AUSCERT External Security Bulletin Redistribution
        ESB-97.043 -- CIAC H-45 Windows NT SAM permission Vulnerability
                              11 April 1997


CIAC has released the following advisory concerning a security
vulnerability with the default file permissions on some Registry files
and Administrator account rights under Windows NT. This vulnerability may
allow remote users to gain administrator privileges.

The following security bulletin is provided as a service to AUSCERT's
members.  As AUSCERT did not write this document, AUSCERT has had no
control over its content.  As such, the decision to use any or all of this
information is the responsibility of each user or organisation, and should
be done so in accordance with site policies and procedures.

Contact information for CIAC is included in the Security Bulletin below.
If you have any questions or need further information, please contact them

If you believe that your system has been compromised, contact AUSCERT or your
representative in FIRST (Forum of Incident Response and Security Teams).

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 4477
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
	AUSCERT personnel answer during Queensland business hours
	which are GMT+10:00 (AEST).
	On call after hours for emergencies.

- --------------------------BEGIN INCLUDED TEXT--------------------



                       The U.S. Department of Energy
                    Computer Incident Advisory Capability
                           ___  __ __    _     ___
                          /       |     /_   /
                          \___  __|__  /     \___

                             INFORMATION BULLETIN

                    Windows NT SAM permission Vulnerability

April 9, 1997 14:00 GMT                                            Number H-45
PROBLEM:       Windows NT default file permissions on some Registry files and
               Administrator account rights create a vulnerability.
PLATFORM:      Windows NT (all versions up through 4.0)
DAMAGE:        Exploitation may allow remote users to gain Administrator
SOLUTION:      Follow the guidelines outlined below. Maintain as a standard
               security policy.
VULNERABILITY  Exploit instructions and code are publicly available.


Windows NT stores user information in the Security accounts Manager (SAM)
database.  Specifically, encrypted passwords are stored in the SAM._ file
of the NT Registry, in the systemroot directory (The NT Resgistry is a
database of information replacing the .ini files used in the Windows 3.X
environment).  Passwords are encrypted by a two part process when stored in
the NT registry.  First, passwords are hashed using the RSA MD4 scheme,
then they are further obfuscated using DES encryption.  Typically, access
to the NT Registry is limited to the Administrator account.  However, a
back-up copy of the SAM._ file is normally created whenever the Emergency
Repair Disk is updated and is stored in %systemroot%
epairSAM._.  The
group "Everyone" has Read permission by default on this back-up copy of
SAM._.  As a result, "Everyone" has the potential to obtain or copy the
encrypted password file.

A utility which unscrambles the obfuscation scheme, revealing the MD4
hashed password, has been released on the Internet.  The resulting RSA MD4
hashed password, along with a valid user-id, can be used to log in to an
account, without the plain-text password.  If the hashed password is
deliberately placed on another machine, the information could provide a
valid value to be used in the challenge-response authentication used with
the original NT resource where the hashed information came from.  In short,
an intruder could use the information remotely to gain unauthorized access
to the NT resource.

A second possibility is that the clear-text password could be determined if
the hashed passwords are run through a password cracker. Along with a valid
user-id, an intruder could gain unauthroized access.

Configuration and Usage Guidelines

Although this vulnerability presents a serious threat, appropriate security
policy regarding configuration of NT workstations can mitigate this type of
attack.  CIAC recommends the following five configuration controls:

1.  Disallow Remote Administrator capabilities

Configure the Administrator and Administrator Group accounts so that access
from the network is disallowed, allowing only direct console access for
Administrators. This can be accomplished through the User Manager, Policies
menu selection.  This eliminates attempts to remotely log in as the
Administrator.  Physical access to the server console would be necessary to
conduct any administrative functions.  In addition, users should work with
the least privileges necessary to accomplish their work.  Administrators
should not use Administrator accounts for non-administrative work.

2.  Rename the Administrator account

The Administrator account should be renamed to something other than
Administrator to deter the casual "outsider" looking for generically named
accounts to compromise.

3.  Change the permissions on WINNT/repair/SAM._

The default permissions allow Full Control for Administrator and SYSTEM,
Read for Everyone, and Change for Power Users.  The permissions should be
set so that no users or groups, including Administrator, have any rights to
this file.  The Administrator still has the authority to change these
rights if access is required to the file.  If the Emergency Repair Disk
needs to be updated, the Administrator can temporarily change the
permissions to change the file.  When the Emergency Repair Disk is
completed, the Administrator should change the permissions back to no rights.

4.  Audit Administrator account activities and Registry changes

Auditing will enable detection if a potential intruder is launching this
attack.  Since this attack requires the Administrator account privileges,
the intruder will most likely try to log in as Administrator.  Therefore,
the "logon and logoff" failure should be enabled for the Administrator
account. In addition,  auditing should be enabled for any changes in
permissions or modifications to the SAM.  An alert can be set to notify the
Administrator if and when any of these events occur.

