[NT] Blank Administrator Password on OEM Windows XP Installation

The following security advisory is sent to the securiteam mailing list, and can 
be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html 

- - - - - - - - -



  Blank Administrator Password on OEM Windows XP Installation
------------------------------------------------------------------------


SUMMARY

DELL OEM XP Processional has a default hidden administrator account, with 
no password set. Use of this account will allow anyone with physical 
access to the computer to fully control the computer, add spyware, 
keystroke loggers, password stealing software and read all files, 
including temp files, local files, documents, and any email that has been 
stored locally.

DETAILS

Vulnerable Systems:
 * DELL Laptops with pre installed Microsoft Windows XP Professional SP2

Immune Systems:
 * DELL Laptops with Retail Microsoft Windows XP professional, RTM, SP1 
and SP2

A retail setup implementation of Microsoft Windows XP Professional 
Edition, "Out-of-Box Experience" (OOBE), requires that the installer be 
given the option to add an Administrator account. During the installation, 
the XP Installer states : "You must provide a name and an Administrator 
password for your computer. Setup creates a user account called 
Administrator. You use this account when you need full access to your 
computer." While setup will not require that a password actually be 
entered, it does stress that one SHOULD be entered. Additionally, the user 
is prompted to create a regular user account for general use.

In contrast, the DELL setup implementation of Microsoft Windows XP 
Professional Edition does not include such steps. The existence of an 
administrator account is never mentioned. Instead, the setup asks: "Who 
will use this computer? Type the name of each person who will use this 
computer. Windows will create a separate user account for each person so 
you can personalize the way you want Windows to organize and display 
information, protect your files and computer settings, and customize the 
desktop. These names will appear on the Welcome screen in alphabetical 
order. When you start Windows, simply click your name on the Welcome 
screen to begin. If you want to set passwords and limit permissions for 
each user, or add more user accounts after you finish setting up Windows, 
just click CONTROL PANEL in the START menu, and then click USER ACCOUNTS." 
By default, none of the accounts added in this step have passwords. Nor is 
their an option to set passwords during the install. While this is not 
unique to the IBM install, it is a known weakness in the Windows XP OOBE, 
including retail and OEM versions. Because the Administrator account was 
never requested, this leaves the system in a very vulnerable state.

CVE Information:
 <http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-0504> 
CAN-1999-0504


ADDITIONAL INFORMATION

The information has been provided by  <mailto:scheidell@xxxxxxxxxx> 
Michael Scheidell.



======================================== 


This bulletin is sent to members of the SecuriTeam mailing list. 
To unsubscribe from the list, send mail with an empty subject line and body to: 
list-unsubscribe@xxxxxxxxxxxxxx 
In order to subscribe to the mailing list, simply forward this email to: 
list-subscribe@xxxxxxxxxxxxxx 


==================== 
==================== 

DISCLAIMER: 
The information in this bulletin is provided "AS IS" without warranty of any 
kind. 
In no event shall we be liable for any damages whatsoever including direct, 
indirect, incidental, consequential, loss of business profits or special 
damages.