oh.. is dis Win2000 Pro??
sonic: Windows 2000, any version, is the new NT distro, meaning it's Windows NT 5.0. A basic system information request will tell you that.
sonic: Yes, I'm referring to Win2K Pro, but supposedly this same hack works on NT 4, though I have yet to try it.
Hmm... well, I don't know much about the debate going on here. I'm going to try out this hack tomorrow. Sometimes if you can visualize a problem you can find a better solution.
Nice vulnerability though
Yes, it is basically NT 5.0 in that it is the system built for a networked environment, but it is significantly different from the previous NT systems in how it deals with security.
Quote (originally posted here by bios):
sonic: Windows 2000, any version, is the new NT distro, meaning it's Windows NT 5.0. A basic system information request will tell you that.
So... the best thing to do here, apart from converting to NTFS, is to rename your cmd.exe and copy an empty file (or some other harmless program) to cmd.exe.
(It would be funny to create some small program that tells the hacker he's been logged...)
If a hacker attempts this hack, this would at least have him wondering why it doesn't work...
It's very easy to solve though..
M$ should have created a way to disable the logon.scr ...
Even though NTFS reduces the risk of this happening, would there be any way to get around it to implement this?
cmd.exe is not the only executable that works with this trick. You can basically use any executable. On NT4 you can use musrmgr.exe; on Win2k it should work with msc.exe.
And what about putting in an executable I made myself? This exe could create a new local account and give it admin rights. Should be really easy to program. For some added stealth you could run the renamed logon.scr so no one will notice ;)
The ONLY way to prevent hacks like this is to switch to NTFS and put some solid ACLs on %windir% and everything underneath.
It's worth noting that:
1. This attack does not work if the permissions on the NTFS filesystem and the registry are correctly set up, as they will be if you do a fresh install of NT4 (and Win2k, WinXP Pro, etc.).
2. An alternate method of performing this attack is to modify a key in the registry to change the logon screensaver to something else. Renaming cmd.exe is lame. Many things rely on cmd.exe being called that and hence will not work (probably including much of Microsoft's own stuff).
3. Anyone with console access who can boot off a floppy can easily bypass the permissions on the registry and do this hack.
4. That isn't really a problem, because with console access they can do anything anyway.
Don't rename cmd.exe or you will have real problems.
FAT is an unsecured FS, bottom line. You could use registry keys to deny access to Control Panel -> Display after turning off the screen saver, but someone with physical access could just as easily use a boot floppy to copy the .sam as replace the screen saver. Just comes down to risk management. Tell your boss to quit being a weenie and use NTFS (at least for the system drive). Depending on the security required, I would personally delete all dangerous binaries such as cmd.exe, tftp.exe, net.exe, finger.exe, etc., or move them to a separate location and allow ONLY the admins execute rights. (System cannot take ownership, so buffer overflow attacks will be much harder to achieve.) Although I have not had problems with removing these files, you may find Win2000 likes to put them back for you. This is because copies are stored in dllcache by Windows File Protection, which can be disabled here:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
You must set (or create) the SFCDisable value as REG_DWORD 'ffffff9d'.
good luck!
-Maestr0
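An audit script for the conditions the thread keeps coming back to (a FAT system drive, a replaced logon screensaver, writable %windir%, and Windows File Protection switched off via SFCDisable). This is an added example, not code posted in the thread; it assumes a modern Windows host with PowerShell 5 or later, run as an administrator, and reads the standard Winlogon and default-profile registry locations.

```powershell
# Added audit check: reports the hardening gaps discussed in this thread.
# Assumes PowerShell 5+ on a current Windows build, run elevated.
$findings = @()

# 1. System drive filesystem: FAT has no ACLs, so %windir% cannot be protected at all.
$disk = Get-CimInstance Win32_LogicalDisk -Filter "DeviceID='$env:SystemDrive'"
if ($disk.FileSystem -ne 'NTFS') {
    $findings += "System drive is $($disk.FileSystem), not NTFS"
}

# 2. The pre-logon screensaver runs as SYSTEM. Whatever SCRNSAVE.EXE in the
#    .DEFAULT profile points at should be a validly signed Microsoft binary.
$desk = 'Registry::HKEY_USERS\.DEFAULT\Control Panel\Desktop'
$scr  = (Get-ItemProperty -Path $desk -ErrorAction SilentlyContinue).'SCRNSAVE.EXE'
if ($scr) {
    $path = [Environment]::ExpandEnvironmentVariables($scr)
    if (-not [IO.Path]::IsPathRooted($path)) {
        $path = Join-Path $env:SystemRoot "System32\$path"
    }
    $sig = Get-AuthenticodeSignature -FilePath $path -ErrorAction SilentlyContinue
    if (-not $sig -or $sig.Status -ne 'Valid' -or
        $sig.SignerCertificate.Subject -notmatch 'Microsoft') {
        $findings += "Logon screensaver '$path' is not a validly signed Microsoft binary"
    }
}

# 3. Windows File Protection disabled (the SFCDisable value the last post mentions).
#    The value is read as a signed DWORD, so 0xffffff9d shows up as a negative number.
$wl  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$sfc = (Get-ItemProperty -Path $wl -ErrorAction SilentlyContinue).SFCDisable
if ($sfc -and $sfc -ne 0) {
    $findings += ('SFCDisable is set to 0x{0:x} (file protection off)' -f $sfc)
}

# 4. Non-admin write access to System32: the ACL condition the posts say stops the attack.
$acl = Get-Acl -Path "$env:SystemRoot\System32"
foreach ($ace in $acl.Access) {
    if ($ace.AccessControlType -eq 'Allow' -and
        $ace.IdentityReference -match 'Users|Everyone|Authenticated Users' -and
        $ace.FileSystemRights -match 'Write|Modify|FullControl') {
        $findings += "System32 grants $($ace.FileSystemRights) to $($ace.IdentityReference)"
    }
}

if ($findings) { $findings | ForEach-Object { Write-Warning $_ } } else { 'No findings' }
```

Each warning maps to one of the posts' recommendations: move the system drive to NTFS, keep %windir% ACLs intact, and leave file protection enabled rather than disabling it to delete binaries.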