Michael,
Windows XP home edition hides the administrator account and disables access
to it entirely even from a manual login unless you are in safe mode. This
seems to be the most likely explaination of this "hidden" admin account.
Regards,
Larry
----- Original Message -----
From: "Michael Wilson, Contractor" <mwwilson@navo.hpc.mil>
To: "Chris Norton" <kicktd_list@hotmail.com>; "Michael Scheidell"
<scheidell@secnap.net>; <bugtraq@securityfocus.com>;
<vulnwatch@vulnwatch.org>; <full-disclosure@lists.netsys.com>
Cc: <vuln@security-corporation.com>; <security-alert@austin.ibm.com>;
<cert@us.ibm.com>
Sent: Friday, September 17, 2004 3:08 PM
Subject: RE: Vulnerability in IBM Windows XP: default hidden Administrator
account allows local Administrator access
Negative.
In previous versions of Windows (NT core), the install would allow you to
simply strike <enter> at the appropriate time, when being queried for an
administrator password, and voila -> the administrative password would be
blank.
Windows XP manual install will ask if you are sure, while warning of the
implications, and if you insist it disallows network access to the
administrator account to limit WAN or LAN hacking. I was working IA at a
major university when this, administrator account logins checking for
blank
or the password "password", became quite a problem. The response would
often be, "I forgot to reset after the install!" I pushed a domain policy
denying access to the local administrator password from the network,
regardless of what the password was.
Windows has instituted the same by default, thereby limiting this exploit
to
a console login, if the password hash = blank hash.
It is most likely the Vendor Install Customization that has caused this
issue, as true enough, most vendor installs force you to pick an
administrator password before using the system. If the account is hidden,
then it is definitely IBM's doing as I have never seen a Windows install
where the administrator account could not be seen under the accounts tab.
Thank you,
Michael Wilson CISSP (Contractor)
Lockheed Martin Space Operations
Computer Security Specialist
NAVO-MSRC
mwwilson@navo.hpc.mil
228-688-4393
-----Original Message-----
From: Chris Norton [mailto:kicktd_list@hotmail.com]
Sent: Friday, September 17, 2004 10:59 AM
To: Michael Scheidell; bugtraq@securityfocus.com;
vulnwatch@vulnwatch.org; full-disclosure@lists.netsys.com
Cc: vuln@security-corporation.com; security-alert@austin.ibm.com;
cert@us.ibm.com
Subject: Re: Vulnerability in IBM Windows XP: default hidden
Administrator account allows local Administrator access
This "hidden" Administrator account is part of Windows XP and NOT IBM's
porblem.
Every Windows XP system ships and installs with the Administrator and
blank
password.
This "hidden" account has been known about for some time, just like
Windows
2000
Administrator account is the same way. There are ways to disable or change
the
Administrator name and password or to disable the account completely.
--
Chris Norton
UAT Student Software Engineering Network Defense
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
