Yet another “how to change the administrator password in Windows” hoax is in the wild.
A recent posting on internetbusinessdaily.net shows a way to get cmd.exe to run instead of the default screen saver, so that you can then issue the net user command to change the administrator password.
This approach is just as flawed as the previous bogus security claims. This only works if you already have administrative privileges, so there is no need to actually do the whole copy routine outlined in the post. Just issue the net user command directly, and you’re done.
Of course, you are only protected if your system uses the NTFS filesystem, as FAT32 doesn’t give you any file level security at all.
Can we now stop with the bogus claims? If you have administrator access, you can change the administrator’s password. Gee, there’s a surprise…
November 3, 2006 at 1:53pm | 5 Comments
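The post above rests on two preconditions: file-level ACLs exist only on NTFS, and replacing system files requires administrative rights. The following PowerShell audit is an added example, not part of the original post; the trusted-SID list and the choice to audit the System32 directory and its `*.scr` files are assumptions made for illustration.

```powershell
# Added example: audit who can modify the system directory and its screen savers.
# Principals expected to hold write access to system files (assumed baseline).
$TrustedSids = @(
    'S-1-5-18',      # LocalSystem
    'S-1-5-32-544',  # BUILTIN\Administrators
    'S-1-3-0',       # CREATOR OWNER (inherit-only placeholder)
    'S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464'  # TrustedInstaller
)

# Write-type rights, plus GENERIC_WRITE and GENERIC_ALL, which can appear on directory ACEs.
$WriteRights = 'WriteData, AppendData, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
$WriteMask = [int][System.Security.AccessControl.FileSystemRights]$WriteRights -bor 0x40000000 -bor 0x10000000

function Get-NonAdminWriteAce {
    param([Parameter(Mandatory = $true)][string]$Path)
    $acl = Get-Acl -Path $Path
    # Ask for SIDs rather than account names so the check is locale independent.
    $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
    foreach ($ace in $rules) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($TrustedSids -contains $ace.IdentityReference.Value) { continue }
        if (([int]$ace.FileSystemRights -band $WriteMask) -eq 0) { continue }
        New-Object PSObject -Property @{
            Path = $Path; Sid = $ace.IdentityReference.Value; Rights = $ace.FileSystemRights
        }
    }
}

# 1. Without NTFS there are no ACLs to audit at all.
$drive = New-Object System.IO.DriveInfo ($env:SystemDrive.Substring(0, 1))
"System volume file system: $($drive.DriveFormat)"
if ($drive.DriveFormat -ne 'NTFS') {
    'No file-level security on this volume: any local user can replace system files.'
}

# 2. Does the current token already carry administrator rights?
$identity = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object System.Security.Principal.WindowsPrincipal $identity
"Current token has administrator rights: $($principal.IsInRole([System.Security.Principal.WindowsBuiltInRole]::Administrator))"

# 3. Report write-capable ACEs held by anyone outside the trusted list.
$sys32 = Join-Path $env:SystemRoot 'System32'
$targets = @($sys32) + @(Get-ChildItem -Path $sys32 -Filter '*.scr' | ForEach-Object { $_.FullName })
$findings = @($targets | ForEach-Object { Get-NonAdminWriteAce -Path $_ })
if ($findings.Count -eq 0) {
    'Only trusted principals can modify the audited paths.'
} else {
    $findings | Format-Table -AutoSize
}
```

Any row in the findings table names a principal outside the trusted list that can alter the audited paths, which is the real misconfiguration to fix.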
The recently surfaced "Windows XP Privilege Escalation Exploit" is really no such thing. At first glance it does look valid enough, but the fact remains that it's not even close to being a real exploit.
Let me explain why. In the original article, you can read:
Using simple command line tools on a machine running Windows XP we will obtain system level privileges, and run the entire explorer process (Desktop), and all processes that run from it have system privileges. The system run level is higher than administrator, and has full control of the operating system and its kernel. On many machines this can be exploited even with the guest account. At the time I’m publishing this, I have been unable to find any other mention of people running an entire desktop as system, although I have seen some articles regarding the SYSTEM command prompt.
While this is true, one rather important thing is left out. You need to have local administrator access to be able to do this. This whole "exploit" is based on scheduling a task and having it run as local system.
By default, the only account(s) that can schedule tasks on Windows XP and Windows Server 2003 (and I imagine Vista too) are members of the local administrators group. Imagine that? For this so-called exploit to be possible, you have to have local administrator privileges!
The original author claims that you can even reset the administrator password this way. Well, so can any user that has local administrator access to begin with. Where is the problem? The only scenario where this might be a problem is if some system administrators let their users schedule commands on domain controllers, or other servers, but that would be very bad system administration to begin with. And we all know what problems bad sysadmins can get themselves into.
What annoys me about this whole thing is that everyone and their mother seems to be jumping on the bandwagon and screaming exploit. It's not! Being able, as administrator, to run a command prompt or even a whole desktop as local system poses no significant risk whatsoever.
Move on, there is nothing to see here. I claim FUD.
September 22, 2006 at 11:47pm | 18 Comments