The following security advisory is sent to the securiteam mailing list, and can
be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
The SecuriTeam alerts list - Free, Accurate, Independent.
Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html
- - - - - - - - -
Blank Administrator Password on OEM Windows XP Installation
------------------------------------------------------------------------
SUMMARY
DELL OEM XP Processional has a default hidden administrator account, with
no password set. Use of this account will allow anyone with physical
access to the computer to fully control the computer, add spyware,
keystroke loggers, password stealing software and read all files,
including temp files, local files, documents, and any email that has been
stored locally.
DETAILS
Vulnerable Systems:
* DELL Laptops with pre installed Microsoft Windows XP Professional SP2
Immune Systems:
* DELL Laptops with Retail Microsoft Windows XP professional, RTM, SP1
and SP2
A retail setup implementation of Microsoft Windows XP Professional
Edition, "Out-of-Box Experience" (OOBE), requires that the installer be
given the option to add an Administrator account. During the installation,
the XP Installer states : "You must provide a name and an Administrator
password for your computer. Setup creates a user account called
Administrator. You use this account when you need full access to your
computer." While setup will not require that a password actually be
entered, it does stress that one SHOULD be entered. Additionally, the user
is prompted to create a regular user account for general use.
In contrast, the DELL setup implementation of Microsoft Windows XP
Professional Edition does not include such steps. The existence of an
administrator account is never mentioned. Instead, the setup asks: "Who
will use this computer? Type the name of each person who will use this
computer. Windows will create a separate user account for each person so
you can personalize the way you want Windows to organize and display
information, protect your files and computer settings, and customize the
desktop. These names will appear on the Welcome screen in alphabetical
order. When you start Windows, simply click your name on the Welcome
screen to begin. If you want to set passwords and limit permissions for
each user, or add more user accounts after you finish setting up Windows,
just click CONTROL PANEL in the START menu, and then click USER ACCOUNTS."
By default, none of the accounts added in this step have passwords. Nor is
their an option to set passwords during the install. While this is not
unique to the IBM install, it is a known weakness in the Windows XP OOBE,
including retail and OEM versions. Because the Administrator account was
never requested, this leaves the system in a very vulnerable state.
CVE Information:
<http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-0504>
CAN-1999-0504
ADDITIONAL INFORMATION
The information has been provided by <mailto:scheidell@secnap.net>
Michael Scheidell.
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to:
list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to:
list-subscribe@securiteam.com
====================
====================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any
kind.
In no event shall we be liable for any damages whatsoever including direct,
indirect, incidental, consequential, loss of business profits or special
damages.
