
Thread: Another logon.scr Admin Hole + FIX

  1. #11
    Maybe I'm not speaking the correct language or something. Everything I've stated is all very possible and still useful. If boot from a disk is disabled then you simply reset it. If you're even close to having any intelligence then you would know that that is extremely easy. After doing so, boot with a floppy into a command prompt. Then do the following...
    C:\> cd \winnt\system32
    C:\winnt\system32> copy logon.scr logon.scr.old
    C:\winnt\system32> del logon.scr
    C:\winnt\system32> copy cmd.exe logon.scr
    After doing that you restart the system without the boot disk. When you're at logon just wait 10-15 minutes. NOW LISTEN HERE. Windows is not set to have a command prompt open at this state in your computer's boot process. Not being logged in will disallow any restrictions set on that computer; this also includes the NET COMMANDS. At which point you will type "C:\> net user administrator <newpassword>". This will change the password for ADMINISTRATOR.
    THAT IS HOW SOMEONE WOULD GAIN ACCESS TO AN ADMIN ACCOUNT. The only way this cannot occur is if the admin had the screensaver disabled for the logon screen. ARE THERE ANY QUESTIONS? I HAVE TESTED THIS ON AT LEAST 5 COMPUTERS AND 1 HAD THE SCREENSAVER DISABLED.

    Another fix for this is a patch that I believe is available. It will replace logon.scr with a DLL, therefore making it impossible to make cmd.exe run before logon.
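    An added defensive check, not code from this thread or its posters: a PowerShell script that audits logon.scr for the swap described above (logon.scr replaced by a copy of cmd.exe, with a logon.scr.old left behind) and reports whether the logon-desktop screen saver is active at all. It assumes a PowerShell 4 or later host (for Get-FileHash), that $env:SystemRoot is the Windows directory, and that the logon screen saver settings live under HKEY_USERS\.DEFAULT\Control Panel\Desktop.

```powershell
# Added example (not from the thread): audit logon.scr for the cmd.exe swap
# described above and report the logon-desktop screen saver settings.
# Assumptions: $env:SystemRoot is the Windows directory (C:\WINNT on 2000) and
# the logon screen saver is configured under HKEY_USERS\.DEFAULT\Control Panel\Desktop.
$system32 = Join-Path $env:SystemRoot 'system32'
$scr      = Join-Path $system32 'logon.scr'
$cmd      = Join-Path $system32 'cmd.exe'
$findings = @()

if (Test-Path $scr) {
    # A copied cmd.exe hashes byte-for-byte identically to the original cmd.exe
    $scrHash = (Get-FileHash -Algorithm SHA256 -Path $scr).Hash
    $cmdHash = (Get-FileHash -Algorithm SHA256 -Path $cmd).Hash
    if ($scrHash -eq $cmdHash) {
        $findings += 'logon.scr is identical to cmd.exe'
    }
    # The version resource of a genuine screen saver names a .scr; cmd.exe reports Cmd.Exe
    $orig = (Get-Item $scr).VersionInfo.OriginalFilename
    if ($orig -and $orig -notmatch '\.scr$') {
        $findings += "logon.scr version info names '$orig' instead of a .scr"
    }
} else {
    $findings += "logon.scr is missing from $system32"
}

# A leftover backup is a tell-tale of the copy / del / copy sequence quoted above
$backup = Join-Path $system32 'logon.scr.old'
if (Test-Path $backup) { $findings += "backup file present: $backup" }

# Logon-desktop screen saver settings (the "disable the screensaver" fix)
$desktop = Get-ItemProperty -Path 'Registry::HKEY_USERS\.DEFAULT\Control Panel\Desktop'
if ($desktop.ScreenSaveActive -eq '1') {
    $findings += "logon screen saver is active; SCRNSAVE.EXE = $($desktop.'SCRNSAVE.EXE')"
}

if ($findings.Count -eq 0) {
    Write-Output 'OK: logon.scr looks genuine and the logon screen saver is inactive'
} else {
    $findings | ForEach-Object { Write-Output "FINDING: $_" }
}
```

Run it from an elevated prompt, since reading the logon desktop's registry hive and hashing files under system32 may otherwise be denied.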

  2. #12
    phishphreek (AO übergeek), Join Date: Jan 2002, Posts: 4,325
    Everything I've stated is all very possible and still useful. If boot from a disk is disabled then you simply reset it. If you're even close to having any intelligence then you would know that that is extremely easy.
    As slarty has already pointed out.... this is not possible with NTFS unless you are using NTFSDOS Pro to boot. A regular boot disk will only work on a system that is FAT. Who in their right mind would use FAT?!

    "C:\> net user administrator <newpassword>". This will change the password for ADMINISTRATOR.
    THAT IS HOW SOMEONE WOULD GAIN ACCESS TO AN ADMIN ACCOUNT. The only way this cannot occur is if the admin had the screensaver disabled for the logon screen. ARE THERE ANY QUESTIONS? I HAVE TESTED THIS ON AT LEAST 5 COMPUTERS AND 1 HAD THE SCREENSAVER DISABLED.
    This would only work if you already have admin privileges. Try to do it with a guest account, or even a power user, and you'll see that it doesn't work. If you already have admin privileges... then why in the hell would you need to get the admin account?!

  3. #13
    Senior Member, Join Date: Jan 2002, Posts: 1,207
    Szafran: I don't mean any disrespect, but this really isn't a bug in Windows at all.

    If a user can (through a DOS boot disk or otherwise) replace logon.scr, then they can replace any other file with anything anyway. This includes editing the SAM, or any other more straightforward modification which would allow them full access.

    Therefore this discussion is pointless and stupid.

    To ensure local security, have a BIOS password and don't allow booting from removable media. That's all there is to it.

  4. #14
    Banned, Join Date: May 2003, Posts: 1,004
    Just to append to what Slarty said, also take care to disable automatic admin login during recovery and limit access to removable media during recovery as well. There was another post in the last day or so that was resolved by this physical attack, booting off the OS CD.

    catch

  5. #15
    What I'm saying, and there will be no need to post a reply 'cause I'm gonna quit with this subject, but: if you can get cmd.exe to run at the logon screen, then it will work. Cmd.exe and the NET COMMANDS were not created to be used at the logon state. THAT IS THE BUG. The commands will not work before logon or after logon without admin access. But if you use them during the logon then it will work. And I also understand about the boot disk with NTFS, but still, all you would need to do then is gain access to an NTFS boot disk. Is it truly that hard?

  6. #16
    Senior Member, Join Date: Jan 2002, Posts: 1,207
    Cmd.exe and the NET COMMANDS were not created to be used at the logon state. THAT IS THE BUG.
    No it is not.

    It is not possible to run cmd.exe as Localsystem at the logon prompt without doing some hackery, all of which either requires you to be an administrator anyway (such as editing the registry) or booting from a different medium.

    If you boot from a different medium, gaining admin access is possible in countless other ways besides the one you suggest. Therefore, it is not a hole.

    If of course you are administrator anyway, why would you want to gain admin? It makes no sense.

    The "Net" commands are usable by the Localsystem account. This is not a hole.

  7. #17
    nihil (Senior Member), Join Date: Jul 2003, Location: United Kingdom: Bridlington, Posts: 17,188
    Hi guys,

    I guess these things are going around in circles. I see posts regarding how to break into systems, and here we have a young gentleman pointing out security flaws!............I am allowed to call you a young gentleman, Szafran, unless you can provide me with a functional Fortran4 program on 80 column punched cards.............that's where I started to learn.

    I think that some of the problem here is not the new members, and certainly not their enthusiasm!!!!!!!!!! It is the fact that they are operating in artificial rather than practical environments?

    A little story:

    "In the beginning I went to my wife, and we went to the computer shop and she chose the case colour..............then I needed a motherboard, so she chose one that colour co-ordinated with the case. Then she went shopping.............so I bought the fastest processor and maximum memory that would fit the colour co-ordinated motherboard................etc........but then I had to buy an operating system...so I did (WIN2k)................and I put it all together........then I loaded the OS................it wasn't colour co-ordinated, but I was SYSADMIN!...
    And only I had the power cable and the password, so the beast was safe.................and she could not use it (matches the carpet and wallpaper though)"


    Silly?...yes...but, depending on where you are in an IT environment, what can happen differs.


    Obviously, I exaggerate.............poetic licence?............we use a User password (kill guest on sight IMHO); I have a "superuser" one and the administrator profile, which I have changed and hidden.

    When you are at college, I do not think that you are subject to many restrictions; just like the beast that I created, you create the restrictions yourself.................in the real world, things are a bit different.


    We will get questions from well-meaning types who think that they know it all and "xyz sucks" or "abc sucks"....I find that amusing...............the "enthusiasm of youth".

    The bottom line is that most professional systems are secure, or capable of being made reasonably so. These easy exploits do not exist..........perhaps some of these guys should subscribe to the CERT newsletter.......an outfit funded by the DoD, FBI and IRS..............and it was the IRS who put Capone in Joliet?


    Yes, there are a lot of serious security issues out there, but a lot of this is not applicable to the real world?

    There you go guys.........got £0.03 worth then (sponsored by Blossom Hill white zinfandel)

    Cheers, and good whatever time it is wherever you are

  8. #18

    Physical Access

    Several of the posters have touched on this, but it is so important that I wanted to make it a separate post. Physical security of your computer (controlling physical access) is the first and basic step in defending against knowledgeable persons. I have never been able to absolutely deny access to a person with extended, unobserved access to a computer. If a person can add or remove hardware, reset your BIOS password, add and remove drives, etc., it's really hard to protect things. In fact, if you have something a competitor or a spy really wants, they can just walk out with the whole computer if there is no physical security.

    Szafran -- it's not that your information isn't potentially of some use to some, it's just that most of us have, for really important computers, provided physical security, prevented boots from external drives, password protected the BIOS, selected an operating system with significant security features, and implemented those procedures. For these reasons, the things you propose won't work on computers we care about.
