WinXP recovery console... again

[phishphreek]

Just read an article here.

Windows XP, which has been marketed by Microsoft as "the most secure version ever," has been found to have a flaw so bone-headed that it renders passwords ineffective as a means of keeping people out of your PC.

Reader Tony DeMartino alerted me to the problem, which all administrators of Windows XP machines should immediately take to heart:
Anyone with a Windows 2000 CD can boot up a Windows XP box and start the Windows 2000 Recovery Console, a troubleshooting program.

Windows XP then allows the visitor to operate as Administrator without a password, even if the Administrator account has a strong password.

The visitor can also operate in any of the other user accounts that may be present on the XP machine, even if those accounts have passwords.

Unbelievably, the visitor can copy files from the hard disk to a floppy disk or other removable media - something even an Administrator is normally prevented from doing when using the Recovery Console.

Funny... I found this out by mistake several months ago and started a thread about it.
See the thread here.

[phaza7]

Nice info Phish!!

That can be informative to my understanding of XP.
M$ should throw away Winbloze and work on a *nix OS.
haha! - that will never happen

[Tedob1]

i cant believe i missed that post phish thats really a great find. could be very usefull.

although you probably know this by now you can use dos style truncation to navigate the directories:

My Documents == mydocu~1

the first six characters then "~1" if two directories share the first six letters than the second in alphabetical order would be ??????~2 etc

[phishphreek]

Tedob1:

Yeah, i figured that out now how to move around in command prompt better. I had tried many of those variations of commands and some of them worked. I just posted that too early before doing some more playing around.

I did some more testing after I found that little trick out.

Normally you can't copy/delete/move/copy etc. in recovery console.... even as admin, but using 2k boot disks you can do all those in XP.

What happened originally was I renamed my admin account and the XP recovery console doesn't let you specify the UID you are logging in with... it automatically chooses ADMINISTRATOR.

If you don't have an ADMINISTRATOR account (like me, I renamed it to JOEUSER) you are SOL... unless you have 2k disks handy

I don't think many people who responded to my original post realized what I was trying to say. Never thought to report it... but whatever. I just thought it was cool that I found a security bug in XP! Since then I'm always trying little things to get around securty... but have only found a couple more things.

This is one I can't find a fix for though.... unless you disable booting from floppy and cdrom, which most of my PCs are setup that way anyhow.

[AciDriveHB]

Hey Phish, did you find out if there is a fix for that, or if they are working on it?

[phishphreek]

AciDriveHB: I'm not sure if there is a fix.

The way I fixed it was to disable letting users boot to floppy and cdrom.

You do that in the bios. You can set the options you want and password protect it so anyone without the bios password can't change your options.

Even if someone had a bios password cracker, which would need floppy boot access anyway... I have little locks on the back of PCs that also have a tie wrap through them so I know if the box has been opened. This helps prevent people from pulling the bios battery which will reset the passwords and set the bios to default settings.

[Tedob1]

i definitly have to follow your posts more closely!

too bad you didn't get the recogognition for it. it might look good on a resume.

[phishphreek]

too bad you didn't get the recogognition for it. it might look good on a resume.

Tedob1:

I just emailed the guy who reported it... so maybe I can get recogongnition for it after all! That'd be cool!

Knowing my luck... I'll get hauled into court in violation of the DMCA!... that would suck... all for troubleshooting! lol

[thehorse13]

I just checked the MS site. No KB article and no acknowledgment of the issue yet.

Get ready, a hotfix should be on the way sometime next week! :-)

[phishphreek]

Get ready, a hotfix should be on the way sometime next week! :-)

Nah, they'll save that one for their next 150mb service pack...
It'll only take 11hrs for dial up users do download, so the systems will still go unpatched.

They prolly figure that if you aren't watching who has physical access to your machines... its your fault. Even though it is their screwup.

Anyone with physical access could easily just pull the HD, make a copy and it might just be less work than messing with boot disks and copying to single floppys. Then they'd have all the time they wanted to search the HD... not a few min... thats what video/web cameras are good for.