Microsoft Windows 2000 Default SYSKEY Configuration Vulnerability
BID:1198
Info
Microsoft Windows 2000 Default SYSKEY Configuration Vulnerability
| Bugtraq ID: | 1198 |
| Class: | Configuration Error |
| CVE: |
CVE-2000-0420 |
| Remote: | No |
| Local: | Yes |
| Published: | May 11 2000 12:00AM |
| Updated: | Jul 11 2009 01:56AM |
| Credit: | Discovered by Internet Security Systems and publicized in ISS SAVANT Advisory 00/26 on May 11, 2000. |
| Vulnerable: |
Microsoft Windows 2000 Terminal Services Microsoft Windows 2000 Server Microsoft Windows 2000 Professional Microsoft Windows 2000 Advanced Server |
| Not Vulnerable: | |
Discussion
Microsoft Windows 2000 Default SYSKEY Configuration Vulnerability
The default configuration of SYSKEY allows any local user to decrypt data encrypted with the Encrypted File System (EFS).
A known vulnerability exists in Windows 2000 where the SAM database can be deleted if the system is booted with a different operating system. Upon reboot, a new SAM database is created with the Administrator account having a blank password. A malicious user can now login as Administrator and decrypt data if the recovery key resides on the system.
The default mode SYSKEY operates in is to 'Store Startup Key Locally'. Under this mode, Windows 2000 will generate a random 128-bit system key and store it in the registry under HKLM/SYSTEM. Running SYSKEY in this mode will leave the system vulnerable to the exploit mentioned above.
In addition, a tool called 'ntpasswd' is available which can reset the password of any local user account, including the administrator account, by modifying password hashes in the SAM database. A local user can use this tool to login as Administrator (who is the default data recovery agent in the EFS) and from there, decrypt data using the EFS.
Domain-based accounts are not affected by this vulnerability.
The default configuration of SYSKEY allows any local user to decrypt data encrypted with the Encrypted File System (EFS).
A known vulnerability exists in Windows 2000 where the SAM database can be deleted if the system is booted with a different operating system. Upon reboot, a new SAM database is created with the Administrator account having a blank password. A malicious user can now login as Administrator and decrypt data if the recovery key resides on the system.
The default mode SYSKEY operates in is to 'Store Startup Key Locally'. Under this mode, Windows 2000 will generate a random 128-bit system key and store it in the registry under HKLM/SYSTEM. Running SYSKEY in this mode will leave the system vulnerable to the exploit mentioned above.
In addition, a tool called 'ntpasswd' is available which can reset the password of any local user account, including the administrator account, by modifying password hashes in the SAM database. A local user can use this tool to login as Administrator (who is the default data recovery agent in the EFS) and from there, decrypt data using the EFS.
Domain-based accounts are not affected by this vulnerability.
Exploit / POC
Microsoft Windows 2000 Default SYSKEY Configuration Vulnerability
see discussion
see discussion
Solution / Fix
Microsoft Windows 2000 Default SYSKEY Configuration Vulnerability
Solution:
Currently the SecurityFocus staff are not aware of any vendor supplied patches for this issue. If you feel we are in error or are aware of more recent information, please mail us at: [email protected].
Solution:
Currently the SecurityFocus staff are not aware of any vendor supplied patches for this issue. If you feel we are in error or are aware of more recent information, please mail us at: [email protected].
References
Microsoft Windows 2000 Default SYSKEY Configuration Vulnerability
References:
References:
- Offline NT Password & Registry Editor (Petter Nordahl-Hagen)