a known weakness in the Windows XP OOBE, including retail 
and OEM versions. Because the Administrator account was never requested, this 
leaves the system in a very vulnerable state.

Local Exploit :
If Windows XP Professional is installed as part of a Windows Domain, the user 
selection menu is absent . If there is a user menu, hit 
<ctl><alt><del><ctl><alt><del> to pull the menu up

Type 'Administrator' in the Username Box.
Leave the Password Box Empty.
If there is a domain in the Domain Box, change it to the local computer
Hit Enter
You now have full control over this system and can install keystroke loggers, 
capture passwords, install network sniffers, browse (and change) cookies of the 
users, read and copy any local documents or files

Remote Exploit:
Remote exploit is not possible unless someone changed the security feature that 
disabled network access for accounts with blank passwords
If remote access is possible, use MACHINENAME/Administrator as the user 
authentication when connecting to the $SYSTEM or $C share.
If you gain access, you can remotely load, install, read, take over the 
computer.

Work Around
By using the Computer Management application and looking under 'System 
Tools->Local Users and Groups->Users', we see that the Administrator account 
has been added and enabled. This account IS NOT password-protected. If the 
installer sets a password for EVERY user shown under the User Accounts tool in 
the Control Panel, THE DEFAULT ADMINISTRATOR ACCOUNT STILL EXISTS WITH NO 
PASSWORD.

The Installation Setup never informed the user that the account existed. If a 
user attempts to manually set a password for the Administrator account, they 
are greeted with the following warning: "Password for Administrator: Resetting 
this password might cause irreversible loss of information for this user 
account. For security reasons, Windows protects certain information by making 
it impossible to access if the user's password is reset. This data loss will 
occur the next time the user logs off. You should use this command only if a 
user has forgotten his or her password and does not have a password reset disk. 
If this user has created a password reset disk, then he or she should use that 
disk to set the password. If the user knows the password and wants to change 
it, he or she should log in, then press CTRL+ALT+DELETE and click Change 
Password. For additional information, click Help. [Proceed] [Cancel] [Help]." 
This warning exists in all versions of Windows XP, but it is not presented from 
the Control Panel Users Accounts tool. If a password is changed from the 
Control Panel's User Accounts section, no such warning is issue; but, again, 
the Administrator account is hidden from User Accounts.

In summary, Due to the lack of an Administrative Setup screen for the DELL 
Windows XP OOBE flow, it is more difficult for a security-conscious 
organization to manage a Windows XP-based DELL environment. In order to protect 
a system, several unintuitive additional steps must be taken on each systems in 
the environment, despite warnings against taking such steps.

SECNAP has tested this situation against DELL Windows XP Pro SP2. SECNAP also 
recommends that DELL notify all existing registered clients using the 
vulnerable systems to upgrade, possibly to a DELL-released patch, or modified 
version of SP2, that would additionally address the issues.

Vendor Response
On Jun 7th, 2005, Vendor requested and received serial number, service tag and 
OOBEINFO.INI from the test computer
We attempted to contact them again on June 14th, and June 21st. No response

Credit:
Original alert on IBM Workstation by Jason Lash, SECNAP Network Security, 
www.secnap.com, research on DELL Laptops by Michael Scheidell, SECNAP Network 
Security.
An original copy of this alert can be found here release: 
http://www.secnap.com/alerts.php?pg=8

Copyright:
Above Copyright© 2005, SECNAP Network Security Corporation. World rights 
reserved.

This security report can be copied and redistributed electronically provided it 
is not edited and is quoted in its entirety without written consent of SECNAP 
Network Security Corporation. Additional information or permission may be 
obtained by contacting SECNAP Network Security at 561-999-5000