发布时间 :2000-05-11 00:00:00
修订时间 :2008-09-10 15:04:37

[原文]The default configuration of SYSKEY in Windows 2000 stores the startup key in the registry, which could allow an attacker tor ecover it and use it to decrypt Encrypted File System (EFS) data.

[CNNVD]Microsoft Windows 2000 默认系统密钥配置漏洞(CNNVD-200005-047)

        Windows 2000的系统密码配置将启动密钥存放在注册表中,存在漏洞,攻击者可以利用这个漏洞通过查找到的启动密钥破解文件加密系统(EFS) 数据。

- CVSS (基础分值)

CVSS分值: 7.2 [严重(HIGH)]
机密性影响: COMPLETE [完全的信息泄露导致所有系统文件暴露]
完整性影响: COMPLETE [系统完整性可被完全破坏]
可用性影响: COMPLETE [可能导致系统完全宕机]
攻击复杂度: LOW [漏洞利用没有访问限制 ]
攻击向量: LOCAL [漏洞利用需要具有物理访问权限或本地帐户]
身份认证: NONE [漏洞利用无需身份认证]

- CPE (受影响的平台与产品)


- OVAL (用于检测的技术细节)


- 官方数据库链接
(官方数据源) MITRE
(官方数据源) NVD
(官方数据源) CNNVD

- 其它链接及资源
(UNKNOWN)  BID  1198
(UNKNOWN)  NTBUGTRAQ  20000511 ISS SAVANT Advisory 00/26

- 漏洞信息

Microsoft Windows 2000 默认系统密钥配置漏洞
高危 配置错误
2000-05-11 00:00:00 2005-10-20 00:00:00
        Windows 2000的系统密码配置将启动密钥存放在注册表中,存在漏洞,攻击者可以利用这个漏洞通过查找到的启动密钥破解文件加密系统(EFS) 数据。

- 公告与补丁

        Currently the SecurityFocus staff are not aware of any vendor supplied patches for this issue. If you feel we are in error or are aware of more recent information, please mail us at:

- 漏洞信息

Microsoft Windows SYSKEY Registry EFS Startup Key Disclosure
Local Access Required Cryptographic, Information Disclosure
Loss of Confidentiality
Exploit Public

- 漏洞描述

Unknown or Incomplete

- 时间线

2000-05-11 Unknow
Unknow Unknow

- 解决方案

Unknown or Incomplete

- 相关参考

- 漏洞作者

Unknown or Incomplete

- 漏洞信息

Microsoft Windows 2000 Default SYSKEY Configuration Vulnerability
Configuration Error 1198
No Yes
2000-05-11 12:00:00 2009-07-11 01:56:00
Discovered by Internet Security Systems and publicized in ISS SAVANT Advisory 00/26 on May 11, 2000.

- 受影响的程序版本

Microsoft Windows 2000 Terminal Services
+ Microsoft Windows 2000 Advanced Server
+ Microsoft Windows 2000 Datacenter Server
+ Microsoft Windows 2000 Server
Microsoft Windows 2000 Server
+ Avaya DefinityOne Media Servers
+ Avaya IP600 Media Servers
+ Avaya S3400 Message Application Server 0
+ Avaya S8100 Media Servers 0
Microsoft Windows 2000 Professional
Microsoft Windows 2000 Advanced Server

- 漏洞讨论

The default configuration of SYSKEY allows any local user to decrypt data encrypted with the Encrypted File System (EFS).

A known vulnerability exists in Windows 2000 where the SAM database can be deleted if the system is booted with a different operating system. Upon reboot, a new SAM database is created with the Administrator account having a blank password. A malicious user can now login as Administrator and decrypt data if the recovery key resides on the system.

The default mode SYSKEY operates in is to 'Store Startup Key Locally'. Under this mode, Windows 2000 will generate a random 128-bit system key and store it in the registry under HKLM/SYSTEM. Running SYSKEY in this mode will leave the system vulnerable to the exploit mentioned above.

In addition, a tool called 'ntpasswd' is available which can reset the password of any local user account, including the administrator account, by modifying password hashes in the SAM database. A local user can use this tool to login as Administrator (who is the default data recovery agent in the EFS) and from there, decrypt data using the EFS.

Domain-based accounts are not affected by this vulnerability.

- 漏洞利用

see discussion

- 解决方案

Currently the SecurityFocus staff are not aware of any vendor supplied patches for this issue. If you feel we are in error or are aware of more recent information, please mail us at:

- 相关参考