Windows recovery loophole lets hackers in

I never thought I#d do it...

Although a Unix fan, I have to say, so what?

With any user permission based file system that isn't encrypted, this is always a likelihood. It's up to administrators to make the machine physically secure, including making booting from external media a no go.

Linux, OpenBSD and various others that I have used are all open to this attack. What next, car windows are vulnerable to hammer blows?

F8? Why?

Double ctrl-alt-del in Normal Mode also does the trick ... it will spit out the traditional user/password prompt. Just type in Administrator with password blank and you can get in! (That's for XP Home)

Funny thing, it seems like Vista also leaves Administrator blank ...

er - u call this news? every os has this "feature"

Local drives are always available locally to any OS if booting from a different Drve. I welcome the addition of a proper CLI on the installer...

It ain't a bug.. if your physical machine isnt' secure then it's asking 4 trouble

this existis in Mac OS X, Linux etc...one just needs to lock bios/EFI/Open Firmware from allowing alternate boot drives..

If I was MS I'd ignore it too

Too many supposed vulnerabilities start with "all you need is admin access/local access at time of boot".

Is it a vulnerability that anyone can boot disk 1 of redhat/CentOS, type "linux rescue" and access the file system as root? I don't think so. The only way to protect local data from this sort of access is to use full-disk encryption.

Password access to the rescue console is no protection, just a hindrance.

This is NOT new, nor is it news.

<This is not news>

This same "exploit" has existed for years.

Windows Vista's setup is based upon Windows PE. Windows PE has always run as System, and presented a command prompt as its primary user interface.

This same "exploit" can be done easily with any copy of Windows PE, with a side-by-side installation of Windows, or a linux boot CD with NTFS capability. Note that what the original author suggests (insofar as any authentication done within Windows PE) would be a courtesy here, and since linux boot CD's wouldn't bother to do the same, would be a bizarre "courtesy", much as the innane, and much hated administrator login requirement for the Recovery Console (in earlier versions of Windows) was (consult documentation for Windows 2000, XP, or Server 2003 if you aren't familiar with it).

For more info, see Law #3 here: http://microsoft.com/technet/archive/community/columns/security/essays/10imlaws.mspx

As I've said in numerous articles and speeches, the way to secure systems against any type of attack like this is physical security and/or full-volume encryption.

</This is not news>

This is NOT an error

Short of disk-level encryption, or similar HDD scrambling schemes, you really can't prevent this if you give the attacker physical access to the hardware. You can remove the HDD, you can boot systems like Linux, you can zero CMOS memory to bypass power-up passwords, all sorts of ways. You can't hold the OS responsible until it's booted (and the install version is not the full OS).

local access?

Gr8!!

So not likely to see any mass infections in this century from that one then, not unless we cross sploit.

Dude, bro, madam... So yet another local exploit is uncovered, not exactly newsworthy or *shudders* TERRIFYING is it?

No doubt my old ZX Spec is exploitable, given a pair of knickers and a bra, you would find it walking the streets chatting up young Commodors.. However, to report every little bug available in an O/S starts to get tiresome at some point, at least, it does when you find it makes it into every fucking article on the net. Keep this shit to exploitzRus and not here ta, just cause there's a hole in my coffee cup dont mean some fuckers gonna rob me.

BIOS password

As several have pointed ouit, it's easy to compromise a system if you can get it to boot off an alternate media (CD, DVD, Flash etc.). If this is a concern, the obvious thing to do (assuming the PC supports it) is to disable booting from alternate media in the BIOS and then password protect the BIOS. It still won't stop a determined individual (open the box, reset the BIOS) but will slow them down and make "casual" access harder.

Recovery Consoles

This is an old trick with XP. Just boot the PC up with a Windows 2000 install disk. And use the recovery console there. (Have not yet tried this with Vista... but I expect it still works. heheh)

Not only does this give you access to a DOS prompt for XP, but ignores any admin password, and gives FULL access to the WHOLE disk.

