Full Disclosure mailing list archives

SAM Switch - Win2k/XP password-less login

From: "Palan" <Palan () myrealbox com>
Date: Thu, 25 Sep 2003 09:33:16 -0400

Hello,

I found that SAM file could be replaced just like PWL files in Win9x. I posted the following to Bugtraq, but in spite 
of posting twice it never appeared in the list... (possibly moderated)

Folks, go ahead and change the boot options in your BIOS ASAP.

Original Posting to Bugtraq but never appeared

It is well know that Windows 2k/XP local user account passwords can be reset with Petter Nordahl's ntbootdisk available
at

http://home.eunet.no/~pnordahl/ntpasswd/bootdisk.html

Since the disk loads the Windows NTFS partition as read write partition wouldn't it be nice if we could backup the SAM
file and restore it if something went wrong.

This seems to have a security issue, similar to PWL files replacement in Win9x. In the Win9x world renaming PWL files
allowed one to bypass the Win9x passwords. The same would be feasible with Windows 2k/XP as well.

Normally when Windows 2k/XP OS is active, the SAM registry cannot be accessed, Petter's disk tries to load the files
offline and makes the necessary password reset changes. Just copying the SAM file to a secondary medium before changes
and restoring the SAM file later is enough to get the old passwords back.

Someone could
1. Backup the old administrator password
2. Replace it with chntpw utility
3. Install applications/trojans/sniffer
4. Restore the old administrator password

This means ANYONE could be ADMINISTRATOR to a box without knowing the password and not changing the password (a.k.a SAM
switch).

In a University/Corporate environment point 3 is a nightmare, it would be difficult to detect such offline privilege
use techniques.

Though this technique is possible by command line, Petter's disk doesn't have a menu interface for this. I have changed
the scripts on his disk to be able to backup and restore the SAM file. It is available at

http://whitehatzone.tripod.com

Some Solutions to address this issue:
1. By default HDD should be the first boot device (The above floppy image could easily be modified to be made to boot
from CDROM, USB storage, USB floppy hence HDD should be the first)
2. The SAM password injection technique as identified by Petter Nordahl should be addressed by the vendor.
(On a side note this is fixable by the vendor if they correct the NTLM and LANMan crypted hash to that of the syskeyed
NTLMv2 instead of vice-versa as done currently. This is what allows Petter's utility to inject crypted LANMAN, NTLM
hashes into the SAM which get syskeyed on next boot.)

-Palan Annamalai

Researcher, VTLAN,
Virginia Tech.
palan-AT-myrealbox.com

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

Current thread:

SAM Switch - Win2k/XP password-less login Palan (Sep 25)
- <Possible follow-ups>
- RE: SAM Switch - Win2k/XP password-less login Schmehl, Paul L (Sep 25)
  - Re: SAM Switch - Win2k/XP password-less login Cael Abal (Sep 25)
  - Message not available
    - DANGER: potentially broken f-prot updates Mike Tancsa (Sep 25)
    - Re: DANGER: potentially broken f-prot updates Mike Tancsa (Sep 25)
  - Re: SAM Switch - Win2k/XP password-less login Steve Ames (Sep 25)