The RedButton Announcement

April 18 1997
---------------------------------------------------------------------------

Announcement

NTsecurity.com (Midwestern Commerce, Inc.) has discovered a security flaw (the "RedButton Bug") in Microsoft Windows NT v3.5x and 4.0 that affects the majority of NT-based networks. NTsecurity.com has created a software utility called "RedButton" that demonstrates the risks associated with this security problem.

Description

Microsoft states explicitly (KB Article ID: Q103390), and the NT user community accepts, that in order to access resources on an NT computer a remote user must go through a logon process and either:

- present a valid User Name and Password, or
- log on as Guest, if the Guest account is enabled.

The Guest account presents a security threat and, according to Microsoft (KB Article ID: Q101232), should be disabled to enhance security. These threats are well documented.

There is also a misunderstanding in the NT user community about the role of the built-in Everyone group. Even though Microsoft does not state this explicitly (the opposite is not stated or documented either), there is a belief that Everyone is an identifier that includes only the legitimate users of a given computer or a given NT domain. This is not true. In fact, the Everyone group includes any user from anywhere. Everyone is everyone.

NTsecurity.com has discovered a flaw in Windows NT security that allows a user to log on remotely and obtain the same set of rights, and access to the same resources, as the Everyone group, regardless of whether the Guest account is disabled. In other words, anyone with network access to the target computer can log on remotely without presenting a User Name and Password.
Security Threat

To show the extent of the vulnerability, consider two of the most common exploits.

1. Any default installation of Windows NT Workstation (v3.51, 4.0) is vulnerable:
   - the flaw allows the creation of a new registry entry that describes a new drive share with access granted to Everyone;
   - a potential intruder can then wait for the system to reboot;
   - after the reboot the new share is published on the network to Everyone.
   By sharing the system drive, one can obtain a copy of the password database that rdisk /s writes to the %SYSTEMROOT%\Repair directory (the compressed SAM backup, sam._), and so on.

2. Any default installation of Windows NT Server or Workstation (v4.0) is vulnerable:
   - the flaw allows the creation of a new registry entry that references a Trojan horse program located on the intruder's computer, e.g. \\xxx.xxx.xxx.xxx\Share\Smth.exe;
   - the potential intruder can then wait for an interactive logon;
   - after a user logs on to the server, the Trojan horse program is executed.
   Obviously, the Trojan horse program can do almost anything if the logged-on user is an Administrator. If the logged-on user has only Guest or ordinary user privileges, the Trojan can still create a share (see above).

The RedButton

In order to expose the flaw and demonstrate these potential vulnerabilities, NTsecurity.com created a program called RedButton. When executed, RedButton exploits the flaw and does the following:

* logs on remotely to a target computer without presenting any User Name or Password;
* shows that unauthorized access can be obtained to sensitive information in the file system and registry that is available to the Everyone group;
* determines the current name of the built-in Administrator account (thus demonstrating that renaming it is useless against this attack);
* reads several registry entries (e.g. it displays the name of the Registered Owner);
* lists all shares, including the hidden ones;
* shows that the identifier Everyone includes not only the legitimate users of the network but everyone.
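Both exploits under Security Threat rest on the same precondition: a registry key that Everyone, and therefore an anonymous remote logon, is allowed to write, plus the share store that the Server service reads at boot. The following audit script is added here as an example; it is not part of the original page and is not NTsecurity.com's RedButton tool. It assumes Windows PowerShell 5.1 run as Administrator on the machine being checked, and it uses the standard LanmanServer\Shares key (where the Server service keeps share definitions and their stored security descriptors) and the per-machine Run key as the places an intruder would plant the share definition and the Trojan reference; the page names neither key, so those locations are an assumption.

```powershell
# Added audit script (not NTsecurity.com's code). Assumes Windows PowerShell 5.1 run as
# Administrator. Registry locations are assumptions: the page does not name the keys.
$EveryoneSid  = 'S-1-1-0'   # well-known SID: Everyone
$AnonymousSid = 'S-1-5-7'   # well-known SID: ANONYMOUS LOGON
$SharesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Shares'
$RunKey    = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'

function Get-AceSid($Ace) {
    # Compare by SID rather than display name so the check does not depend on UI language.
    try { $Ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value }
    catch { $Ace.IdentityReference.Value }
}

function Test-WorldWritableKey([string]$Path) {
    # True if Everyone or ANONYMOUS LOGON holds an Allow ACE that can add values or subkeys,
    # i.e. an anonymous remote user could plant a share definition or a Run entry here.
    $writeBits = [System.Security.AccessControl.RegistryRights]::SetValue -bor
                 [System.Security.AccessControl.RegistryRights]::CreateSubKey
    foreach ($ace in (Get-Acl -Path $Path).Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ((Get-AceSid $ace) -notin @($EveryoneSid, $AnonymousSid)) { continue }
        if (($ace.RegistryRights -band $writeBits) -ne 0) { return $true }
    }
    return $false
}

function Get-RegistryShares {
    # Shares the Server service will publish at the next boot, read from the registry rather
    # than from 'net share', so a definition planted for the next reboot is visible now.
    $shares   = Get-Item -Path $SharesKey
    $security = Get-Item -Path "$SharesKey\Security" -ErrorAction SilentlyContinue
    foreach ($name in $shares.GetValueNames()) {
        $fields = @{}
        foreach ($line in @($shares.GetValue($name))) {   # REG_MULTI_SZ of Key=Value lines
            $k, $v = $line -split '=', 2
            $fields[$k] = $v
        }
        $raw = if ($security) { $security.GetValue($name) } else { $null }
        if ($raw) {
            # The stored DACL is a self-relative security descriptor; list its ACEs by SID.
            $sd   = New-Object System.Security.AccessControl.RawSecurityDescriptor($raw, 0)
            $dacl = ($sd.DiscretionaryAcl | ForEach-Object {
                        "$($_.AceType):$($_.SecurityIdentifier.Value)" }) -join ' '
        } else {
            # No stored descriptor: the share uses the default share permissions, which on
            # NT 4 are Everyone: Full Control.
            $dacl = 'default'
        }
        [pscustomobject]@{
            Share          = $name
            Path           = $fields['Path']
            Dacl           = $dacl
            OpenToEveryone = ($dacl -eq 'default' -or $dacl -match "AccessAllowed:$EveryoneSid\b")
        }
    }
}

# Report: which of the two keys an anonymous user could write, and what will be shared.
foreach ($key in $SharesKey, $RunKey) {
    '{0}: writable by Everyone/Anonymous = {1}' -f $key, (Test-WorldWritableKey $key)
}
Get-RegistryShares | Format-Table -AutoSize
```

A share row whose Dacl column shows AccessAllowed:S-1-1-0, or 'default', is the kind of share exploit 1 creates; a Run key reported as writable is the precondition for exploit 2. The script checks only the local machine; to reproduce the remote, credential-less access the page describes you would run the same checks against a target's registry over the network, which this example does not do.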
RedButton is not an intruder's tool, and it does not increase any security risk or vulnerability. However, it demonstrates how a potential intruder can exploit an NT system. Additional information can be found in the RedButton Frequently Asked Questions.

Solution

The NT predefined group Everyone must be replaced, in all rights and permissions, with a new group (e.g. "Every User") that includes all of the network's legitimate groups and users. Permissions must be changed for all registry keys and for the file system, and propagated through the entire registry key and directory tree of all drives on all NT computers.

There is no 100% solution for the discovered security flaw at the moment; however, replacing Everyone will solve most of the problems. Obviously, the threat from Internet attacks can be stopped by firewalls and similar techniques, but LAN attacks, especially in large distributed organizations, will remain possible. Replacing Everyone protects the network effectively from both inside and outside, and must be done regardless of other security measures.

NTsecurity.com believes that the Windows NT Registry is the most vulnerable part of NT security, and has developed tools such as RegAdmin to properly handle the permissions of an NT registry. The risks presented by the RedButton bug can be minimized substantially by using this tool. The file system must be protected in the same way as the registry, by replacing the Everyone group.

Please send questions to ntsecurity@box.omna.com or contact MWC at 614-263-0662.

See Also
- RedButton Description
- Download RedButton
- RedButton Frequently Asked Questions
- Windows NT Security Issues: Practical recommendations for securing File System and Registry

This page will be updated.
---------------------------------------------------------------------------
NTsecurity.com(TM) is a network security division of Midwestern Commerce, Inc., 1601 West Fifth Avenue, Suite 207, Columbus OH 43212 USA. Tel 614-263-0662, Fax 614-263-0663. Copyright © 1993-97 MWC
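The replacement the Solution section calls for is mechanical once stated precisely: for every object in a registry hive or directory tree, each explicit ACE granted to Everyone (SID S-1-1-0) is rebuilt with identical rights, inheritance flags and allow/deny type for the replacement group, and the Everyone ACE is removed; inherited ACEs are left alone because they are re-derived from the parent that defines them. The function below is an added example of that procedure, not NTsecurity.com's RegAdmin tool. It assumes Windows PowerShell 5.1 run as Administrator. Its default replacement group, Authenticated Users, is an assumption standing in for the page's "Every User": that built-in group did not exist when the page was written (it was added in NT 4 Service Pack 3), so on an older system pass the group you created instead.

```powershell
# Added example implementing the "replace Everyone" recommendation. Not NTsecurity.com's
# RegAdmin. Assumes Windows PowerShell 5.1 run as Administrator; the default replacement
# group 'Authenticated Users' is an assumption (the page suggests creating "Every User").
function Replace-EveryoneAce {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)][string]$Root,       # e.g. 'HKLM:\SOFTWARE' or 'D:\Data'
        [string]$ReplacementGroup = 'Authenticated Users'  # assumed default, see lead-in
    )
    $everyoneSid = 'S-1-1-0'
    $newIdentity = New-Object System.Security.Principal.NTAccount($ReplacementGroup)
    # Fail early if the replacement group does not exist, not half-way through a tree.
    $null = $newIdentity.Translate([System.Security.Principal.SecurityIdentifier])

    # Parent first: rewriting the root's ACEs re-derives the inherited ACEs of every child,
    # which is how the change propagates through the whole key or directory tree.
    $targets = @(Get-Item -LiteralPath $Root) +
               @(Get-ChildItem -LiteralPath $Root -Recurse -Force -ErrorAction SilentlyContinue)
    foreach ($item in $targets) {
        $acl = Get-Acl -LiteralPath $item.PSPath -ErrorAction SilentlyContinue
        if (-not $acl) { continue }                     # no access to read this ACL; skip
        $changed = $false
        foreach ($ace in @($acl.Access)) {
            if ($ace.IsInherited) { continue }          # fixed at the parent that defines it
            $sid = try { $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value }
                   catch { $ace.IdentityReference.Value }
            if ($sid -ne $everyoneSid) { continue }
            # Build an identical ACE (rights, inheritance, propagation, allow/deny) for the new group.
            if ($acl -is [System.Security.AccessControl.RegistrySecurity]) {
                $replacement = New-Object System.Security.AccessControl.RegistryAccessRule(
                    $newIdentity, $ace.RegistryRights, $ace.InheritanceFlags,
                    $ace.PropagationFlags, $ace.AccessControlType)
            } else {
                $replacement = New-Object System.Security.AccessControl.FileSystemAccessRule(
                    $newIdentity, $ace.FileSystemRights, $ace.InheritanceFlags,
                    $ace.PropagationFlags, $ace.AccessControlType)
            }
            $acl.RemoveAccessRuleSpecific($ace)
            $acl.AddAccessRule($replacement)
            $changed = $true
        }
        if ($changed -and $PSCmdlet.ShouldProcess($item.PSPath, "replace Everyone with $ReplacementGroup")) {
            Set-Acl -LiteralPath $item.PSPath -AclObject $acl
        }
    }
}

# Preview with -WhatIf first, then run without it; repeat for each hive and each drive.
Replace-EveryoneAce -Root 'HKLM:\SOFTWARE' -WhatIf
Replace-EveryoneAce -Root 'D:\Data'       -WhatIf
```

Run it with -WhatIf and read the list before applying: Windows itself grants Everyone on some objects, and a blanket replacement can lock out system components that rely on those entries, so back up the registry (rdisk /s) and the ACLs before the real run. A separate point the page predates: from NT 4 Service Pack 3 onwards the anonymous logon itself can be restricted with the LSA RestrictAnonymous registry value, which cuts off the remote enumeration RedButton performs; the Everyone replacement still matters because anything that does connect anonymously is still a member of Everyone.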