Date: 7/16/99
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Contents
1 - Abstract
2 - Root
3 - TCP/IP
4 - Encryption
5 - Permissions
6 - Conclusion
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
1 - Abstract
As much as I like Win98, it is totally insecure. Programs in
the root directory can allow remote web access. This could
mean browsing your system files, possibly with read and
write permissions, uploading and downloading files, remotely
executing code, and whatever else you can think of. If your
system has important files on it then you could be in
trouble. The Access Controls in Win98 are misleading and can
allow an attacker to access your hard drive with read/write
permissions and no password. Also, there is no encryption
scheme between the network components, so basically anyone
can sniff your passwords and whatever else you type, and
improper permissions allow trojan horses to carry out
instructions with no restrictions. All of these security
issues have the potential of giving an attacker remote
administration over your Win98 system. The possibilities
that come with that are endless. This advisory goes over
several security problems in the Win98 operating system. I
think you’ll be interested in reading it. Have fun!
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
2 - Root
In Windows we have what is called the root directory. This
is C:\WINDOWS. Files in the root directory can carry out
system-wide processes that may be compromising to the
security of the system. Explorer.exe has been exploited in
past versions to allow remote access to Win95/98 over the
web. In fact any program in the root directory has the
potential of being exploited. Sometimes programs are written
without security in mind or maybe the programmers look over
parts of the code and don't realize there's a problem. There
could be a buffer overflow or a poorly written function that
allows remote browsing of databases. If you store medical or
other personal information like credit card numbers,
addresses, or company documents then this is obviously a
concern. Nobody wants to wake up one morning and see that
their fifteen-page paper that was supposed to be released
tomorrow has been downloaded by a teen hacker. Windows 98
fails to incorporate security necessary to prevent these
types of attacks. The only thing I can recommend at this
time is that you download a free commercial firewall that's
been released by a respectable company other than Microsoft.
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
3 - TCP/IP
Many of today's Windows '98 users want to share files with
other computers on their existing network. One of the
easiest ways to do this is using the TCP/IP protocol. All
the user has to do is go to Settings in the Start menu, then
Control Panel, and when Explorer opens up, click on the
Network icon. When the network config folder opens there
will be a list of what network components have been
installed. Just one click on TCP/IP and then Add.. File and
print sharing.. OK and it's done. What most people don't
realize when setting up shares is that people other than the
intended people can also access these shares, and without a
password. They assume that the password will be the same as
their Windows logon password. Well, they assumed wrong.
Windows '98 provides poor configuration for networks, which
leaves them susceptible to attack by anyone on the Internet
or on the network. For example, if I were on a network and
knew the IP address of the computer running shares, I would
open an MSDOS window and:

C:\>net use p: \\targetip\ipc$
The command completed successfully.

C:\>net view \\targetip
Shared resources at \\targetip

Share name   Type         Used as  Comment
-------------------------------------------------------------------------------
ADMIN$       Disk                  Remote Admin
C$           Disk                  C Drive
D$           Disk                  D Drive
IPC$         IPC                   Remote IPC
NETLOGON     Disk                  Logon server share
HPLaser4     Printer               HP LaserJet 4si
The command completed successfully.

Basically what I just did was create a null connection with
the IPC$ share and view what shares were on the network. Now
I can map to any of these shares like C$ and browse them
with read/write permissions. What this means is that I can
take a look at any file on the system. The access control
features of Windows 98 are poorly set up and make
misconfiguration of NetBIOS easy. To learn more about
NetBIOS check out The NT Wardoc by Rhino9.
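To audit a machine you administer, a share listing like the one
above can be checked mechanically. The script below is an added
example, not part of the original advisory; the host name
AUDITHOST, the function names and the sample text are constructed
for illustration.

```python
# Constructed sample; AUDITHOST is a placeholder for a host you administer.
SAMPLE = """\
Shared resources at \\\\AUDITHOST

Share name   Type         Used as  Comment
-------------------------------------------------------------------------------
ADMIN$       Disk                  Remote Admin
C$           Disk                  C Drive
D$           Disk                  D Drive
IPC$         IPC                   Remote IPC
NETLOGON     Disk                  Logon server share
HPLaser4     Printer               HP LaserJet 4si
The command completed successfully.
"""

def parse_net_view(text):
    """Parse `net view` output into one dict per share."""
    lines = text.splitlines()
    header = next((l for l in lines if l.startswith("Share name")), None)
    if header is None:
        raise ValueError("no 'Share name' header found")
    # The header words mark where each fixed-width column starts.
    starts = [0] + [header.index(w) for w in ("Type", "Used as", "Comment")]
    shares = []
    for line in lines[lines.index(header) + 1:]:
        if line.startswith("The command completed"):
            break
        if not line.strip() or set(line.strip()) == {"-"}:
            continue  # skip blank lines and the dashed rule
        cells = [line[a:b].strip() for a, b in zip(starts, starts[1:] + [None])]
        shares.append(dict(zip(("name", "type", "used_as", "comment"), cells)))
    return shares

def review(shares):
    """Return (share, reason) for every disk share the owner should check."""
    findings = []
    for s in shares:
        if s["type"] != "Disk":
            continue  # only disk shares expose files
        if s["name"].endswith("$"):
            reason = "name ends in $ (administrative-style): confirm it is intended"
        else:
            reason = "disk share: confirm a password is set and access is read-only"
        findings.append((s["name"], reason))
    return findings

if __name__ == "__main__":
    for name, reason in review(parse_net_view(SAMPLE)):
        print("%-10s %s" % (name, reason))
```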
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
4 - Encryption
You would think that the network components of Windows 98
would provide some sort of encryption between host and
client, but they don't. If you do in fact have a password
set on your shares, any attacker who is sniffing the network
can see you typing in your username and password in
cleartext. Win98 does nothing to prevent this.
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
5 - Permissions
In the Windows environment there are no permissions on
files by default. What someone might do with access to all
of the files that are a part of the Windows 98 operating
system is a real risk. They could also
download a program which may be a virus or a trojan horse
that executes instructions without any restrictions. This
can't be good for anyone. Your Windows 98 computer is at
risk of being compromised because Microsoft didn’t pay
attention and didn’t do a clean job.
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
6 - Conclusion
Although Win98 provides excellent point-and-click features,
it is far from secure. Since the update from Win
95 to Win 98 Microsoft has failed to improve the system as
far as security is concerned. There is absolutely no
protection at all. If that’s what you’re looking for in an
operating system Windows is not the way to go. Switch to
Unix or something. Basically that’s all you can do.
Microsoft continues to downplay the security concerns of
Windows 98 as I write this. I don’t think anyone’s addressed
all of these issues in one informative advisory before so I
decided to. I hope you’ve enjoyed this advisory! Keep tabs
on gH and me and KeyRoot.
Credits
Mnemonic and gH
www.pure-security.net
xkyller@hotmail.com
KeyRoot Information Security