Information Security News mailing list archives

Windows 2000 Port Invites Intruders


From: InfoSec News <isn () c4i org>
Date: Tue, 28 Aug 2001 04:54:19 -0500 (CDT)

Forwarded by: Jonathan Rickman <jonathan () xcorps net>

http://www.newsbytes.com/news/01/169408.html

By Brian McWilliams, Newsbytes
REDMOND, WASHINGTON, U.S.A.,
26 Aug 2001, 6:14 PM CST
 
Exploiting a hole in Windows 2000, a hacker says he penetrated
Microsoft's corporate network earlier this month and had full access
to hundreds of the company's computers.

The security breach, which took place over a six-day period beginning
Aug. 12, involved a shopping server that was part of the Microsoft
Network in Europe, as well as scores of workstations and servers
located overseas, he says. A list of the vulnerable machines was
provided to Newsbytes by the anonymous intruder, a self-proclaimed
white-hat hacker who uses the nickname "Benign."

Microsoft officials refused to comment on the incident, noting that
the company does not confirm or deny whether an unauthorized intrusion
into its network has occurred.

But a security expert who reviewed specific details of the penetration
said the break-in appeared realistic.

"It looks plausible. He was brazen, but a bit impressive too," said
Jeff Forristal, lead security developer at Neohapsis, a Chicago,
Illinois-based network and security consulting firm.

To breach one of the most heavily defended networks on the planet, the
intruder says he did not exploit any known or new software bugs, nor
did he use any special hacking tools. Instead, Benign claims to have
virtually strolled into the systems' back door, using Windows 2000's
TCP port 445, which is open by default to allow file sharing with
remote systems.

Benign said his entry was unimpeded by authentication; all of the
computers had no password or used the word "password" for accessing
the systems' administrative accounts.

According to the intruder, who says he worked alone and doesn't belong
to a hacking group, two insecure Windows 2000 (Win2K) systems on the
periphery of Microsoft's network were used to gain entry to the
company's firewalled corporate network.

Besides being connected to the Internet, the vulnerable systems were
"dual-homed" and linked to an intranet that was part of Microsoft's
corporate network, said the man, who claimed to be a graduate student
in his thirties.

Although he had privileges to perform any operation he wished on the
machines, Benign claimed he did not damage or even view files on them.

"At times I feel like a kid in a candy store. I read reports of new
ways to hack Windows and I roll my eyes. Why bother, when I have what
seems like a field of powerful Win2K machines at my disposal,
stretching as far as the eye can see?" he said.

The list of vulnerable computers provided to Newsbytes included the IP
address, machine name, workgroup, username, and password of more than
400 Microsoft systems on the internal Microsoft network. Among the
workgroup names were "NT_DEV," "Redmond," "SouthAmerica," and
"FarEast."

Scott Culp, head of Microsoft's security response center, confirmed
that Win2K does not require administrators to set a password when
installing the software, although Microsoft advises them to pick a
strong one.

"None of this is a flaw in Windows 2000. The problem is the password,
not the file sharing service. Any system that has a blank or easily
guessable password is prone to compromise from a variety of avenues,"
said Culp, who noted that having port 445 open by default is
appropriate because Win2K was designed for business users on a
network.

Earlier versions of Windows, however, ship with file sharing disabled.
As a further precaution, most Internet service providers and
corporations follow the advice of the SANS Institute and other
security experts by firewalling access to port 139, the file sharing
service used by Windows 9x and ME.

Even Microsoft security specialists recognize that the new port
introduced in Win2K can create a vulnerability. In a posting to a
security mailing list in November of 1999, David LeBlanc, a security
expert who is now part of Microsoft's network security group, weighed
the advantages and disadvantages of the new operating system compared
to its predecessor, Windows NT. "In terms of what's worse, there are
more ports to worry about - port 445 yields much of the same
functionality as 139, so it is another port to block," he wrote.

Such blocking strategies were born of necessity: Port 139 is
perennially among the top-ten most attacked ports, according to
Johannes Ullrich, operator of the intrusion statistics site
Dshield.org.

But few administrators cordon off the newer port 445. Fortunately, only
a small number of computer intruders rattle the door knob on port 445.
Participating Dshield sites recorded only 42 scans to port 445 for the
entire week just ended. Port 139, on the other hand, received several
thousand scans per day.
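The kind of per-port tally the DShield figures above come from, as an added example that is neither DShield's code nor part of the article: it aggregates submitted probe records per destination port and also flags a source that sweeps many targets on one port, the footprint a Benign-style scan of an address range leaves. The record layout (tab-separated: date, submitter id, count, source, source port, target, target port, protocol, flags) and the sample lines are constructed here for illustration.

```python
"""Summarise port probes from a DShield-style submission log.

Added example, not from the Newsbytes article or DShield.  Record layout
and sample lines are constructed for illustration.
"""
from collections import Counter, defaultdict

# Constructed sample: one source sweeping 139, one sweeping 445, one
# single 139 probe, one unrelated port, and a malformed line to skip.
SAMPLE_LOG = """\
2001-08-26 10:22:11 -05:00\t1001\t1\t203.0.113.7\t3456\t192.0.2.10\t139\tTCP\tS
2001-08-26 10:22:12 -05:00\t1001\t1\t203.0.113.7\t3457\t192.0.2.11\t139\tTCP\tS
2001-08-26 11:05:40 -05:00\t1002\t3\t198.51.100.4\t1029\t192.0.2.20\t139\tTCP\tS
2001-08-26 12:00:01 -05:00\t1003\t1\t198.51.100.9\t4001\t192.0.2.30\t80\tTCP\tS
2001-08-26 13:14:15 -05:00\t1004\t1\t203.0.113.50\t2001\t192.0.2.40\t445\tTCP\tS
2001-08-26 13:14:16 -05:00\t1004\t1\t203.0.113.50\t2002\t192.0.2.41\t445\tTCP\tS
2001-08-26 13:14:17 -05:00\t1004\t1\t203.0.113.50\t2003\t192.0.2.42\t445\tTCP\tS
2001-08-27 09:30:00 -05:00\t1001\t2\t203.0.113.7\t3460\t192.0.2.12\t139\tTCP\tS
this line is malformed and should be skipped
"""


def parse_records(text):
    """Yield one dict per well-formed record; silently skip anything else."""
    for raw in text.splitlines():
        fields = raw.split("\t")
        if len(fields) != 9:
            continue
        date, _submitter, count, src, _sport, dst, dport, proto, _flags = fields
        try:
            yield {
                "day": date[:10],          # YYYY-MM-DD part of the timestamp
                "count": int(count),       # probes folded into this record
                "src": src,
                "dst": dst,
                "dport": int(dport),
                "proto": proto,
            }
        except ValueError:
            continue                       # non-numeric count or port


def probes_per_port(records, proto="TCP"):
    """Total probe count per destination port: the 'port report' view."""
    totals = Counter()
    for r in records:
        if r["proto"] == proto:
            totals[r["dport"]] += r["count"]
    return totals


def sweeping_sources(records, port, min_targets=3):
    """Sources that touched at least min_targets distinct hosts on port."""
    targets = defaultdict(set)
    for r in records:
        if r["dport"] == port:
            targets[r["src"]].add(r["dst"])
    return {src: len(t) for src, t in targets.items() if len(t) >= min_targets}


def report(text):
    """Per-port totals plus horizontal sweeps on the two file-sharing ports."""
    recs = list(parse_records(text))
    return {
        "per_port": probes_per_port(recs),
        "sweeps_445": sweeping_sources(recs, 445),
        "sweeps_139": sweeping_sources(recs, 139),
    }


if __name__ == "__main__":
    r = report(SAMPLE_LOG)
    for port, n in r["per_port"].most_common():
        print(f"port {port:>5}: {n} probes")
    for port in (445, 139):
        for src, n in r[f"sweeps_{port}"].items():
            print(f"sweep of port {port} from {src}: {n} targets")
```

The per-record `count` field is summed rather than the number of lines, because a submitter that already folds repeated probes into one record would otherwise be under-counted; the sweep detector keys on distinct targets per source, so a host that is merely retried does not look like a scan.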

"Right now, port 445 is an under-utilized avenue for attack. It could
be a disaster waiting to happen," said Greg Shipley, director of
security consulting services for Neohapsis.

Exactly why computer attackers have yet to pounce on port 445 is not
clear, but one pragmatic issue may be at work: Using Server Message
Block (SMB) protocol to communicate with the port is difficult unless
an attacker is also running Win2K.

Microsoft's Windows XP operating system, the successor to Win2K, also
uses port 445 but is hardened out of the box against the sorts of
attacks utilized by Benign against Microsoft. For example, if an
administrator chooses a blank password, Windows XP will disable
network file sharing, according to Culp.

But the software, which shipped to PC manufacturers Friday, could
prove to be a double-edged sword, giving malicious XP users a means to
easily access the port on unprotected Win2K systems, according to
Benign.

Benign said he discovered the unlocked back entrance to Win2K last
spring after installing the operating system on his PC. While sharing
music and video files over the Internet with a friend, he was startled
to find that he could log in as administrator on his pal's Win2K
system without using a password.

Curious, he used a popular network tool to scan a section of Internet
address space for other systems with unlocked port 445s. He says his
scanner quickly spooled out a list of tens of thousands of Win2K
systems with the port unblocked, and of those, thousands had no
password set.
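The exposure check that both the entry described earlier (an open TCP/445 reached straight from the Internet) and Benign's address-space scan above call for, as an added example that is not code from the article, from Benign, or from any tool it names: a connect scan of TCP/445 that, when the port is open, sends a single SMB1 NEGOTIATE offering the "NT LM 0.12" dialect Windows 2000 speaks and records whether the host answered as SMB and what security mode it advertises. It deliberately stops short of a logon, so it tells you which of your own hosts are reachable on 445, not whether their Administrator password is blank; that check needs a full session setup. The host list, timeout and thread count are assumptions, and the scan should only be pointed at address space you are authorised to test.

```python
"""Find hosts that answer SMB on TCP/445.

Added example, not from the article or any tool it mentions.  Target
list, timeout and worker count are assumptions for illustration.
"""
import socket
import struct
from concurrent.futures import ThreadPoolExecutor

SMB_PORT = 445
SMB_COM_NEGOTIATE = 0x72
NT_LM_012 = b"NT LM 0.12"          # dialect spoken by Windows NT/2000


def build_negotiate_request(dialects=(NT_LM_012,)):
    """Return a NetBIOS-session-framed SMB1 NEGOTIATE request."""
    header = struct.pack(
        "<4sBIBHH8sHHHHH",
        b"\xffSMB",         # protocol id
        SMB_COM_NEGOTIATE,  # command
        0,                  # NT status (unused in a request)
        0x18,               # flags: canonical paths, case-insensitive
        0xC001,             # flags2: Unicode, NT status codes, long names
        0,                  # PID high
        b"\x00" * 8,        # security features / signature
        0,                  # reserved
        0,                  # TID
        0xFEFF,             # PID low
        0,                  # UID
        0,                  # MID
    )
    dialect_block = b"".join(b"\x02" + d + b"\x00" for d in dialects)
    # WordCount 0, then ByteCount and the dialect list
    smb = header + b"\x00" + struct.pack("<H", len(dialect_block)) + dialect_block
    return b"\x00" + len(smb).to_bytes(3, "big") + smb


def parse_negotiate_response(data):
    """Summarise an SMB1 NEGOTIATE reply; None if the bytes are not SMB."""
    if len(data) < 37 or data[4:8] != b"\xffSMB":
        return None
    command = data[8]
    status = struct.unpack_from("<I", data, 9)[0]
    word_count = data[36]
    info = {"command": command, "status": status, "dialect_index": None,
            "user_level_security": None, "challenge_response": None}
    if command == SMB_COM_NEGOTIATE and word_count >= 1 and len(data) >= 39:
        info["dialect_index"] = struct.unpack_from("<H", data, 37)[0]
        # Next byte is SecurityMode: bit0 user-level auth, bit1 challenge/response;
        # 0xFFFF means the server accepted none of the offered dialects.
        if info["dialect_index"] != 0xFFFF and word_count >= 2 and len(data) >= 40:
            info["user_level_security"] = bool(data[39] & 0x01)
            info["challenge_response"] = bool(data[39] & 0x02)
    return info


def probe_host(host, port=SMB_PORT, timeout=2.0):
    """Connect, negotiate, classify: closed / open but not SMB / open SMB."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(build_negotiate_request())
            reply = s.recv(4096)
    except OSError as exc:               # refused, unreachable, timed out
        return {"host": host, "open": False, "reason": type(exc).__name__}
    info = parse_negotiate_response(reply)
    return {"host": host, "open": True, "smb": info is not None, "negotiate": info}


def scan(hosts, workers=32, **kw):
    """Probe hosts concurrently; results come back in input order."""
    with ThreadPoolExecutor(max_workers=workers) as pool:
        return list(pool.map(lambda h: probe_host(h, **kw), hosts))


if __name__ == "__main__":
    # Constructed target list (TEST-NET addresses); substitute your own.
    for r in scan(["192.0.2.10", "192.0.2.11", "192.0.2.12"], timeout=1.0):
        if r["open"] and r["smb"]:
            print(f"{r['host']}: SMB on 445, negotiate={r['negotiate']}")
        elif r["open"]:
            print(f"{r['host']}: 445 open but not SMB")
        else:
            print(f"{r['host']}: no SMB ({r['reason']})")
```

A host that reports `user_level_security` and `challenge_response` is still only as safe as its account passwords, which is exactly the article's point: the negotiate reply tells you the door exists, not whether it is locked.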

That so many Win2K machines on the Net lack basic password protection
is no surprise to Steve Gibson, operator of Shields Up, a Web-based
service which allows computer users to probe their systems for open
ports. (Port 445 is currently not among those tested, but Gibson said
he intends to add it soon.)

According to Gibson, users often don't set passwords because they
wrongly assume that passwords only control local log-ons to their
machine.

"In a single-user home or small office setting, where users don't
perceive much danger of physical access by anyone else, passwords are
seen as an unnecessary annoyance," said Gibson.

Benign claims he reported many exposed Win2K machines this summer to
their owners, which included two large Web hosting firms as well as an
Internet radio broadcaster. But there were still thousands of Win2K
systems connected to DSL and cable modem lines that could be
commandeered by unauthorized outsiders over port 445.

Thanks to a feature in Win2K known as anonymous enumeration,
identifying powerful administrative accounts on an exposed system is
easy, according to Benign. The capability, enabled by default, allows
an unauthenticated remote user to obtain system information, including
usernames and details, account policies, and share names.

With the benefit of 20/20 hindsight, Microsoft released a security
tool last week that advises Win2K operators to disable anonymous
enumeration through a system-registry tweak. In Microsoft's current
view, the issue represents a severe security exposure.
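One way to check a Windows 2000 or XP machine for the two settings this article turns on, as an added example that is neither Microsoft's tool nor code from the article: it parses a regedit export of the Lsa key and reports whether anonymous enumeration is still permitted and whether blank-password accounts can be used over the network. The value names are from outside the article: RestrictAnonymous is the registry tweak Microsoft documents for null-session enumeration (0 allows it, 1 restricts it, 2 is stricter but can break browsing and trusts), and LimitBlankPasswordUse is assumed here to be the value behind the XP behaviour Culp describes, since the article names only the behaviour. The sample export is constructed.

```python
"""Audit an exported Lsa key for RestrictAnonymous and LimitBlankPasswordUse.

Added example, not Microsoft's tool.  Parses the text regedit's Export
command (or "reg export") writes; the sample export is constructed.
"""
import re

LSA_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa"

# Constructed export of a box that still allows anonymous enumeration
# and has never had LimitBlankPasswordUse set.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,00
"RestrictAnonymous"=dword:00000000
"""

# "Name"=value or @=value (default value); names may contain escaped quotes
_VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')


def parse_reg_export(data):
    """Return {key_path: {value_name: value}} from .reg text or bytes.

    Version 5.00 exports are UTF-16 with a BOM; REGEDIT4 exports are ANSI.
    dword and string values are decoded; other types (hex, multi-string)
    are kept as their raw text so the caller can still see they exist.
    """
    if isinstance(data, bytes):
        if data.startswith((b"\xff\xfe", b"\xfe\xff")):
            data = data.decode("utf-16")
        else:
            data = data.decode("latin-1")
    keys, current, pending = {}, None, ""
    for line in data.splitlines():
        line = pending + line.strip()
        pending = ""
        if not line or line.startswith(";"):
            continue
        if line.endswith("\\"):            # long hex values wrap with a trailing backslash
            pending = line[:-1]
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
            continue
        m = _VALUE_RE.match(line)
        if not m or current is None:
            continue
        name = m.group(1) if m.group(1) is not None else ""
        raw = m.group(2)
        if raw.startswith("dword:"):
            value = int(raw[6:], 16)
        elif len(raw) >= 2 and raw.startswith('"') and raw.endswith('"'):
            value = raw[1:-1].replace('\\"', '"').replace("\\\\", "\\")
        else:
            value = raw
        keys[current][name] = value
    return keys


def audit_lsa(keys):
    """Return (value_name, current, minimum_expected, message) findings."""
    lsa = keys.get(LSA_KEY, {})
    findings = []
    ra = lsa.get("RestrictAnonymous")
    if not isinstance(ra, int) or ra < 1:
        findings.append(("RestrictAnonymous", ra, 1,
                         "null sessions may enumerate accounts, policies and shares"))
    lb = lsa.get("LimitBlankPasswordUse")
    if not isinstance(lb, int) or lb < 1:
        findings.append(("LimitBlankPasswordUse", lb, 1,
                         "accounts with blank passwords may log on over the network"))
    return findings


if __name__ == "__main__":
    for name, current, want, msg in audit_lsa(parse_reg_export(SAMPLE_EXPORT)):
        print(f"{name}: is {current!r}, want >= {want}: {msg}")
```

A missing value is reported the same way as a zero, because on these systems the absence of the value is the permissive default; that is the case the article is about, and an auditor that only looks for an explicit 0 would miss it.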

On a whim earlier this month, Benign says he turned his scanner on
Microsoft's network, beginning with Internet protocol addresses
assigned to its main Web sites. The scan produced the two unprotected
Win2K machines that provided his gateway into the corporation's
intranet, he says.

Benign said Microsoft recently secured the systems he used to access
the firm's internal network. But he has offered to meet with company
officials in person to explain his mode of entry on their and other
companies' Win2K systems. The firm has not responded to his
invitation. When Newsbytes contacted Microsoft for information about
the intrusion, a company spokesman said, "Do you realize you are
cavorting with a felon?"

But Benign insists that he has done nothing unethical.

"Microsoft obviously needs to educate customers and its own internal
users about the problem. The world wouldn't have known about it unless
somebody checked."

Microsoft's information on Port 445 is at
http://support.microsoft.com/support/kb/articles/Q204/2/79.ASP .

Neohapsis is at http://www.neohapsis.com .

Shields Up is at http://www.grc.com .

Dshield's statistics on port 445 probes are at
http://www1.dshield.org/port_report.php?port=445 .

The SANS Institute's list of the top ten security threats is at
http://www.sans.org/topten.htm .



-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn' in the BODY
of the mail.
