Simple security flaw poses threat to XP

By Patrick Gray
17 February 2003 02:50 PM
Tags: security, windows, xp, gray, administrator, patrick, attack, physical
A simple security flaw in the Windows XP operating system allows attackers with physical access to a Windows XP machine to obtain unrestricted administrator privileges by using the Windows 2000 Recovery Console utility.

The attacker simply puts the Windows 2000 CD into the drive and boots up the target system with it. When prompted, they select the recovery console option and immediately gain access to a command prompt without being queried for a password.

The attacker can then read and write data to and from the hard disk, including administrator data.

Although the flaw relies on physical access to be exploited, it is sure to cause headaches for network administrators enforcing a "user accounts only" policy in a corporate environment.

It has always been possible for attackers with physical access to a system, especially one with a bootable CD-ROM, to compromise it with relative ease by using other bootable CDs such as BiatchUX, the popular Linux-based forensic recovery tool. However, the ease of exploitation of this glitch is sure to cause concern among system administrators.

Security consultant Daniel Lewkovitz says administrators can minimize their exposure to these types of "physical access" vulnerabilities by taking a few simple measures.

"Any physical access to a machine gives a would-be attacker access to data such as passwords, and allows them to use bootable floppies or CDs," he said.

"All of these vulnerabilities can be reduced by strongly controlling physical access to the machine. Floppy drive locks and locking rack cabinets are a good start," he said.

He says that disabling the boot function on CD-ROMs and setting a BIOS password makes it much more difficult for attackers to exploit this vulnerability, but does stress that an attacker with physical access to a machine has many methods of attack available to them.

Windows 2000 is not affected by this issue.


Talkback 5 comments

    Talk about overkill by the med ...Paul Snedden -- 17/02/03

    Talk about overkill by the media. So what if a "hacker" can boot up a WinXP box with a Win2k recovery console. Isn't the fact that the "hacker" got physical access to the machine in the first place FAR more important?

    While Paul Sneddon's comments ...Anonymous -- 18/02/03

    While Paul Sneddon's comments may have merit in some theoretical locations, they seem a little naive in the "real world".

    Many networks have (and must have) accessible PCs for the simple operation of the business of the location. To ensure adequate protection against being tampered with (such as the installation of password capture programs, etc.), they rely on the security of the login.

    What is startling in this case is not that it is possible to access the machine through a boot medium (hey - no surprise there) but that a Microsoft operating system rescue facility provides access without any request for a password.

    Why do you need W2K recovery C ...Anonymous -- 18/02/03

    Why do you need a W2K recovery CD? You can use one of the many Linux-based system-on-a-floppy or system-on-a-CD systems to do the same thing. (They all will mount pretty well any filesystem, including NTFS, FAT or Apple's HPFS). Or if you have a screwdriver you can take the hard disk and mount it as a 2nd drive on any other computer that you have handy. Short of encrypting the data, having unsecured physical access to the system or storage device is always going to leave your data vulnerable.

    Move along....there is no news here.

    While Paul Adams' comments may ...Anonymous -- 18/02/03

    While Paul Adams' comments may have some negligible impact in his fantasy "real-world", the truth is that the only way to secure data on a computer system is to use encryption for sensitive data (either on a per-file or file system level), or by securing access to that machine. No matter what you do, physical access to a machine will always make the task of compromising that system so much easier. This security flaw is laughable to say the least.

    Schools have always had a prob ...Anonymous -- 18/02/03

    Schools have always had a problem with things like this. One of the best solutions I have seen is to use a "Zero" card in the PC. As soon as the PC is rebooted things go back to the way they were originally.

    You can use any boot CD you want; so far I have never seen anyone break it without physically altering the machine.

    We used to use PC lockout too which was really good when things were DOS based, but lacked strength and usability when things became Windows 95+ based.
