Gaining System-Level Access To Vista

An anonymous reader writes "This video shows a method by which a user can use a Linux distro called BackTrack to gain system access to Windows Vista without logging into Windows or knowing the username or password for any accounts. To accomplish this, the user renames cmd.exe to Utilman.exe — this is the program that brings up the Accessibility options for users without sight or with limited vision. The attack takes advantage of the fact that the Utility Manager can be invoked before the user logs into the system. The user gains System access, which is a level higher than Administrator. The person who discovered this security hole claims that XP, 2000, 2003 and NT are not vulnerable to it; only Windows Vista is."
  • Oh... (Score:5, Informative)

    by kasparov ( 105041 ) * on Monday May 26, 2008 @01:04AM (#23541081)
    So having physical access to a machine can allow you to get system-level access? Weird. Here's a hint...boot into Linux. At the grub prompt, select edit and add "single" to the line of kernel options. Short of a completely encrypted drive, you are pretty much SOL if someone has physical access to your machine. Sorry.
  • by hcmtnbiker ( 925661 ) on Monday May 26, 2008 @01:09AM (#23541099)
    It won't bypass BitLocker if you have to put in a password as soon as you boot, but it might if you have it set up the other way.

    Physical access does always mean game over; bruting (most people keep their FDE passwords around 4 characters) and the possibility of plaintext attacks exist on certain blocks.

    The interesting thing is that the utility for helping impaired people is run as SYSTEM when it really doesn't have to be. I had wondered about this and thought about doing the same hack before ever even seeing this video; however, I never bothered to do it, since the possibility of messing something up and having to revert it afterwards just seemed too annoying to me.
  • by sandmtyh ( 560543 ) on Monday May 26, 2008 @01:14AM (#23541121)
    Boot an NTFS live Linux CD, rename magnify.exe to magnify.bak, copy cmd.exe to magnify.exe, boot to the login screen, press Windows key+U and choose "magnify the screen". System-level access to anything. Also, if you are an admin in Windows XP, just run "at 12:05 /interactive cmd.exe"; at 12:05 a cmd prompt will pop open (BTW you can use any time, then adjust the system clock), and the cmd prompt that pops open will have system-level access. Use taskmgr to kill explorer.exe, then launch explorer from the cmd prompt..... you are now system. I have been using this for years... I was told that MS was going to sign all the EXE files to stop this attack, but guess what..... cmd.exe will still be signed. People who are surprised by this.... you might also like to know how to get remote desktop running on XP Home: http://www.geekport.com/2007/08/15/enabling-remote-desktop-in-xp-home/
  • by Anonymous Coward on Monday May 26, 2008 @01:16AM (#23541137)
    You cannot do this from within the OS because Utilman is owned by Local System. What this attack does is use one OS to modify a second OS while the second OS is offline. Similarly, I can build my own Linux kernel to not authenticate users and replace the Linux kernel on your box with this method. Attacks of this nature are simple if the filesystem is unencrypted and probably still unavoidable on encrypted filesystems if the attacker has complete access to the physical machine.
  • Umm (Score:3, Informative)

    by yoyhed ( 651244 ) on Monday May 26, 2008 @01:17AM (#23541151)
    This has been well-known for a LONG time - you can rename cmd.exe to Magnify.exe and then run it from the Accessibility options at the login screen. Then you can do whatever you could normally do with a command prompt process run by System - like for example, run "control Userpasswords2" and change/reset anyone's password.
  • This is news? (Score:5, Informative)

    by atari2600 ( 545988 ) on Monday May 26, 2008 @01:18AM (#23541161)
    A few readers have already posted the utter obviousness of the lack of security when someone has physical access to a machine. Linux machine root passwords can be reset, any Windows machine's Administrator password can be blanked if there is physical access.

    Linux distro named BackTrack? Who is this kdawson and how is he such a fucking idiot? All the "elite haxors" in the video are doing are mounting the Windows filesystem in offline mode and doing two simple file operations. Again, how is this news and why is slashdot consistently posting more crap these days? Slashdot: morons for editors, shit that doesn't matter (anymore).
  • Re:Oh... (Score:4, Informative)

    by chatgris ( 735079 ) on Monday May 26, 2008 @01:21AM (#23541167) Homepage
    No it wouldn't. You take the hard drive out of the laptop, either put it in another laptop or buy a $15 adapter that lets you plug it into an IDE slot on a computer. Change the files, put the disk back in the laptop.

    There isn't anything magical or hidden about a laptop hard drive.
  • Re:This is news? (Score:2, Informative)

    by sandmtyh ( 560543 ) on Monday May 26, 2008 @01:22AM (#23541173)
    The best part about this is you don't even need Linux to do it... all you need is a Windows CD and access to the recovery console.... If the recovery console restricts you, just rename the hive files so that next time you reboot it won't find the registry entries that restrict you.
  • by sandmtyh ( 560543 ) on Monday May 26, 2008 @01:25AM (#23541201)
    It works in XP and 2000... you just have to do the same trick with different file names.
  • by Hunter-Killer ( 144296 ) on Monday May 26, 2008 @01:41AM (#23541301)
    Parent is correct; been doing this in XP for years with C:\windows\system32\sethc.exe (StickyKeys).

    The article wouldn't have been newsworthy if it had merely said "Vista just as vulnerable, nothing new." Especially since the old tricks are often the first things tried with the new OS.
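The three logon-screen binaries named so far in this thread (Utilman.exe, Magnify.exe, sethc.exe) are the files a defender should be auditing. The PowerShell below is an added example, not from the video or from any commenter; it assumes an elevated session on the machine being checked and a standard %SystemRoot%\System32 layout, and flags a binary whose embedded OriginalFilename does not match its name on disk (a renamed cmd.exe keeps Microsoft's Authenticode signature, as sandmtyh points out, so the signature status alone proves nothing).

```powershell
# Added example (not from the thread): audit the accessibility binaries that the
# logon screen launches as SYSTEM and flag any that look like a renamed copy of
# another executable. Assumes an elevated PowerShell session; $SystemRoot may be
# pointed at an offline image mounted under another drive letter.
param([string]$SystemRoot = $env:SystemRoot)

# Only the files named in the thread are checked; extend the list as needed.
$Targets = 'Utilman.exe', 'sethc.exe', 'Magnify.exe'

$cmdHash = (Get-FileHash -Algorithm SHA256 (Join-Path $SystemRoot 'System32\cmd.exe')).Hash

foreach ($name in $Targets) {
    $path = Join-Path $SystemRoot "System32\$name"
    if (-not (Test-Path $path)) { continue }

    $item = Get-Item $path
    $sig  = Get-AuthenticodeSignature $path
    $hash = (Get-FileHash -Algorithm SHA256 $path).Hash
    $orig = $item.VersionInfo.OriginalFilename   # name baked into the PE version resource

    $findings = @()
    # A renamed cmd.exe still carries a valid Microsoft signature, so compare the
    # embedded OriginalFilename (e.g. "Cmd.Exe") against the name on disk instead.
    $stem = [IO.Path]::GetFileNameWithoutExtension($name)
    if ($orig -and ($orig -notlike "$stem*")) {
        $findings += "OriginalFilename '$orig' does not match '$name'"
    }
    if ($hash -eq $cmdHash) { $findings += 'byte-identical to System32\cmd.exe' }
    if ($sig.Status -ne 'Valid') { $findings += "signature status $($sig.Status)" }
    # A stray backup such as magnify.bak is the trace a hurried rename leaves behind.
    $bak = [IO.Path]::ChangeExtension($path, '.bak')
    if (Test-Path $bak) { $findings += "stray backup $bak present" }

    [pscustomobject]@{
        File       = $name
        Signer     = $sig.SignerCertificate.Subject
        OrigName   = $orig
        Suspicious = ($findings.Count -gt 0)
        Findings   = ($findings -join '; ')
    }
}
```

On a clean install every row should show Suspicious = False with OrigName matching the file; pipe the output to Export-Csv to baseline a fleet.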
  • by mrbah ( 844007 ) on Monday May 26, 2008 @01:47AM (#23541329)
    The idea is to boot to an external OS (which can freely access the Windows partition) and modify the file that way.
  • Re:Physical Security (Score:4, Informative)

    by ozmanjusri ( 601766 ) on Monday May 26, 2008 @01:51AM (#23541353) Journal
    So you can install a rootkit/keylogger and get back in when the OS is running.
  • Re:Long weekend... (Score:4, Informative)

    by Anonymous Coward on Monday May 26, 2008 @02:06AM (#23541453)

    maybe you should shop for a MAC over the weekend
    Why do people insist on putting Mac in all caps? Like it's some sort of acronym or something? Unless you were suggesting shopping for Media Access Control, in which case I apologize.
    by Phroggy ( 441 ) on Monday May 26, 2008 @02:24AM (#23541589) Homepage
    If you already have root access, passwd does not prompt you for the old password. His method is sound.
  • by rdebath ( 884132 ) on Monday May 26, 2008 @02:59AM (#23541755)

    On your second point, encrypted filesystems. If the filesystem is encrypted but the user knows the password they can:

    • Remove the hard disk from the machine (to get past BIOS restrictions)
    • Boot with another OS copy and use their password in that OS to decrypt the hard disk.

    Encryption is designed to protect against people who don't know the password to the disk. The only way you can arrange this for people who log on to the machine is if physical access to the machine doesn't mean physical access to the keys, i.e. TPM. Even then it's uncertain, as when you're logged into the machine the plaintext disk key must be available to the OS.

    Likewise, if the password the user enters is poor and the 256-bit key is available on the hard disk (no "keyfob"), you can probably get over 100 bits of plaintext for a dictionary search from just the boot sector of the hard disk.

    So to avoid the attack in the FA from a third party you either need a good FDE password, so the on-disk key is used only for password changing, or a keyfob that cannot be left in the machine.

    Against the user of the machine it's TPM and prayer.

  • by Anonymous Coward on Monday May 26, 2008 @03:31AM (#23541861)

    The interesting thing is that the utility for helping impaired people is run as SYSTEM when it really doesn't have to be.

    My hunch would be that the utility has to insert some system level hooks into Windows in order to read text from every widget (window, control, or whatever you call them) in the system. This is why it needs elevated privileges.

    But the whole article is stupid. I "hacked" into my coworker's Win2000 installation almost a decade ago. He was on holiday and we needed something from his PC. I downloaded a nice little program from the internet, copied it to disk, booted it and changed the admin password. Then we just logged on to his system using the new password. Wow! Maybe I should post an article to Slashdot about this!

    Win2000 is not the most secure Windows version ever.
    This does not make it blatantly obvious that you have accessed the victim's PC.
    If you reset the admin password you break the system for the real owner.
  • by Anonymous Coward on Monday May 26, 2008 @04:12AM (#23542105)
    SYSTEM has permissions to do a few other things, such as edit the SAM. The old trick in Windows 2000 was to run regedt32 from an 'at' job (which runs by default as SYSTEM), and lo, there is the SAM ready for editing (even as an administrator, the Security hive was greyed out).
  • Re:Long weekend... (Score:0, Informative)

    by Anonymous Coward on Monday May 26, 2008 @04:59AM (#23542329)
    You mean Mac. A MAC is a number to show what type of network card ID you have, the other is a computer whose users do not have to deal with the whack-a-mole battle with malware that the Windows and Linux users have to deal with on a day to day basis.
  • by xuanyou ( 896823 ) on Monday May 26, 2008 @06:34AM (#23542761)
    I've used the same technique before to restore an XP system that no one knew the admin password to. Changed the default screensaver .scr to cmd.exe. Just booted to login, made a coffee, when I got back, cmd was open in System user. Funnily, I think the user rights for System in XP were limited below Administrator.
  • by cnettel ( 836611 ) on Monday May 26, 2008 @07:10AM (#23542953)
    There are, however, plenty of simpler ways to do so from admin. While admin doesn't have the full token directly, it can achieve it in any number of ways.
  • Re:Apple / OS X (Score:2, Informative)

    by pasokon ( 829164 ) on Monday May 26, 2008 @07:34AM (#23543085) Homepage
    You can also set a password for EFI on Intel-based Macs.

    See http://support.apple.com/kb/HT1352
    (also covers setting the password on Open Firmware PowerPC)
  • Re:Long weekend... (Score:3, Informative)

    by aproposofwhat ( 1019098 ) on Monday May 26, 2008 @10:06AM (#23544109)
    OK - the OP phrased it badly, but the first 24 bits of the MAC address do give vendor information - some drivers allow you to override that, but allowing for some terminological inexactitude, the OP made sense.
    by BLKMGK ( 34057 ) on Monday May 26, 2008 @10:26AM (#23544289) Homepage Journal
    See the problem with that is that you had to use someone else's program to do this - it wasn't just something you could do. Someone had to reverse how the SAM was storing passwords blah blah. Plus now you have hosed up your "friends" password and he will know you have been playing on his machine when he gets back. See, that's not really kewl....

    What you should have done that would have been more impressive would be to boot off a Linux CD and rename the SAM file. Then when the machine was booted again the Administrator password would have been BLANK. You could then have retrieved whatever information you wanted from your "friend's" computer, renamed the SAM back to its correct name, and when he returned his password would have been the same. This would have been much nicer for your "friend" and far more impressive, since you would not have had to rely on someone reversing the password storage format of the SAM file - which BTW has changed a few times. Microsoft even started using SALT, the nerve!

    Anyway, the rename method would have worked out of the box without any "boring" reverse work on someone else's part and would take advantage of a stupid oversight on Microsoft's part - just like this hack does. FWIW, I LIKE Vista and know that in general it's more secure than XP. That Microsoft was so STUPID as to allow something like this to work doesn't surprise me, but it does disappoint me. Hopefully they don't fix it before I've had a chance to show a "friend" how it works :-P
  • by Barny ( 103770 ) on Monday May 26, 2008 @10:27AM (#23544301) Journal
    You can also use similar tricks to work around the Vista Activation wizard to install drivers.

    When Vista says "activate now or die", tap Shift 5 times, opt to go to the accessibility panel, and now you have an Explorer window running as System; you can jump to Control Panel, start up all the networking and Windows Installer services, install those pesky LAN drivers, then exit back and activate Windows.

    This works so well now because of the heavy integration of explorer/iexplore and the configuration panel scripts.
  • Why bother? (Score:3, Informative)

    by SEMW ( 967629 ) on Monday May 26, 2008 @11:10AM (#23544729)

    I've used the same technique before to restore an XP system that no one knew the admin password to. Changed the default screensaver .scr to cmd.exe. Just booted to login, made a coffee, when I got back, cmd was open in System user. Funnily, I think the user rights for System in XP were limited below Administrator
    Why bother? If you can reboot the computer, you can just boot into single user mode and change the password directly, on any operating system I've ever used (Windows: press F8 on bootup; Linux: append S to the GRUB kernel line, etc.).
  • by karmatic ( 776420 ) on Monday May 26, 2008 @11:33AM (#23544929)

    Or, you could just pay for that software you've pirated. See, no more pesky activation dialogs. But of course being Slashdot, that means that it's noble to somehow stick it to Microsoft.
    Did you actually read the parent? It's possible to get Vista into a state where you can't activate (online) because you lack networking drivers.

    Instead of using the incredibly painful phone activation, you can use this to install said LAN drivers and activate.

    If you're using a pirate copy, there's no pesky activation dialog either, and if you're using a crack, you don't really need LAN drivers to use it, do you?
  • by phorm ( 591458 ) on Monday May 26, 2008 @11:43AM (#23545023) Journal
    Add this line in the bootloader...

    init=/bin/bash

    It bypasses the init process (and all of the login requirements therein) to dump you straight to the *bash shell.

    *Assumes bash is in the path /bin/bash, but /bin/sh or any valid shell should work.
    by hawk ( 1151 ) on Monday May 26, 2008 @01:20PM (#23546123) Journal
    Roll back the clock a couple of decades. Microsoft was the #2 violator of the Macintosh programming standards and rules. #1, of course, was Apple . . .

    Thus on system software changes, guess which two manufacturers' software broke the most often.

    hawk