I have been using this trick for so long to run chkdsk or kill a dodgy virus, that I was surprised to find that the recovery console using an XP disk _didn't_ allow access to the whole machine. LoL.

(I _had_ to use this trick on the "before SP1" XP systems.... their recovery consoles were broken and wouldn't allow _any_ access, even if the correct password was used... LoL)

Not really a security problem. If the "hacker" is in front of your PC, then your security features have broken down a bit far..... physical access to a machine always allows someone to quietly boot the PC with a Linux CD and copy anything at their leisure using the GUI and a nice DVD Writer/Flash Drive. :)

I'm glad . .

I'm glad someone found at least one good use for a Vista install DVD.

This isn't news

As other people have said this method has been around since windows 2k and how much damage has it done? none thats been reported.

What use is this method? anyone with an ounce of common sense don't keep important data on client machines, unless someone managed to get physical access to a server the only problem that can arise is the admin will have to send one of his minions to reinstall the OS.

If someone broke into my house I serously doubt they'd come armed with a Windows Vista DVD

err...

This is a problem on all local (ie non terminal based) systems, this is one of the reasons that many companies are electing to run terminal servers - you stick your servers in a physically secured room.

ANY computer/OS can be compromised (encrypted file systems not withstanding) if you have local access and a bunch of tools. With the possilbe exception of Z/OS et al, although I can't think of a Z server that isn't in a highly secured data centre.

Nothing to see here, move along please...

Good use for Vista DVD

Just one good use? there are thousands!

For use as a coaster,

Making indoor fireworks in a microwave,

Cutting into shurikens and attacking (L)users...

The list is endless!

P.S.

Not an informed comment? Fair enough, but this wasn't an informed article!

Stolen = physical access

Yeah, I can get physical access by stealing your machine. But I've stepped away from that by installing a NAS with all my critical information on it. It quietly sits under my desk, out of the way.

All my tax stuff is on a USB key that's locked up in my safe.

No new news?

As an orginal source of this article, I'd like to point out few things:

- there are millions of installation dvd's available, even typical end-user can now misuse it, you don't have to use Google to find suitable software, download it (and/or included trojan) and learn how to use it

- as mentioned, you can use WinPE to boot into cmd even without any mouse clicks, but typical end user doesn't know what are terms like WAIK, WinPE, ISO-disk etc. Also, shift + F10 in Vista setup - plenty to choose from.

- the only *real* solution is of course HD encryption / tight physical security, but why there are so many computers without encryption? Why there are so few TPM-ready desktops available? Who would like to save certificates into usb-memory? Why Windows Server 2008 includes BitLocker in every version but not in Vista Business for example? Encryption isn't that easy.

====

Of course this was not a news for security professionals, but this is a news for ordinary non security IT-professionals and end users. They don't understand, how easy it is crack into their system where they save their confidential information, and now it's even a little bit easerier, tnx to this installation-DVD.

lost potential for a flame war

Oh come on chaps - this 'nothing to see here' attitude really won't do.

This is a wondrous opportunity for a bunch of us to slag MS, and big up other systems on which the issue is virtually identical, have MS fanchaps come back pointing this out, and then gradually drift away from rational discourse into 'my memory chip is bigger than yours, and anyway you've got a bad BIOS' territory.

I've never seen a flamewar on el Reg, and with fodder like this being ignored I think I may never do so. At this rate I'm going to head back to slashdot for my tech 'news'.

You should all be ashamed of your rational sensible viewpoints on this matter.

Flame on!!1!!ONE!!!

Yes, well, you haven't been following the Safari news then...

(From a *nix geek) Thank you MS! No, seriously.

Thank the maker! This Admin-Pass work around CD is going to feel sooo goood!

