Hello, I found that SAM file could be replaced just like PWL files in Win9x. I posted the following to Bugtraq, but in spite of posting twice it never appeared in the list... (possibly moderated)
Folks, go ahead and change the boot options in your BIOS ASAP. >>>>>> Original Posting to Bugtraq but never appeared It is well know that Windows 2k/XP local user account passwords can be reset with Petter Nordahl's ntbootdisk available at http://home.eunet.no/~pnordahl/ntpasswd/bootdisk.html Since the disk loads the Windows NTFS partition as read write partition wouldn't it be nice if we could backup the SAM file and restore it if something went wrong. This seems to have a security issue, similar to PWL files replacement in Win9x. In the Win9x world renaming PWL files allowed one to bypass the Win9x passwords. The same would be feasible with Windows 2k/XP as well. Normally when Windows 2k/XP OS is active, the SAM registry cannot be accessed, Petter's disk tries to load the files offline and makes the necessary password reset changes. Just copying the SAM file to a secondary medium before changes and restoring the SAM file later is enough to get the old passwords back. Someone could 1. Backup the old administrator password 2. Replace it with chntpw utility 3. Install applications/trojans/sniffer 4. Restore the old administrator password This means ANYONE could be ADMINISTRATOR to a box without knowing the password and not changing the password (a.k.a SAM switch). In a University/Corporate environment point 3 is a nightmare, it would be difficult to detect such offline privilege use techniques. Though this technique is possible by command line, Petter's disk doesn't have a menu interface for this. I have changed the scripts on his disk to be able to backup and restore the SAM file. It is available at http://whitehatzone.tripod.com Some Solutions to address this issue: 1. By default HDD should be the first boot device (The above floppy image could easily be modified to be made to boot from CDROM, USB storage, USB floppy hence HDD should be the first) 2. The SAM password injection technique as identified by Petter Nordahl should be addressed by the vendor. (On a side note this is fixable by the vendor if they correct the NTLM and LANMan crypted hash to that of the syskeyed NTLMv2 instead of vice-versa as done currently. This is what allows Petter's utility to inject crypted LANMAN, NTLM hashes into the SAM which get syskeyed on next boot.) -Palan Annamalai Researcher, VTLAN, Virginia Tech. palan-AT-myrealbox.com _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
