Security Operating Systems Software Windows

Gaining System-Level Access To Vista 412

Posted by kdawson
from the seems-too-simple-somehow dept.
An anonymous reader writes "This video shows a method by which a user can use a Linux distro called BackTrack to gain system access to Windows Vista without logging into Windows or knowing the username or password for any accounts. To accomplish this, the user renames cmd.exe to Utilman.exe — this is the program that brings up the Accessibility options for users without sight or with limited vision. The attack takes advantage of the fact that the Utility Manager can be invoked before the user logs into the system. The user gains System access, which is a level higher than Administrator. The person who discovered this security hole claims that XP, 2000, 2003 and NT are not vulnerable to it; only Windows Vista is."
  • Cancel.... (Score:5, Funny)

    by FriendSite.com (1208220) on Sunday May 25, 2008 @11:53PM (#23541001) Homepage
    Allow full root access

    Cancel or Allow...
  • Long weekend... (Score:4, Interesting)

    by cayenne8 (626475) on Sunday May 25, 2008 @11:54PM (#23541005) Homepage Journal
    Hmm...something new and fun to play with over this long holiday weekend.

    :-)

  • by bersl2 (689221) on Sunday May 25, 2008 @11:55PM (#23541011) Journal
    How is this news?
    • by zonky (1153039) on Sunday May 25, 2008 @11:58PM (#23541039)
      Does it bypass the bitlocker/full drive encryption options in vista? Physical access is not always game over....
      • by hcmtnbiker (925661) on Monday May 26, 2008 @12:09AM (#23541099)
        It won't bypass bitlocker if you have to put in a password as soon as you boot, but it might if you have it set up the other way.

        Physical access does always mean game over, bruting (most people keep their FDE passwords around 4 characters) and the possibility of plain text attacks exist on certain blocks.

        The interesting thing is that the utility for helping impaired people is run as SYSTEM when it really doesn't have to be. I had wondered this and thought about doing the same hack before ever even seeing this video, however I didn't ever bother to do it; the possibility of messing something up and having to revert it after just seemed too annoying to me.
        • by weicco (645927) on Monday May 26, 2008 @01:12AM (#23541497)

          > The interesting thing is that the utility for helping impaired people is run as SYSTEM when it really doesn't have to be.

          My hunch would be that the utility has to insert some system level hooks into Windows in order to read text from every widget (window, control, or whatever you call them) in the system. This is why it needs elevated privileges.

          But the whole article is stupid. I "hacked" into my coworker's Win2000 installation almost a decade ago. He was on holiday and we needed something from his PC. I downloaded a nice little program from the internet, copied it to disk, booted it and changed the admin password. Then we just logged on to his system using the new password. Wow! Maybe I should post an article to Slashdot about this!

          • by debatem1 (1087307) on Monday May 26, 2008 @01:36AM (#23541651)
            Maybe if you did it to a Vista machine a decade ago, it would have.
          • by SynapseLapse (644398) on Monday May 26, 2008 @02:32AM (#23541869)
            Why so negative? It's interesting because it's a pretty egregious oversight on Microsoft's part and it's a pretty funny workaround. The joy of computers is finding interesting and clever hacks. Exactly how many articles have you posted on /.? How many Vista (a supposedly secure system) loopholes have you discovered?
            • by Barny (103770) <bakadamage-slashdot@yahoo.com> on Monday May 26, 2008 @09:27AM (#23544301) Homepage Journal
              You can also use similar tricks to work around the Vista Activation wizard to install drivers.

              When Vista says "activate now or die" tap shift 5 times, opt to go to the accessibility panel, and now you have an explorer window running as System; you can jump to control panel, start up all the networking and windows installer services, install those pesky LAN drivers, then exit back and activate windows.

              This works so well now because of the heavy integration of explorer/iexplore and the configuration panel scripts.
          • by DrYak (748999) on Monday May 26, 2008 @05:06AM (#23542647) Homepage

            > The interesting thing is that the utility for helping impaired people is run as SYSTEM when it really doesn't have to be.
            > My hunch would be that the utility has to insert some system level hooks into Windows in order to read text from every widget (window, control, or whatever you call them) in the system. This is why it needs elevated privileges.

            Yeah. But Microsoft's own good practice recommendation is that these kinds of hooks need to be placed in a driver or a service (itself installed with the necessary privileges), and that the program that needs the access stays with low privileges and only accesses what it needs through the API exposed by the privileged service/driver.

            That's what all hardware monitoring and similar tools do, to avoid triggering false alarms in UAC.

            It's just strange how Windows can't even follow their own recommendations.
          • by BLKMGK (34057) <morejunk4me&hotmail,com> on Monday May 26, 2008 @09:26AM (#23544289) Homepage Journal
            See the problem with that is that you had to use someone else's program to do this - it wasn't just something you could do. Someone had to reverse how the SAM was storing passwords blah blah. Plus now you have hosed up your "friends" password and he will know you have been playing on his machine when he gets back. See, that's not really kewl....

            What you should have done that would have been more impressive would be to boot off a Linux CD and rename the SAM file. Then when the machine was booted again the Administrator password would have been BLANK. You could then have retrieved whatever information you wanted from your "friend's" computer, renamed the SAM back to its correct name, and when he returned his password would have been the same. This would have been much nicer for your "friend" and far more impressive since you would not have had to rely on someone reversing the password storage format of the SAM file - which BTW has changed a few times. Microsoft even started using SALT, the nerve!

            Anyway, the rename method would have worked out of the box without any "boring" reverse work on someone else's part and would take advantage of a stupid oversight on Microsoft's work - just like this hack does. FWIW, I LIKE Vista and know that in general it's more secure than XP. That Microsoft was so STUPID as to allow something like this to work doesn't surprise me but it does disappoint me. Hopefully they don't fix it before I've had a chance to show a "friend" how it works :-P
            • Re: (Score:3, Interesting)

              by hawk (1151)
              >FWIW, I LIKE Vista

              Yeah, and there's men that go to work in women's frilly underwear, but most don't brag about it on the internet! :)

              hawk
      • by Repton (60818)

        I dunno --- I'm still waiting for someone who actually watched the video to post in this thread :-)

        I guess the question is: can the SYSTEM account access encrypted volumes? In XP, if you encrypted your home directory, the Administrator user could read your files (by default; you could change that).

      • Physical access is not always game over....

        With physical access you can reflash the firmware in either the BIOS or (eg) an ethernet NIC. The modified firmware will have full access to the system RAM, disks, and just about anything else (because it can DMA to/from memory and any device). So the next time the system is booted and the full-disk-encryption password is entered it is indeed game over.

        Rich.

    • Re: (Score:3, Interesting)

      by jkrise (535370)
      How is physical access == game over? What about BitLocker encryption? Can a Linux distro decrypt BitLocker?

      Also interesting to note this hack works only with Vista but not XP or earlier versions of Windows. Why would Microsoft go out of its way to make a system less secure?
    • by _xeno_ (155264) on Monday May 26, 2008 @12:40AM (#23541293) Homepage Journal

      No kidding. I once "hacked" into a Linux machine that had an unknown root password by booting off a live CD, sudo bashing to become root, and then it's just mount, chroot and passwd to reset the root password. (I could have also manually edited /etc/shadow but this was easier.)

      Linux is horribly insecure! I was able to reset the root password with just a live CD and complete access to the machine!

      Now of course if the hard drive had been encrypted, this "attack" wouldn't have worked. (Although in this case at least, a different attack would have worked: reinstalling the OS. Resetting the root password was faster. The data on the machine wasn't important. We just needed a working Linux installation with a known root password.)

      • Add this line in the bootloader...

        init=/bin/bash

        It bypasses the init process (and all of the login requirements therein) to dump you straight to the *bash shell.

        *Assumes bash is in the path /bin/bash, but /bin/sh or any valid shell should work.
    • Multi-step process (Score:4, Interesting)

      by lullabud (679893) on Monday May 26, 2008 @01:01AM (#23541421) Homepage
      You're not very good at puzzles, are you? First you get one piece; here it is the ability to rename an executable to execute a privilege escalation. The next piece is for anybody to find... a way to remotely rename an executable while it is being used, or during reboot, or something else more clever than one minute of my thinking during this reply.

      Your questioning follows the "who cares if water expands when it freezes?" line of thinking. You're missing the second part, the idea that you have to pour it into something before it freezes in order to break that something without effort.
      • by gazbo (517111) on Monday May 26, 2008 @03:31AM (#23542205)
        No. In order to rename the file remotely you already need root. And even ignoring that, you would still need physical access to use the newly exploited shell.

        Your comment is akin to saying "Ah, but what if someone finds a way to remotely append init=/bin/bash to Grub?" There's no weakness in Linux there, as you'd need to have root on the box in order to do such a thing, and then after the shutdown -r you'd be fucked anyway as it sat at a shell 1000 miles away waiting for someone to type into the console.

  • by websters (854886) on Sunday May 25, 2008 @11:55PM (#23541021)
    A conversation amongst the developers: Dev 1: "You see - we can just rename the exe and then get the job done!" Dev 2: "Is there a risk?" Dev 1: "How? Users without sight or with limited vision will have a hard time getting to cmd.exe to rename it - dumbass!"
    • Re: (Score:3, Informative)

      by Anonymous Coward
      You cannot do this from within the OS because Utilman is owned by local system. What this attack does is use one OS to modify a second OS while the second OS is offline. Similarly, I can build my own Linux kernel to not authenticate users and replace the Linux kernel on your box with this method. Attacks of this nature are simple if the filesystem is unencrypted and probably still unavoidable on encrypted filesystems if the attacker has complete access to the physical machine.
      • Re: (Score:3, Insightful)

        by inode_buddha (576844)
        This is true and correct. As long as one can spin up a disk and read it, then it's game over. A bootable distro on a CD will easily do the job. You don't even need to build or replace the kernel to do it, since init and login are user-level as far as the kernel is concerned. You might need a few special drivers for volume mounting, reading, and decryption tho. Some really bare-bones disks come to mind as potentially useful, such as very early slackware (3.x) or Linux From Scratch/Busybox, all of which fit o
      • Re: (Score:3, Interesting)

        by rdebath (884132)

        That's not the point

        Linux doesn't try to be secure against physical access, just add init=/bin/sh to the kernel command line.

        OTOH: Windows has always had this weird naivety that passwords will protect the OS from the guy sitting in front of the PC.

      • by rdebath (884132) on Monday May 26, 2008 @01:59AM (#23541755)

        On your second point, encrypted filesystems. If the filesystem is encrypted but the user knows the password they can:

        • Remove the hard disk from the machine (to get past BIOS restrictions)
        • Boot with another OS copy and use their password in that OS to unencrypt the hard disk.

        Encryption is designed to protect against people who don't know the password to the disk. The only way you can arrange this for people who log on to the machine is if physical access to the machine doesn't mean physical access to the keys .. i.e. TPM. Even then it's uncertain, as when you're logged into the machine the plaintext disk key must be available to the OS.

        Likewise, if the password the user enters is poor and the 256-bit key is available on the hard disk (no "keyfob") you can probably get over 100 bits of plaintext for a dictionary search from just the boot sector of the hard disk.

        So to avoid the attack in the FA from a third party you either need a good FDE password, so the on-disk key is used only for password changing or a keyfob that cannot be left in the machine.

        Against the user of the machine it's TPM and prayer.

  • Physical Security (Score:5, Insightful)

    by hardburn (141468) <hardburn&wumpus-cave,net> on Sunday May 25, 2008 @11:57PM (#23541033)

    This demonstrates that it's almost impossible to secure a machine when an attacker has unrestricted physical access. Any OS is vulnerable somehow. There are a few things that can be done (like encrypting the entire system partition), but mostly solutions are limited to restricting who has physical access.

  • PANIC (Score:5, Insightful)

    by Profane MuthaFucka (574406) <busheatskok@gmail.com> on Sunday May 25, 2008 @11:59PM (#23541051) Homepage Journal
    The BIOS lets you run anything! Even a whole new operating system! Unrestricted access OMG!
    • Re:PANIC (Score:5, Funny)

      by jhdevos (56359) on Monday May 26, 2008 @12:39AM (#23541277) Homepage
      Right... They should think of some system where the BIOS will only load code that was digitally signed somehow, so these atrocities are no longer possible. Personally, I will only feel safe when I know that Microsoft completely controls what goes on on my PC!
  • by Animats (122034) on Monday May 26, 2008 @12:00AM (#23541059) Homepage

    Really. If you have enough access to the machine to boot your own OS and rewrite the disk, of course you can take over the machine.

    Now if someone manages to do this from the outside, that's news.

  • Oh... (Score:5, Informative)

    by kasparov (105041) * on Monday May 26, 2008 @12:04AM (#23541081)
    So having physical access to a machine can allow you to get system-level access? Weird. Here's a hint...boot into Linux. At the grub prompt, select edit and add "single" to the line of kernel options. Short of a completely encrypted drive, you are pretty much SOL if someone has physical access to your machine. Sorry.
  • Oddly enough... (Score:3, Interesting)

    by frank_adrian314159 (469671) on Monday May 26, 2008 @12:05AM (#23541085) Homepage
    ... there seem to be a few of these "name related" hacks in Vista. Files with the string "setup" in their name are recognized as potential installers and are handled differently by the OS. We were able to work around an installation issue in Vista by renaming the installation .exe file something else. One look at this and I said to myself "WTF? Is this any way to secure an OS?"
  • by sandmtyh (560543) on Monday May 26, 2008 @12:14AM (#23541121)
    Boot an NTFS live Linux CD, rename magnify.exe to magnify.bak, copy cmd.exe to magnify.exe, boot to the login screen and press Windows key+U and choose magnify the screen. System level access to anything. Also if you are an admin in Windows XP, just run "at 12:05 /interactive cmd.exe"; at 12:05 there will be a cmd prompt that pops open (BTW you can use any time, then adjust the system clock). The cmd prompt that pops open will have system level access. Use taskmgr to kill explorer.exe then launch explorer from the cmd prompt..... you are now system. I have been using this for years... I was told that MS was going to sign all the EXE files to stop this attack, but guess what..... cmd.exe will still be signed. People who are surprised by this.... you might also like to know how to get remote desktop running on XP home http://www.geekport.com/2007/08/15/enabling-remote-desktop-in-xp-home/
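As an added example (not code from the thread, the video, or Microsoft): a defender-side integrity check for the accessibility helpers that winlogon.exe can start before anyone logs on, covering both the utilman.exe swap in the summary and the magnify.exe variant in this comment. It assumes Windows PowerShell 5.1 or later (needed for Get-AuthenticodeSignature to recognise catalog-signed system binaries) and an elevated prompt; the list of shells compared against is an assumption.

```powershell
# Added example: detect a renamed shell masquerading as an accessibility helper.
# Three independent signals are checked so a single evasion does not hide the swap:
#   1. file content identical to a known shell (hash match),
#   2. the PE version resource's OriginalFilename disagreeing with the file name,
#   3. Authenticode status not Valid, or a signer other than Microsoft.
$system32 = Join-Path $env:SystemRoot 'System32'
$helpers  = @('utilman.exe', 'magnify.exe')   # the two helpers this thread discusses
$shells   = @('cmd.exe', 'powershell.exe')    # assumption: shells worth comparing against

# Hash the genuine shells so a renamed copy is recognised by content, not by name.
$shellHashes = @{}
foreach ($s in $shells) {
    $p = Join-Path $system32 $s
    if (Test-Path -LiteralPath $p) {
        $shellHashes[(Get-FileHash -Algorithm SHA256 -LiteralPath $p).Hash] = $s
    }
}

function Test-AccessibilityHelper {
    param([Parameter(Mandatory)][string]$Name)
    $path = Join-Path $system32 $Name
    $file = Get-Item -LiteralPath $path
    $hash = (Get-FileHash -Algorithm SHA256 -LiteralPath $path).Hash
    $sig  = Get-AuthenticodeSignature -FilePath $path
    $orig = $file.VersionInfo.OriginalFilename
    $findings = @()

    # Signal 1: the helper is byte-for-byte one of the shells.
    if ($shellHashes.ContainsKey($hash)) {
        $findings += "content is identical to $($shellHashes[$hash])"
    }
    # Signal 2: a copied cmd.exe keeps its own version resource (OriginalFilename 'Cmd.Exe').
    # PowerShell's -ne on strings is case-insensitive, so genuine casing differences are tolerated.
    if ($orig -and ($orig -ne $Name)) {
        $findings += "version resource says OriginalFilename='$orig'"
    }
    # Signal 3: a third-party or unsigned replacement fails the signature check.
    if ($sig.Status -ne 'Valid') {
        $findings += "Authenticode status is $($sig.Status)"
    }
    elseif ($sig.SignerCertificate.Subject -notmatch 'Microsoft') {
        $findings += "signed by $($sig.SignerCertificate.Subject)"
    }

    [pscustomobject]@{
        Helper   = $Name
        SHA256   = $hash
        Suspect  = ($findings.Count -gt 0)
        Findings = ($findings -join '; ')
    }
}

# Report: any row with Suspect = True deserves a look before the next reboot.
$helpers | ForEach-Object { Test-AccessibilityHelper -Name $_ } | Format-Table -AutoSize
```

Note that cmd.exe is itself Microsoft-signed, so signal 3 alone would pass a straight copy; signals 1 and 2 are what catch the rename described in the thread.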
  • Umm (Score:3, Informative)

    by yoyhed (651244) on Monday May 26, 2008 @12:17AM (#23541151)
    This has been well-known for a LONG time - you can rename cmd.exe to Magnify.exe and then run it from the Accessibility options at the login screen. Then you can do whatever you could normally do with a command prompt process run by System - like for example, run "control Userpasswords2" and change/reset anyone's password.
  • This is news? (Score:5, Informative)

    by atari2600 (545988) on Monday May 26, 2008 @12:18AM (#23541161)
    A few readers have already posted the utter obviousness of the lack of security when someone has physical access to a machine. Linux machine root passwords can be reset, any Windows machine's Administrator password can be blanked if there is physical access.

    Linux distro named BackTrack? Who is this kdawson and how is he such a fucking idiot? All the "elite haxors" in the video are doing are mounting the Windows filesystem in offline mode and doing two simple file operations. Again, how is this news and why is slashdot consistently posting more crap these days? Slashdot: morons for editors, shit that doesn't matter (anymore).
    • Re: (Score:2, Informative)

      by sandmtyh (560543)
      The best part about this is you don't even need Linux to do it... all you need is a Windows CD, and access to the recovery console.... if the recovery console restricts you just rename the hive files so that next time you reboot it won't find the registry entries that restrict you.
      • by atari2600 (545988)
        Indeed. Since the OS in question is Vista, they just need a boot disk that allows them to mount NTFS partitions in RW mode.
    • Two reasons (Score:4, Interesting)

      by Sycraft-fu (314770) on Monday May 26, 2008 @01:18AM (#23541543)
      One is, of course, because it's Windows and Slashdot has this pathological need to post anything and everything they can find that makes Windows look bad, even if it is completely made up/false.

      However the other is that it seems that many geeks misunderstand security. They think that perfect security is something you can actually have, that a system can actually be invulnerable from attack. So any attack is news in their minds since they've never thought it through. This is quite evident from the comments any time a site gets hacked and there is the attitude of "It is your fault if you are stupid enough to get hacked." I always like to ask if they'd take the same view if I broke into their house, which would be extremely easy (almost nobody has good home security).

      As you noted: When there's physical access to the system, all bets are off. Any OS level security isn't any good since the drive can just be removed and accessed directly. Heck, that's how we do data recovery at work. We don't even try to figure out if the problem is OS configuration or an actual disk error. The disk comes out, goes into our recovery system, and we get the necessary data off. Data first, diagnosis later. Once the data is safely off, then I worry about what actually went wrong.

      All security is just a matter of trying to be secure enough that anyone who wants at what you are securing can't or won't spend the effort to defeat it. There's no perfection. Even something like full disk encryption. Yes, this will defeat something like this, and also defeat someone grabbing the drive and reading it. However if they really want it, they just grab you too and force you to hand over your password. If the data was important enough that you had to plan for that contingency, you get some body guards to keep you safe. However then they simply kill your guards and get you... etc.

      Basically there isn't a be-all, end-all of security, where you are safe against everything. There is only being secure to the point that anyone who wants what you have, doesn't have the ability to get it.
  • This is only useful if you have physical access to the machine and can remove the case (in case of BIOS passwords and boot order priority favoring the hard drive before anything else). So it can only be used in the case where you have a) forgotten all the passwords relative to that machine or b) don't have passwords to that machine.

    Even in a networked environment, this access gets you very little, as a local machine admin still has no privileges on the network. So the best you can hope for here, is that the
  • by this great guy (922511) on Monday May 26, 2008 @12:29AM (#23541229)
    • Getting Camtasia Studio to record your BackTrack & Vista sessions: free (you got the free trial version)
    • Downloading some James Bond music to put in your flash demo: free (you have got crazy peer-to-peer skillz)
    • Showing the world the amazing things you can do with physical access to a box and that it takes you 60 long secs to painfully rename cmd.exe to utilman.exe: ...priceless
  • Disk access? (Score:5, Insightful)

    by shird (566377) on Monday May 26, 2008 @12:34AM (#23541251) Homepage Journal
    If they have sufficient access to rename a file, why bother rebooting into windows? Just read/write whatever you want when you have the initial disk access. Hell, modify ntoskrnl etc if you really want to.
  • by kiwioddBall (646813) on Monday May 26, 2008 @12:44AM (#23541313) Homepage
    Reason : You need access to the system to rename the system files in the first place. To rename system files you need Admin permission.

    Definition of a security hole : A security hole allows you to gain system access when you don't have system access in the first place.
  • by WizzardX (1048000) on Monday May 26, 2008 @01:17AM (#23541527)
    I think this is a useful hack. IIRC, unlike most other OSes, Vista doesn't give you "real" system level admin if you log in as administrator. It reserves the highest privilege level for itself. This could be useful for disabling services, updating system files and so on, that Vista won't let you do normally.
    • Re: (Score:3, Informative)

      by cnettel (836611)
      There are, however, plenty of simpler ways to do so from admin. While admin doesn't have the full token directly, it can achieve it in any number of ways.
  • by Martian_Kyo (1161137) on Monday May 26, 2008 @02:04AM (#23541775)
    this is not a security hole
    this is a feature
    which helps you recover data after you forgot your password.
  • by SplatMan_DK (1035528) * on Monday May 26, 2008 @07:36AM (#23543441) Homepage Journal
    The clip is made with "Camtasia", a program from TechSmith inc. (techsmith.com).

    But that product is only available for Windows, so how was it used to capture a screen video of a Linux computer? And how was it used to show a Vista computer booting (since presumably the Camtasia ScreenCam software cannot be loaded at that time)?

    No flaming intended - this is an honest question.

    :-)

    - Jesper