Seriously, I cannot count the number of times I have had to work on a clients computer (private sector PC repair) and they have no idea what their password is. Usually I take out their hard drive and mount it in the test box at work, but this is the same difference. BitLocker scares me from a repair point of view. Once the TPM is common place, how many people will enable full disk encryption with out realizing they have just made restoring data from a hosed system (especially if the MoBo is fried via a surge) very costly and difficult? I am glad the option is lacking on most vista installs, at least until the common user understands just what they are getting themselves into.

what next...?

physical access to any bit of kit allows u to follow the manufs repair instructions

if it was remotely exploitable then it might be intresting, but so what if with the install cd u can access the hdd as root, would make installing/reinstalling a bit bloody difficult if it couldnt.

end of the day if they got physical access they dont need to hack just bypass

(possibly one of the few things the ccna course i did got right, was teach the dangers of physical access, any wonder its a part of ccna 1, to recover and reset passwords from cisco routers?)

There's worse in NT 4.0

I found a Windows NT 4.0 SP6 PDC/fileserver at a customer site the other day, and no one knew any of the passwords to it (sigh...) so grabbing at straws, I clicked on the usrmgr.exe ( I have them on my keychain/USB ) using an WinXP media center PC on the same LAN ... not only was I able to select and view the users on its domain **without being authenticated**, but I was able to reset the administrator account password as well.

When someone mentions windows and security in the same breath or paragraph, its because they are telling a joke.

the old windows security arguement

Is it a 10" steel vault door on a cardboard box..

or is the vault door cardboard too ?

equipped with intent to steal

"If someone broke into my house I serously doubt they'd come armed with a Windows Vista DVD"

This one made me laugh out loud...seeing how we have the "equipped with intent to steal" law here in England, do you think we can now be arrested for carrying a vista install DVD around?

I'm having mental images of geeks getting arrested at gun point for carrying thier cd wallets...

Un-news-worthy non-issue, but encrypt your data people!

I agree that this is pretty much a non-issue - physical access to a machine means it is compromised; that's why business systems are (should be) physically secured.

However, this article does highlight the need for people to safegaurd their personal data. If burglar Bill nicks your home PC, then he has access to any personal info on it. Perhaps you have bank account details stored in saved emails, login ids and passwords, portfolio details, whatever. Even not, would you like him looking thru your holiday pics or saucy pics of your missus - you know that's why you got that digital camera really ;)

Virtual encrypted disk software is readily available for all platforms for free - eg: Truecrypt, and probably others. USE IT PEOPLE!

Also, back up your data - DVD burners are cheap too!

Thus, if you're unfortunate enough to have your PC stolen, you don't need to worry about your data being access, and can buy a new and put it all back.

This is not a vulnerability

every OS has this feature, i love to bash microsoft when they deserve it but this is just gettign silly

OSX, BSD, LInux all have this same feature, if sombody can gain physical access to you server then your in trouble anyway as it would be far easier for them to switch it off or just steal the hard disk or take a sledge hammer to the server, being able to log on as root is the least of you worries

This is not a vulnerability

every OS has this feature, i love to bash microsoft when they deserve it but this is just gettign silly

OSX, BSD, LInux all have this same feature, if sombody can gain physical access to you server then your in trouble anyway as it would be far easier for them to switch it off or just steal the hard disk or take a sledge hammer to the server, being able to log on as root is the least of you worries

Local Access

Well, if they've got local access, what is a crook likely to do - hack into my computer, or just take it? Why bother getting all clever with an install DVD, when you can just take it away and examine it at your leisure - assuming you even want the data on it?

If there is sensitive data on the drive, then you need to keep the computer in a secure location anyway. If it isn't physically secure, a burglar with an install DVD is the least of your troubles.

BTW, this "exploit" is possible with all manner of OS's, including Linux. I don't see what the problem is, nor why this is considered an exploit.

Tsk

Indeed, if you boot a Solaris install disk in single-user mode it'll also give you root access without a password. In fact this is the official way to recover lost root passwords. Likewise, Linux too can be booted with a kernel parameter that gives you a root shell with no password required. You don't even need a CD on many boxes, I don't recall anyone making a big fuss over that.

Besides, if an attacker has physical access to the machine, all bets are off anyway. That's not really Microsoft's fault.

Shame on you for falling for this one, John.