Forwarded by: Jonathan Rickman <jonathanat_private>

http://www.newsbytes.com/news/01/169408.html

By Brian McWilliams, Newsbytes

REDMOND, WASHINGTON, U.S.A., 26 Aug 2001, 6:14 PM CST

Exploiting a hole in Windows 2000, a hacker says he penetrated Microsoft's corporate network earlier this month and had full access to hundreds of the company's computers.

The security breach, which took place over a six-day period beginning Aug. 12, involved a shopping server that was part of the Microsoft Network in Europe, as well as scores of workstations and servers located overseas, he says.

A list of the vulnerable machines was provided to Newsbytes by the anonymous intruder, a self-proclaimed white-hat hacker who uses the nickname "Benign."

Microsoft officials refused to comment on the incident, noting that the company does not confirm or deny whether an unauthorized intrusion into its network has occurred.

But a security expert who reviewed specific details of the penetration said the break-in appeared realistic. "It looks plausible. He was brazen, but a bit impressive too," said Jeff Forristal, lead security developer at Neohapsis, a Chicago, Illinois-based network and security consulting firm.

To breach one of the most heavily defended networks on the planet, the intruder says he did not exploit any known or new software bugs, nor did he use any special hacking tools. Instead, Benign claims to have virtually strolled into the systems' back door, using Windows 2000's TCP port 445, which is open by default to allow file sharing with remote systems.

Benign said his entry was unimpeded by authentication; all of the computers had no password or used the word "password" for accessing the systems' administrative accounts.

According to the intruder, who says he worked alone and doesn't belong to a hacking group, two insecure Windows 2000 (Win2K) systems on the periphery of Microsoft's network were used to gain entry to the company's firewalled corporate network.
Besides being connected to the Internet, the vulnerable systems were "dual-homed" and linked to an intranet that was part of Microsoft's corporate network, said the man, who claimed to be a graduate student in his thirties.

Although he had privileges to perform any operation he wished on the machines, Benign claimed he did not damage or even view files on them.

"At times I feel like a kid in a candy store. I read reports of new ways to hack Windows and I roll my eyes. Why bother, when I have what seems like a field of powerful Win2K machines at my disposal, stretching as far as the eye can see?" he said.

The list of vulnerable computers provided to Newsbytes included the IP address, machine name, workgroup, username, and password of more than 400 Microsoft systems on the internal Microsoft network. Among the workgroup names were "NT_DEV," "Redmond," "SouthAmerica," and "FarEast."

Scott Culp, head of Microsoft's security response center, confirmed that Win2K does not require administrators to set a password when installing the software, although Microsoft advises them to pick a strong one.

"None of this is a flaw in Windows 2000. The problem is the password, not the file sharing service. Any system that has a blank or easily guessable password is prone to compromise from a variety of avenues," said Culp, who noted that having port 445 open by default is appropriate because Win2K was designed for business users on a network.

Earlier versions of Windows, however, ship with file sharing disabled. As a further precaution, most Internet service providers and corporations follow the advice of the SANS Institute and other security experts by firewalling access to port 139, the file sharing service used by Windows 9x and ME.

Even Microsoft security specialists recognize that the new port introduced in Win2K can create a vulnerability.
In a posting to a security mailing list in November of 1999, David LeBlanc, a security expert who is now part of Microsoft's network security group, weighed the advantages and disadvantages of the new operating system compared to its predecessor, Windows NT.

"In terms of what's worse, there are more ports to worry about - port 445 yields much of the same functionality as 139, so it is another port to block," he wrote.

Such blocking strategies were born of necessity: Port 139 is perennially among the top-ten most attacked ports, according to Johannes Ullrich, operator of the intrusion statistics site Dshield.org. But few administrators cordon off the newer port 445.

Fortunately, only a small number of computer intruders rattle the door knob on port 445. Participating Dshield sites recorded only 42 scans to port 445 for the entire week just ended. Port 139, on the other hand, received several thousand scans per day.

"Right now, port 445 is an under-utilized avenue for attack. It could be a disaster waiting to happen," said Greg Shipley, director of security consulting services for Neohapsis.

Exactly why computer attackers have yet to pounce on port 445 is not clear, but one pragmatic issue may be at work: Using the Server Message Block (SMB) protocol to communicate with the port is difficult unless an attacker is also running Win2K.

Microsoft's Windows XP operating system, the successor to Win2K, also uses port 445 but is hardened out of the box against the sorts of attacks utilized by Benign against Microsoft. For example, if an administrator chooses a blank password, Windows XP will disable network file sharing, according to Culp.

But the software, which shipped to PC manufacturers Friday, could prove to be a double-edged sword, giving malicious XP users a means to easily access the port on unprotected Win2K systems, according to Benign.

Benign said he discovered the unlocked back entrance to Win2K last spring after installing the operating system on his PC.
While sharing music and video files over the Internet with a friend, he was startled to find that he could log in as administrator on his pal's Win2K system without using a password.

Curious, he used a popular network tool to scan a section of Internet address space for other systems with port 445 unlocked. He says his scanner quickly spooled out a list of tens of thousands of Win2K systems with the port unblocked, and of those, thousands had no password set.

That so many Win2K machines on the Net lack basic password protection is no surprise to Steve Gibson, operator of Shields Up, a Web-based service which allows computer users to probe their systems for open ports. (Port 445 is currently not among those tested, but Gibson said he intends to add it soon.)

According to Gibson, users often don't set passwords because they wrongly assume that passwords only control local log-ons to their machine.

"In a single-user home or small office setting, where users don't perceive much danger of physical access by anyone else, passwords are seen as an unnecessary annoyance," said Gibson.

Benign claims he reported many exposed Win2K machines this summer to their owners, which included two large Web hosting firms as well as an Internet radio broadcaster. But there were still thousands of Win2K systems connected to DSL and cable modem lines that could be commandeered by unauthorized outsiders over port 445.

Thanks to a feature in Win2K known as anonymous enumeration, identifying powerful administrative accounts on an exposed system is easy, according to Benign. The capability, enabled by default, allows an unauthenticated remote user to obtain system information, including usernames and details, account policies, and share names.

With the benefit of 20/20 hindsight, Microsoft released a security tool last week that advises Win2K operators to disable anonymous enumeration through a system-registry tweak.
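The article describes three conditions that together made the intrusion possible: an SMB port (139 or 445) reachable from outside, anonymous enumeration left at its default, and administrative accounts with no password. The following PowerShell script is an added, defender-side example (not from the Newsbytes article, Microsoft, or Benign) that audits a single Windows host, locally and read-only, for those three conditions. It assumes the "system-registry tweak" the article mentions is the LSA RestrictAnonymous value and approximates "no password set" by the PASSWD_NOTREQD account flag; the article names neither, so both are assumptions.

```powershell
# Added example (not from the Newsbytes article): read-only local audit of the
# three exposures the article describes, run by an administrator on the host.
# Assumptions, since the article names none of these:
#   - the "system-registry tweak" is the LSA RestrictAnonymous DWORD
#     (HKLM\SYSTEM\CurrentControlSet\Control\Lsa): 0 = anonymous enumeration
#     allowed (Win2K default), 1 = partially restricted, 2 = fully restricted;
#   - "no password set" is approximated by the PASSWD_NOTREQD (0x20) bit in a
#     local account's UserFlags, which is what permits a blank password.

$PASSWD_NOTREQD = 0x20   # ADS_UF_PASSWD_NOTREQD bit in UserFlags

function Get-AnonymousEnumerationStatus {
    $lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    # A missing value behaves like 0: anonymous enumeration allowed.
    $value = if ($null -ne $lsa.RestrictAnonymous) { [int]$lsa.RestrictAnonymous } else { 0 }
    [pscustomobject]@{
        RestrictAnonymous = $value
        Exposed           = ($value -eq 0)
        PartiallyExposed  = ($value -eq 1)
    }
}

function Get-SmbListeningPorts {
    # netstat is parsed instead of newer cmdlets so this also runs on old hosts.
    # Matches "0.0.0.0:445" on Win2K and "[::]:445" on IPv6-enabled hosts.
    $lines = netstat -an | Select-String -Pattern '^\s*TCP\s+\S+:(139|445)\s+\S+\s+LISTENING'
    @($lines | ForEach-Object { [int]$_.Matches[0].Groups[1].Value } | Sort-Object -Unique)
}

function Get-LocalAccountsNotRequiringPassword {
    # ADSI WinNT provider: enumerate local user accounts and keep those whose
    # UserFlags allow an empty password.
    $computer = [ADSI]"WinNT://$env:COMPUTERNAME"
    $computer.Children |
        Where-Object { $_.SchemaClassName -eq 'user' } |
        Where-Object { ([int]$_.UserFlags.Value -band $PASSWD_NOTREQD) -ne 0 } |
        ForEach-Object { $_.Name }
}

function Invoke-SmbExposureAudit {
    $anon  = Get-AnonymousEnumerationStatus
    $ports = Get-SmbListeningPorts
    $weak  = @(Get-LocalAccountsNotRequiringPassword)

    [pscustomobject]@{
        RestrictAnonymous      = $anon.RestrictAnonymous
        AnonymousEnumExposed   = $anon.Exposed
        SmbListeningPorts      = $ports
        AccountsNoPasswordReqd = $weak
        # The article's scenario needs all three at once: a reachable SMB port,
        # enumerable accounts, and an account usable without a password.
        MatchesArticleScenario = ($anon.Exposed -and $ports.Count -gt 0 -and $weak.Count -gt 0)
    }
}

Invoke-SmbExposureAudit | Format-List
```

The script only reports; the remediation the article points to is to set RestrictAnonymous, give every administrative account a strong password, and block inbound 139 and 445 at the perimeter (and on the host where the sharing service is not needed). A listener on 445 is not by itself a finding on a business network, which is why the summary flag requires all three conditions together.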
In Microsoft's current view, the issue represents a severe security exposure.

On a whim earlier this month, Benign says he turned his scanner on Microsoft's network, beginning with Internet protocol addresses assigned to its main Web sites. The scan produced the two unprotected Win2K machines that provided his gateway into the corporation's intranet, he says.

Benign said Microsoft recently secured the systems he used to access the firm's internal network. But he has offered to meet with company officials in person to explain his mode of entry on their and other companies' Win2K systems. The firm has not responded to his invitation.

When Newsbytes contacted Microsoft for information about the intrusion, a company spokesman said, "Do you realize you are cavorting with a felon?"

But Benign insists that he has done nothing unethical. "Microsoft obviously needs to educate customers and its own internal users about the problem. The world wouldn't have known about it unless somebody checked."

Microsoft's information on Port 445 is at http://support.microsoft.com/support/kb/articles/Q204/2/79.ASP .

Neohapsis is at http://www.neohapsis.com .

Shields Up is at http://www.grc.com .

Dshield's statistics on port 445 probes are at http://www1.dshield.org/port_report.php?port=445 .

The SANS Institute's list of the top ten security threats is at http://www.sans.org/topten.htm .