5.  Choose passwords at least 8 characters long that cannot be
    found in any dictionary

As with any operating system, passwords are a common target.  This attack
partially unscrambles the encrypted password, then attempts to obtain a
clear-text password through a dictionary password cracking utility.  To
prevent this from succeeding, passwords should be a combination of letters,
numbers and characters, at least 8 characters long and "nonsensical".  A
good password is especially important on the Administrator account.  Since
the Administrator account cannot be locked out, a potential intruder can
guess passwords, or run a password cracking utility.  A good method for
choosing passwords is to develop a phrase and take the first letter of each
word.  For example, "Security is 4 the good of all !" could result in the
password, "S i 4 t g o a !".

Through limiting the Administrator account and privileges granted to other
user accounts, as well as enabling the described auditing, the
administrator can mitigate this attack.

CIAC, the Computer Incident Advisory Capability, is the computer
security incident response team for the U.S. Department of Energy
(DOE) and the emergency backup response team for the National
Institutes of Health (NIH). CIAC is located at the Lawrence Livermore
National Laboratory in Livermore, California. CIAC is also a founding
member of FIRST, the Forum of Incident Response and Security Teams, a
global organization established to foster cooperation and coordination
among computer security teams worldwide.

CIAC services are available to DOE, DOE contractors, and the NIH. CIAC
can be contacted at:
    Voice:    +1 510-422-8193
    FAX:      +1 510-423-8002
    STU-III:  +1 510-423-2604
    E-mail:   ciac@llnl.gov

For emergencies and off-hour assistance, DOE, DOE contractor sites,
and the NIH may contact CIAC 24-hours a day. During off hours (5PM -
8AM PST), call the CIAC voice number 510-422-8193 and leave a message,
or call 800-759-7243 (800-SKY-PAGE) to send a Sky Page. CIAC has two
Sky Page PIN numbers, the primary PIN number, 8550070, is for the CIAC
duty person, and the secondary PIN number, 8550074 is for the CIAC
Project Leader.

Previous CIAC notices, anti-virus software, and other information are
available from the CIAC Computer Security Archive.

   World Wide Web:      http://ciac.llnl.gov/
   Anonymous FTP:       ciac.llnl.gov (
   Modem access:        +1 (510) 423-4753 (28.8K baud)
                        +1 (510) 423-3331 (28.8K baud)

CIAC has several self-subscribing mailing lists for electronic
1. CIAC-BULLETIN for Advisories, highest priority - time critical
   information and Bulletins, important computer security information;
2. CIAC-NOTES for Notes, a collection of computer security articles;
3. SPI-ANNOUNCE for official news about Security Profile Inspector
   (SPI) software updates, new features, distribution and
4. SPI-NOTES, for discussion of problems and solutions regarding the
   use of SPI products.

Our mailing lists are managed by a public domain software package
called ListProcessor, which ignores E-mail header subject lines. To
subscribe (add yourself) to one of our mailing lists, send the
following request as the E-mail message body, substituting
valid information for LastName FirstName and PhoneNumber when sending

E-mail to       ciac-listproc@llnl.gov:
        subscribe list-name LastName, FirstName PhoneNumber
  e.g., subscribe ciac-notes OHara, Scarlett W. 404-555-1212 x36

You will receive an acknowledgment containing address, initial PIN,
and information on how to change either of them, cancel your
subscription, or get help.

PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing
communities receive CIAC bulletins.  If you are not part of these
communities, please contact your agency's response team to report
incidents. Your agency's team will coordinate with CIAC. The Forum of
Incident Response and Security Teams (FIRST) is a world-wide
organization. A list of FIRST member organizations and their
constituencies can be obtained via WWW at http://www.first.org/.

This document was prepared as an account of work sponsored by an
agency of the United States Government. Neither the United States
Government nor the University of California nor any of their
employees, makes any warranty, express or implied, or assumes any
legal liability or responsibility for the accuracy, completeness, or
usefulness of any information, apparatus, product, or process
disclosed, or represents that its use would not infringe privately
owned rights. Reference herein to any specific commercial products,
process, or service by trade name, trademark, manufacturer, or
otherwise, does not necessarily constitute or imply its endorsement,
recommendation or favoring by the United States Government or the
University of California. The views and opinions of authors expressed
herein do not necessarily state or reflect those of the United States
Government or the University of California, and shall not be used for
advertising or product endorsement purposes.

LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)

H-34: Vulnerability in innd
H-35: HP-UX vgdisplay command Vulnerability
H-36: Solaris 2.x CDE sdtcm_convert Vulnerability
H-37: Solaris 2.x passwd buffer Overrun Vulnerability
H-38A: Internet Explorer 3.x Vulnerabilities
H-39: SGI IRIX fsdump Vulnerability
H-40: DIGITAL Security Vulnerabilities (DoP, delta-time)
H-41: Solaris 2.x eject Buffer Overrun Vulnerability
H-42: HP MPE/iX with ICMP Echo Request (ping) Vulnerability
H-44: Solaris 2.x fdformat Buffer Overflow Vulnerability

Version: 2.6.1
Comment: Processed by Mailcrypt 3.3, an Emacs/PGP interface

- --------------------------END INCLUDED TEXT--------------------

Version: 2.6.3i
Charset: noconv
Comment: ftp://ftp.auscert.org.au/pub/auscert/AUSCERT_PGP.key