SnapStream Forums

#1
Old 09-17-2004, 11:12 AM
Registered User
 
Join Date: Mar 2003
Location: NoCal
Posts: 280
WXPSP2 Security Issue

http://www.pcwelt.de/know-how/extras/103039/

Serious security issue in Windows XP SP2 and recommended fix (use Google to translate the German).
#2
Old 09-17-2004, 12:19 PM
DonK
Just another Bloke
 
Join Date: Sep 2002
Location: USA
Posts: 1,825
Re: WXPSP2 Security Issue

Here's the article quoted, and my response to it:
Quote:
"Windows XP Service Pack 2 with Advanced Security Technologies helps you protect your PC against viruses, hackers, and worms." - this is how Microsoft promotes its Service Pack 2 on its website. What the company does not say: Instead of viruses, worms, and hackers, the supposedly safe SP2 for Windows XP invites any Internet user to have a look around your PC.

As soon as you install SP2 on a Windows XP PC with a certain configuration, your file and printer sharing data are visible worldwide, despite an activated Firewall. This also applies to all other services. The PC only has to provide sharing for an internal local network and connect to the Internet via dial-up or ISDN. Users of DSL services are also affected, if a firewall is not integrated into the DSL modem or a common modem instead of a DSL router is used. Additionally, Internet Connection Sharing of the PC has to be disabled.

A number of test scans run by PC-Welt revealed that this in fact is a common configuration and not a rare sight. Without great effort, we were able to discover private documents on easily accessible computers on the Internet. It must be assumed that these users wrongly believe they are safe and that their sharing configurations are only visible in their network at home: often, we did not even encounter password protection.
sigh.... The first three paragraphs try to build it up like there's a huge hole within SP2, when there are big holes in their accusation to begin with.

1) The firewall *does* work. By default on the firewall, it blocks file and printer sharing PERIOD. If it's enabled, I have found that it is STILL hard to get to file and printer shares on a machine that is even on my local LAN, vs a dialup? pffft... Also, if you have the file and printer sharing enabled on your dialup connection, you're just ASKING to get hacked anyways. The firewall works.

2) They didn't bother spelling out exactly what this "certain configuration" was. I honestly don't believe that MS is full of total morons that they would let such an OBVIOUS hole loose without protecting it... The firewall does prevent file and printer sharing on a default dialup.

Quote:
Already Windows 95 affected by a similar problem

Experienced Windows users may remember that there was a similar problem in the past, specifically with Windows 95. Back then, Microsoft forgot to separate file and printer sharing from the dial-up network adapter when such a connection was configured.

In other words, this caused the service to be released worldwide through the dial-up connection as soon as you were connected to the Internet. Microsoft at that time issued an update to patch the bug. The fact that file and printer sharing since then is not connected to the dial-up connection anymore, can easily be seen on your system: Right-click on the symbol "My Network Places" and select "Properties". Repeat the right-click and selection with the icon of your dial-up connection and select the tab "Settings". If there is no check at "File and Printer Sharing", it indicates that this service should not be made available through your dial-up connection.
DUH! This was ten years ago! And on a separate operating system! Apples to Oranges here.... Plus, they proved my point: By default, file and printer sharing is not enabled on dialup.

Quote:
This in fact is true for Windows XP without Service Pack. Since SP1, this configuration is hardly more than cosmetics and does not serve any purpose anymore. This means, the file and printer sharing service is connected in general, also to the dial-up network adapter. This in itself is a serious bug, since your shared data potentially could be seen on the Internet. However, there are no catastrophic effects, as every dial-up connection is configured with an activated firewall by default.

If you intended to deactivate this firewall, Windows displayed an easily recognizable dialog warning that this choice would allow access to your computer. Despite the bug in SP1, the configuration of the firewall was worked out in a clean way: you were able to run the dial-up connection with a firewall and the internal network card without, because the latter was supposed to enable access through the Windows network.

SP1 + SP2 leads to a catastrophic error

Due to the bug carried over from SP1 as well as a new bug, the firewall configuration with SP2 has a catastrophic effect. The SP2 installation simply uses the previous configuration of the firewall: If it was active for the dial-up connection, now it also has been activated for the network adapter.

At the same time, an exception is determined for file and printer sharing: For the internal network card - and astonishingly also for all adapters.

With the first use of the dial-up connection after installing SP2, all of your shared data are available on the Internet. Now, other users can start guessing your passwords for administrator and guest and you basically are no more secure than the first Windows 95 users with an Internet connection - thanks to Service Pack 2.
FALSE. This couldn't be more incorrect. First off... when you're using ICS you're still doing one thing: bridging/routing internet traffic to the local network through two adapters. You still have to "attack" your target from the outside interface! The outside adapter doesn't have file and printer sharing enabled, so NO IT WILL NOT be vulnerable to be browsed, EVEN with the firewall OFF. This is pure FUD!

Quote:
How to correct the problem

It is not advisable to keep this defective default configuration. However, the previous environment cannot be restored: The configuration for the firewall was changed, which does not allow the setting of active or inactive conditions or exceptions for each network adapter anymore. Now this only works for network areas.

Choose "Windows Firewall" in the Windows Control Panel and there the tab "Exceptions". Select "File and Print Services" and click on "Edit". Now you can see four ports which are used by the file and print sharing service.

To lock the service to the outside and keep it open for the internal LAN, you have to individually select and change its area with the respective button. Our reader Yves Jerschov notified us of another bug: The value for the area set by default "Only for own network (Subnet)" only works, if the Internet Connection Sharing is activated. If this is not the case, your shared data are visible worldwide. This error can be corrected by choosing "User defined List" and entering the IP addresses that are supposed to have access - the IP addresses of your LAN. A whole range of an IP area can be entered as "192.168.x.0/255.255.255.0", if the respective addresses start with 192.168.x.

After these measures, you can be sure to be as safe as you were with SP1. Great, don't you think?
WRONG! Wrong wrong wrong. They're looking at this the wrong way, and revealing their true misunderstanding of how networks, Windows itself, and firewalls really work. If this were really true, then you'd be hearing about this from more than just one site. The computer's firewall doesn't care what network you're on when it's enabled; its only purpose at this point is to keep others from connecting to the machine's local interfaces!

It's akin to the old US liquor prohibition "speakeasy" days. You'd go to a door and knock, they'd slide that little peep door open, see who's out there and decide who to let in. Same thing with a firewall: it has a door, and anything that doesn't come in with the right permissions/ports is an enemy and shouldn't be let in. When you use ICS, you're still setting up that speakeasy door at the outer perimeter (your internet connection)!! Why do you think you have to enable the firewall per interface? Because each interface is like a different door into the speakeasy!

Also, the Guest account on an XP SP2 machine is DISABLED BY DEFAULT on installation! HELLO!

To me, this is FUD. FUD FUD FUD. Their "security issue" really isn't an issue at all to most technical people (or people with even a clue), but more of an educational issue about a potential security issue which is an all too common misconfiguration.

This article is not entirely correct, because most users with a decent knowledge of Windows in general know that dial-up connections by default shouldn't have file and printer sharing enabled. The built-in firewall *does* stop it on the dial-up adapter as well as the LAN. Also, if Client for Microsoft Networks is disabled, that also prevents file and printer sharing from working properly over the dial-up adapter. Plus, they didn't document how they did it well enough to reproduce the "problem", and their results are questionable because their "scans" of machines on the internet were not even backed up with proof: screenshots, printouts, something to make it more legitimate than a script kiddie with a portscanner finding open sharing done by people without firewalls.

If you're on the internet using a broadband connection without going through a firewall device of some sort (read: cheap and accessible routers that cost less than 50 dollars now in a lot of cases) then you're just asking for things like RPC exploits and other "Blaster" type attacks. Dialup also has sharing routers, they've been around for years. The big security hole here is the user, not the OS.

You shouldn't even have a reason to have either service enabled on the dialup adapter unless you're going to be dialing into somewhere that requires it, and that's usually when you're dialing into a private/corporate network, not the Internet. All that dialup normally needs to work for most users is TCP/IP bound to an adapter.

Microsoft is not THAT stupid to let a "hole" like this out.
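The reproducible check the article does not document, as an added example that is not part of DonK's post or the thread: a small Python probe that tests, from an outside vantage point, whether the TCP ports behind Windows file and printer sharing (139 for NetBIOS session service, 445 for direct-hosted SMB) accept a connection on a given host. Run it from another machine on the Internet against your own dial-up or DSL address; a timeout on both ports is what a working firewall looks like. The target host, the timeout and the command-line usage are assumptions of this example.

```python
import socket
from typing import Dict, Sequence

# TCP ports behind the "File and Printer Sharing" exception. The UDP ports
# (137/138) are left out on purpose: a UDP probe with no reply cannot tell
# "filtered" from "open", so only the TCP ports give an unambiguous answer
# from outside.
FILE_AND_PRINT_TCP_PORTS = (139, 445)


def tcp_port_open(host: str, port: int, timeout: float = 3.0) -> bool:
    """Return True only if a full TCP handshake to host:port completes.

    A connection refused (RST) and a timeout both count as "not reachable".
    The Windows Firewall drops unsolicited packets silently, so a timeout is
    the normal symptom of a correctly configured firewall, not an error.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except (ConnectionRefusedError, socket.timeout, OSError):
        return False


def probe_sharing_ports(host: str,
                        ports: Sequence[int] = FILE_AND_PRINT_TCP_PORTS,
                        timeout: float = 3.0) -> Dict[int, bool]:
    """Probe each sharing port on host from this machine's vantage point."""
    return {port: tcp_port_open(host, port, timeout) for port in ports}


def exposed(results: Dict[int, bool]) -> bool:
    """True if any sharing port accepted a connection."""
    return any(results.values())


if __name__ == "__main__":
    import sys
    # Assumed usage: python probe.py <public address of the machine to check>
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    results = probe_sharing_ports(target)
    for port, is_open in sorted(results.items()):
        print(f"{target}:{port} {'OPEN' if is_open else 'closed/filtered'}")
    print("file and printer sharing reachable from here" if exposed(results)
          else "file and printer sharing not reachable from here")
```

Probe from the outside, not from the LAN: a result taken on the same subnet says nothing about what a dial-up peer can reach, which is exactly the distinction the thread is arguing about.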
#3
Old 09-17-2004, 04:44 PM
Registered User
 
Join Date: Mar 2003
Location: NoCal
Posts: 280
Re: WXPSP2 Security Issue

RE: "1) The firewall *does* work. By default on the firewall, it blocks file and printer sharing PERIOD. If it's enabled, I have found that it is STILL hard to get to file and printer shares on a machine that is even on my local LAN, vs a dialup? pffft... Also, if you have the file and printer sharing enabled on your dialup connection, you're just ASKING to get hacked anyways. The firewall works."

I agree w/ you - Windows FW works... I think the German tech community likes to bash MS every chance they get. But I still don't understand why file and print sharing is enabled by default. I just disabled it. Even if enabled, you think the SP2 firewall still blocks?
#4
Old 09-17-2004, 05:22 PM
DonK
Just another Bloke
 
Join Date: Sep 2002
Location: USA
Posts: 1,825
Re: WXPSP2 Security Issue

It does. You have to go in and set the exception for file and printer sharing, that's why I was saying it's hard to get to a box with it on. I just installed a small VIA Mini-ITX system and tried to get to it with the firewall turned on; it wouldn't even let me get to the shares when I set the file and printer sharing exception on.

I stand by my statement that Microsoft would not have let such a big glaring hole out... that's just insipidly stupid.

Here's the thing... their article (translated by google is kind of funny... "Windows service luggage 2") is relying on the fact that you'd have file and printer sharing enabled on the interface. They're also assuming without proof that even though it's not enabled on your dialup adapter, that it's still accessible through the dialup connection.

This is laughable, then what's the point of removing File and Printer Sharing from the dialup adapter?

Here's the rub:
With SP2 they divorced the firewall from individual connections, and made it "global" for networking in general. What they DID do was (as outlined in the original article) allow for telling the firewall what exceptions you can set, and further into the settings they made it where you can configure the *scope* that this firewall applies to. So, they made it where it looks at the IP and determines a course of action instead of protecting each interface as its own firewall.

Now... on to the part that is potentially scary:
A user could enable file and printer sharing on their system to be allowed through the firewall.
A user could also enable file and printer sharing on their dialup adapter.
A user could then be vulnerable to be browsed, but the above has to be satisfied, BOTH CONDITIONS.

Could this be done? Sure. They have to be intentionally set!
So... here's the way I see it: Microsoft could have made it much more confusing to the average joe user and had it pop up the service ranges every time you enable an interface to allow a new port range or protocol option, or service like File and Printer Sharing, to ask them: "Do you want this interface to be visible on your dialup?" If so then they'd answer yes. The thing is, this is all conscious effort stuff.

Their claims of finding data on the internet easily puts them in the range of black hat hackers who are no more than electronic burglars! Plus, they still did not convince me in the article that they were indeed attacking boxes that satisfied this set of conditions!

There are a LOT of users on the net with broadband connections, but they usually are going through an ETHERNET connection, not dialup, although there seem to be a lot of DSL users that do. Even then, by default, file and printer sharing is not enabled on the dialup adapter, and they are using that interface to access their DSL, so is this condition satisfied or not? The answer would obviously be "No, they are not vulnerable, because the internet is coming through a connection that does not have the facility to do file and printer sharing, it's been removed from the connection or disabled."

Again, this is NOT a security hole, it's simply a misconfiguration if this set of circumstances occur!

I've attached a pic of the scope change screen. You get to it by going to the Windows Firewall, select the Exceptions tab on top, then select file and printer sharing, and hit the Edit button below it.

Here's the key: YOU HAVE TO ENABLE IT. It's not on by default. They gloss over the part that says during the upgrade to SP2 it imports your old settings and then applies them. So again we go back to the key statement: You have to enable it. It's not simply "wide open" to the world the moment you install SP2. Yeah I'm sick of people posting this sort of irresponsible journalism... they didn't really outline the real scenario properly, and when they did, it was glossed over with a sensationalist attitude. At worst this is really nothing more than an educational issue.
Attached Images: [scope change screen of the File and Printer Sharing exception; image not preserved]
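An added example, not from the thread and not Microsoft's code, that models the three scope choices DonK's scope-change screen offers for the SP2 "File and Printer Sharing" exception (any computer, my network (subnet) only, custom list) and prints the command-line equivalent of the custom-list fix the article describes, using the `netsh firewall set service` syntax of the XP SP2 `netsh firewall` context. The adapter addresses, the point-to-point netmask on the dial-up adapter and the probe addresses are constructed for the example. The model expresses the documented meaning of each scope; it does not reproduce or confirm the subnet-scope bug the article's reader reported.

```python
import ipaddress
from typing import Dict, List, Sequence, Tuple

# The four ports behind the "File and Printer Sharing" exception, as listed
# in the Windows Firewall Exceptions -> Edit dialog on XP SP2.
FILE_AND_PRINT_PORTS = (("UDP", 137), ("UDP", 138), ("TCP", 139), ("TCP", 445))

# The three scope choices offered by that dialog.
SCOPE_ANY = "any"        # any computer, including those on the Internet
SCOPE_SUBNET = "subnet"  # my network (subnet) only
SCOPE_CUSTOM = "custom"  # custom list of addresses and ranges

# (adapter name, IPv4 address, netmask) of one configured network adapter.
Interface = Tuple[str, str, str]


def local_subnets(interfaces: Sequence[Interface]) -> List[ipaddress.IPv4Network]:
    """Networks the machine counts as "its own subnet", one per adapter.

    strict=False lets the adapter's host address stand in for the network
    address. A dial-up (PPP) adapter normally carries a /32 mask, so its
    "subnet" is just its own address (an assumption of this model).
    """
    return [ipaddress.ip_network(f"{ip}/{mask}", strict=False)
            for _name, ip, mask in interfaces]


def parse_custom_list(entries: Sequence[str]) -> List[ipaddress.IPv4Network]:
    """Parse entries in the dialog's form: "192.168.1.0/255.255.255.0" or "10.0.0.5"."""
    return [ipaddress.ip_network(entry, strict=False) for entry in entries]


def scope_allows(src: str, scope: str, interfaces: Sequence[Interface],
                 custom: Sequence[str] = ()) -> bool:
    """Would a packet from src be let through to a sharing port under this scope?

    Models the documented meaning of each scope only; it is not Windows'
    own implementation.
    """
    source = ipaddress.ip_address(src)
    if scope == SCOPE_ANY:
        return True
    if scope == SCOPE_SUBNET:
        return any(source in net for net in local_subnets(interfaces))
    if scope == SCOPE_CUSTOM:
        return any(source in net for net in parse_custom_list(custom))
    raise ValueError(f"unknown scope {scope!r}")


def exposure_report(scope: str, interfaces: Sequence[Interface],
                    custom: Sequence[str], sources: Sequence[str]) -> Dict[str, bool]:
    """Which of the given source addresses reach the sharing ports under scope."""
    return {src: scope_allows(src, scope, interfaces, custom) for src in sources}


def netsh_fix_command(custom: Sequence[str]) -> str:
    """Command-line form of: Exceptions -> File and Printer Sharing -> Edit -> custom list.

    XP SP2 `netsh firewall` syntax; addresses take the same address/netmask
    form the dialog accepts, comma-separated.
    """
    return ("netsh firewall set service type=FILEANDPRINT mode=ENABLE "
            "scope=CUSTOM addresses=" + ",".join(custom))


if __name__ == "__main__":
    # Constructed setup: a LAN adapter and a dial-up adapter with a public address.
    adapters = [("Local Area Connection", "192.168.1.10", "255.255.255.0"),
                ("Dial-up", "203.0.113.45", "255.255.255.255")]
    lan_only = ["192.168.1.0/255.255.255.0"]
    probes = ["192.168.1.20", "198.51.100.7"]  # a LAN neighbour, an Internet host
    for scope in (SCOPE_ANY, SCOPE_SUBNET, SCOPE_CUSTOM):
        print(scope, exposure_report(scope, adapters, lan_only, probes))
    print(netsh_fix_command(lan_only))
```

The design point the article's fix rests on is visible in the model: the custom list is evaluated against addresses you wrote down, so it does not depend on how the firewall derives a "subnet" from each adapter's mask, whereas the subnet scope does. Whatever one thinks of the article's claim, an explicit LAN range is the setting whose behaviour you can predict.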