From: Mnemonix [mnemonix@GLOBALNET.CO.UK]
Sent: Tuesday, September 07, 1999 11:37 PM
To: BUGTRAQ@SECURITYFOCUS.COM
Subject: A real Windows 2000 Backdoor?

There's been a lot of press recently about Windows 2000 backdoors such as the NSA key Crypto issue. I've been mulling over another "backdoor" for the past few days and the more I think about it, the more cynical I become.

We had Windows 95, then were blessed with 98 and soon Windows 2000 Professional will be out and, according to some, is set to be the replacement for 98 and installed on a few million PCs around the world. In preparation for this, Microsoft has made security "invisible" to the future home user: during the install the installer is prompted for an Administrator password - which they set. The installer is also asked to supply the name of the person the product is to be registered to - for example "David Litchfield". If the machine is not going to be joined to a domain, and they never are in the case of a home user, Windows 2000 then silently takes this name and creates an ADMINISTRATIVE user out of it and does NOT set a password for this account. It then sets values in the Winlogon registry key to Autologon the user without having to go through the rigmarole of Control+Alt+Deleting. Thus security is made invisible.

Now here comes the crunch - there's a Telnet Server installed on the system, though by default the service is not started. For the one person that doesn't know what a telnet server is on this mailing list, a telnet server is where a remote user can access the computer the telnet server is running on as if they are sat at that machine, typing commands at a Command Prompt. Big deal, some may say - the service isn't started. Guess what - the service can be started remotely by an administrator using DCOM. All we need then is an Administrative UserID and password and we can start the telnet service, then log into it and run commands on it as if we were sat at the machine!
That leaves the question of where do we get an admin userid and password from? Hey - maybe we could use the "David Litchfield" account. All we need to do to find out who is logged onto a particular machine is issue the following command from our machine:

C:\>nbtstat -A IP_Address

(since when does a PC home user on the 'Net deny NetBIOS based traffic to access their machine?) and we can get the name of the user currently logged on - for the home user it'll be the "David Litchfield" account. Great - Windows 2000 rooted in 3 seconds.

If this were a back door though, I'm sure that no-one at the NSA, sorry I mean Microsoft, could be bothered trying IP addresses at random. What they need is another way to get the telnet service started. One way to do this is embed some VBScript in an HTML document (or e-mail):

If an HTML document is opened with this script in it the telnet server will be silently launched - no warnings about dangerous ActiveX or anything. The user that just opened the document will have no idea that the telnet server has just been started.

So this begs the question: how do we get a million users to open up a document that had such code in it? Well, not that Microsoft would do it, but it would be _really_ easy to do if they wanted to by using the Windows Update service that keeps on telling you to update, so in the end you do just to shut the thing up and you are whisked away to the Microsoft web site where there happens to be a load of HTML documents. Hmmm. So, hypothetically, if Microsoft wanted to they could embed this code in their Windows Update page and start the telnet server - and guess what, they've just grabbed your IP address, too. All we're missing is the User ID now - but hey, they could get that using nbtstat if they really wanted to.

Even if this isn't a deliberate backdoor, it is one, and shows "great" forward thinking by the 2000 project team. If MS don't use this door you can bet the script-kiddiez will be all over this one.
Connect a Windows 2000 Professional machine to the Internet? No thanks.

Cheers,
David Litchfield
http://www.arca.com
http://www.infowar.co.uk/mnemonix/
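The post combines two host conditions: an administrative account set to log on automatically through the Winlogon key, and an installed Telnet server that anyone holding admin credentials can start. The PowerShell audit below is an added example, not part of the original post or of any Microsoft tooling; it assumes PowerShell 5.1 or later run as an administrator, and the value names AutoAdminLogon, DefaultUserName and DefaultPassword and the service name TlntSvr are the standard Windows ones, not taken from the post.

```powershell
# Added audit script (not from the original post): report whether a host shows the
# autologon-admin and startable-Telnet conditions described above, and optionally fix them.
# Assumes PowerShell 5.1+ run elevated; registry value and service names are standard Windows ones.

function Test-AutoLogonExposure {
    [CmdletBinding()]
    param([switch]$Remediate)

    $findings = @()
    $winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $wl = Get-ItemProperty -Path $winlogon -ErrorAction Stop

    # 1. Is the machine configured to log a user on without Ctrl+Alt+Del?
    if ($wl.AutoAdminLogon -eq '1') {
        $user = $wl.DefaultUserName
        $findings += "AutoAdminLogon is enabled for '$user'"

        # Is the autologon account a local administrator? (member names come back as HOST\user)
        $admins = Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue |
                  ForEach-Object { ($_.Name -split '\\')[-1] }
        if ($admins -contains $user) {
            $findings += "Autologon account '$user' is a member of Administrators"
        }
        if ($null -ne $wl.DefaultPassword) {
            $findings += 'DefaultPassword is stored in clear text in the Winlogon key'
        }
        if ($Remediate) {
            Set-ItemProperty -Path $winlogon -Name AutoAdminLogon -Value '0'
            Remove-ItemProperty -Path $winlogon -Name DefaultPassword -ErrorAction SilentlyContinue
        }
    }

    # 2. Is a Telnet server installed, and could it be started by whoever holds admin credentials?
    $telnet = Get-CimInstance -ClassName Win32_Service -Filter "Name='TlntSvr'"
    if ($telnet) {
        $findings += "Telnet server present: State=$($telnet.State) StartMode=$($telnet.StartMode)"
        if ($Remediate -and $telnet.StartMode -ne 'Disabled') {
            Stop-Service -Name TlntSvr -Force -ErrorAction SilentlyContinue
            Set-Service -Name TlntSvr -StartupType Disabled
        }
    }

    return $findings
}

# Report only; add -Remediate to turn autologon off and disable the Telnet service.
Test-AutoLogonExposure | ForEach-Object { Write-Output $_ }
```

An empty result means neither condition is present; a host that still needs unattended logon should at least not pair it with an account in the Administrators group.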