
 




Gaining System-Level Access To Vista

An anonymous reader writes "This video shows a method by which a user can use a Linux distro called BackTrack to gain system access to Windows Vista without logging into Windows or knowing the username or password for any accounts. To accomplish this, the user renames cmd.exe to Utilman.exe — this is the program that brings up the Accessibility options for users without sight or with limited vision. The attack takes advantage of the fact that the Utility Manager can be invoked before the user logs into the system. The user gains System access, which is a level higher than Administrator. The person who discovered this security hole claims that XP, 2000, 2003 and NT are not vulnerable to it; only Windows Vista is."
This discussion has been archived. No new comments can be posted.

  • by bersl2 ( 689221 ) on Monday May 26, 2008 @12:55AM (#23541011) Journal
    How is this news?
  • Physical Security (Score:5, Insightful)

    by hardburn ( 141468 ) <hardburn.wumpus-cave@net> on Monday May 26, 2008 @12:57AM (#23541033)

    This demonstrates that it's almost impossible to secure a machine when an attacker has unrestricted physical access. Any OS is vulnerable somehow. There are a few things that can be done (like encrypting the entire system partition), but mostly solutions are limited to restricting who has physical access.

  • by zonky ( 1153039 ) on Monday May 26, 2008 @12:58AM (#23541039)
    Does it bypass the bitlocker/full drive encryption options in vista? Physical access is not always game over....
  • PANIC (Score:5, Insightful)

    by Profane MuthaFucka ( 574406 ) <busheatskok@gmail.com> on Monday May 26, 2008 @12:59AM (#23541051) Homepage Journal
    The BIOS lets you run anything! Even a whole new operating system! Unrestricted access OMG!
  • by Animats ( 122034 ) on Monday May 26, 2008 @01:00AM (#23541059) Homepage

    Really. If you have enough access to the machine to boot your own OS and rewrite the disk, of course you can take over the machine.

    Now if someone manages to do this from the outside, that's news.

  • Re:WTF? (Score:5, Insightful)

    by fabs64 ( 657132 ) <beaufabry+slashdot,org&gmail,com> on Monday May 26, 2008 @01:24AM (#23541191)
    You mean like init? gdm? Xorg? sshd?

    Wow, if I boot a *nix machine with a rescue disk (assuming /sbin isn't encrypted) I can replace all sorts of apps that run as root with my own!

    danger will robinson.

    Seriously, as many problems as I have with Microsoft's past security practices, this does not look like anything.

  • Re:WTF? (Score:5, Insightful)

    by icebike ( 68054 ) on Monday May 26, 2008 @01:25AM (#23541205)
    > While this does require physical access, running
    > something as root before login is still incredibly
    > stupid.

    Every Unix/Linux system runs "something as root" before login. You should look at "top" some time and see what pid number 1 is and who ran it.

  • by pallmall1 ( 882819 ) on Monday May 26, 2008 @01:26AM (#23541215)

    Similarly, I can build my own linux kernel to not authenticate users and replace the linux kernel on your box with this method.
    Replacing the kernel is a little different than just changing one filename.
  • Re:ethics? (Score:1, Insightful)

    by Anonymous Coward on Monday May 26, 2008 @01:31AM (#23541239)
    • Full disclosure [wikipedia.org] would be unethical if limited disclosure actually worked. But it doesn't, as vendors of defective software have demonstrated time and again through weeks if not months of inaction and harassment of researchers.
    • As almost every commenter has pointed out, this is just one more in a well-known family of defects which practically require booting a different operating system to exploit.

  • Disk access? (Score:5, Insightful)

    by shird ( 566377 ) on Monday May 26, 2008 @01:34AM (#23541251) Homepage Journal
    If they have sufficient access to rename a file, why bother rebooting into windows? Just read/write whatever you want when you have the initial disk access. Hell, modify ntoskrnl etc if you really want to.
  • by cciRRus ( 889392 ) on Monday May 26, 2008 @01:43AM (#23541305)
    With the ability to boot up a LiveCD, wouldn't retrieving the NTLM password hashes and cracking the passwords with rainbow tables be a better idea? The process can be done with Ophcrack [sourceforge.net] within minutes on a modern PC. That way, the attack gains access to the local Administrator account but leaves no traces behind (i.e. no modification of system files).

    The Administrator account would then allow the attacker to login into Vista and launch cmd.exe at System-Level. This can be accomplished by using the Task Scheduler at.exe to run cmd.exe at the next minute.
  • by kiwioddBall ( 646813 ) on Monday May 26, 2008 @01:44AM (#23541313)
    Reason: You need access to the system to rename the system files in the first place. To rename system files you need Admin permission.

    Definition of a security hole: A security hole allows you to gain system access when you don't have system access in the first place.
  • by inode_buddha ( 576844 ) on Monday May 26, 2008 @01:52AM (#23541359) Journal
    This is true and correct. As long as one can spin up a disk and read it, then it's game over. A bootable distro on a CD will easily do the job. You don't even need to build or replace the kernel to do it, since init and login are user-level as far as the kernel is concerned. You might need a few special drivers for volume mounting, reading, and decryption tho. Some really bare-bones disks come to mind as potentially useful, such as very early slackware (3.x) or Linux From Scratch/Busybox, all of which fit on a floppy or two. Recall that most boxes will seek the first possible bootable media.
  • by totally bogus dude ( 1040246 ) on Monday May 26, 2008 @02:06AM (#23541451)

    Not really, the kernel is just a file or two. If you insist, then rename init to something else (e.g. a shell) and you'll get a similar effect on Linux. Or modify the inittab to run a logged-in root shell on one of the vty's. If you really think this is some special OMG VISTA IS SO INSECURE COMPARED TO EVERYTHING ELSE flaw, then you don't understand the "problem" at all.

    However I have to wonder: once you have access to the filesystem, why exactly would you bother booting into Vista and getting yourself a privileged cmd.exe? Why not just access whatever data you want from the other OS? Or does "unencrypted hard drives can be read and modified using other computers" not make a good enough headline?

    This whole thing is so completely and utterly pointless it's probably created a black hole.

  • by Anonymous Coward on Monday May 26, 2008 @02:11AM (#23541487)
    This is really getting old. Physical access to unencrypted file system equals game over unconditionally and is not a reflection of the strength of the OS.

    Physical access to encrypted file systems with bitlocker means you're going to have to be a lot more creative. TPM provides a trust relationship at the BIOS level so cheap crap like replacing the hard drive and waiting for the user to login is not going to work. You will need to first hide a small camera next to the keyboard or tap the keyboard or use tempest to collect the user's password.
  • by weicco ( 645927 ) on Monday May 26, 2008 @02:12AM (#23541497)

    The interesting thing is that the utility for helping impaired people is run as SYSTEM when it really doesn't have to be.

    My hunch would be that the utility has to insert some system level hooks into Windows in order to read text from every widget (window, control, or whatever you call them) in the system. This is why it needs elevated privileges.

    But the whole article is stupid. I "hacked" into my coworker's Win2000 installation almost a decade ago. He was on holiday and we needed something from his PC. I downloaded a nice little program from the internet, copied it to disk, booted it and changed the admin password. Then we just logged on to his system using the new password. Wow! Maybe I should post an article to Slashdot about this!

  • by WizzardX ( 1048000 ) on Monday May 26, 2008 @02:17AM (#23541527)
    I think this is a useful hack. iirc, unlike most other OS's, Vista doesn't give you "real" system level admin if you login as administrator. It reserves the highest privilege level for itself. This could be useful for disabling services, updating system files and so on, that Vista won't let you do normally.
  • by ka2 ( 1285996 ) on Monday May 26, 2008 @02:20AM (#23541557)
    You can also reset Windows passwords in a similar way. With physical access and no encryption on the drive it is game over.
  • by arivanov ( 12034 ) on Monday May 26, 2008 @02:56AM (#23541729) Homepage
    You can use crypto not just for data privacy. You can use it for integrity.

    If the "interesting" files on a FS are cryptographically signed with a signature that also covers at least some of their FS info (name, fs, allocation, etc) you can happily read them, but you cannot modify them and move them around.

    The funniest bit here is that Vista has the relevant crypto framework in place and has everything it needs to do this. Windows has been cryptographically verifying stuff for ages. As the video shows, it however, does not use it everywhere.

    IMO it is a classic lesson on security design which can be summarised using one of my high school CS prof quotes. He used to say: "Miss, there is no such thing as a bit pregnant". You either do something everywhere or you do not bother.
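    The point made above (a signature must cover a file's name and location, not just its bytes) can be shown in a few lines. The following is an added example and is not code from the thread or from Windows; the file contents, paths and the HMAC "vendor key" are all constructed stand-ins, and HMAC replaces the asymmetric signature a real vendor would use so the script runs offline with the standard library only. It models the video's scenario, cmd.exe's bytes placed where Utilman.exe lives, and shows that a content-only signature check accepts the swap while a manifest that signs (path, content hash) pairs rejects it.

```python
import hashlib
import hmac

# Constructed stand-ins for the two binaries' contents (not real PE files).
CMD_PATH = r"C:\Windows\System32\cmd.exe"
UTILMAN_PATH = r"C:\Windows\System32\Utilman.exe"
SYSTEM32 = {
    CMD_PATH: b"MZ cmd.exe sample content (constructed)",
    UTILMAN_PATH: b"MZ Utilman.exe sample content (constructed)",
}

# Hypothetical vendor signing key. A real scheme would use an asymmetric key
# pair; an HMAC stands in for it so the example needs only the stdlib.
VENDOR_KEY = b"constructed-vendor-signing-key"


def _tag(message: bytes) -> str:
    """Stand-in for 'sign with the vendor key'."""
    return hmac.new(VENDOR_KEY, message, hashlib.sha256).hexdigest()


def sign_content(data: bytes) -> str:
    """Signature over content alone: it has no idea what the file is called."""
    return _tag(hashlib.sha256(data).digest())


def sign_manifest(files: dict) -> dict:
    """One signature per (path, content hash) pair, binding identity to location."""
    return {path: _tag(path.encode() + b"\0" + hashlib.sha256(data).digest())
            for path, data in files.items()}


def content_only_check(data: bytes, catalog: set) -> bool:
    """Accept any content the vendor has ever signed, regardless of its name."""
    return sign_content(data) in catalog


def manifest_check(path: str, data: bytes, manifest: dict) -> bool:
    """Accept only if this exact path carries the content the manifest signed for it."""
    expected = manifest.get(path)
    if expected is None:
        return False  # file is not in the manifest at all
    actual = _tag(path.encode() + b"\0" + hashlib.sha256(data).digest())
    return hmac.compare_digest(actual, expected)


def simulate_swap() -> dict:
    """Model the thread's scenario: cmd.exe's bytes end up at Utilman.exe's path."""
    catalog = {sign_content(data) for data in SYSTEM32.values()}
    manifest = sign_manifest(SYSTEM32)
    tampered = dict(SYSTEM32)
    tampered[UTILMAN_PATH] = SYSTEM32[CMD_PATH]  # the rename/copy from the video
    return {
        "content_only_accepts_swap": content_only_check(tampered[UTILMAN_PATH], catalog),
        "manifest_accepts_swap": manifest_check(UTILMAN_PATH, tampered[UTILMAN_PATH], manifest),
        "manifest_accepts_original": manifest_check(UTILMAN_PATH, SYSTEM32[UTILMAN_PATH], manifest),
        "manifest_accepts_unknown_file": manifest_check(
            r"C:\Windows\System32\unknown.exe", b"constructed unsigned content", manifest),
    }


if __name__ == "__main__":
    for check, accepted in simulate_swap().items():
        print(f"{check}: {'ACCEPTED' if accepted else 'REJECTED'}")
```

    Both files are "genuinely signed" in the content-only model, which is why that check passes after the swap; only the manifest, which names the path inside the signed message, notices that the wrong authentic binary is sitting at the Utilman.exe location. As later comments in the thread note, the manifest and the key that checks it have to live somewhere the attacker cannot rewrite from a boot CD, or the check protects nothing.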
  • by debatem1 ( 1087307 ) on Monday May 26, 2008 @03:01AM (#23541767)
    Big difference between gaining root access to a (possibly trusted) machine and just taking it down. If you have unlimited physical access and just want it to go away, save yourself some time and pull the plug.
  • by vux984 ( 928602 ) on Monday May 26, 2008 @03:21AM (#23541819)
    So you can install a rootkit/keylogger and get back in when the OS is running.

    You ALREADY have unrestricted access to the drive by booting into an alternative OS with R/W access to the unencrypted HD. You want to install a rootkit or keylogger, just do it. You don't need to boot windows at all.

    This is possible in any OS. Windows, OSX, Linux.... hell even OS9.
  • by SynapseLapse ( 644398 ) on Monday May 26, 2008 @03:32AM (#23541869)
    Why so negative? It's interesting because it's a pretty egregious oversight on Microsoft's part and it's a pretty funny workaround. The joy of computers is finding interesting and clever hacks. Exactly how many articles have you posted on /.? How many Vista (A supposedly secure system) loopholes have you discovered?
  • Re:Long weekend... (Score:3, Insightful)

    by mgblst ( 80109 ) on Monday May 26, 2008 @03:39AM (#23541919) Homepage
    Why, because lots of people aren't sure, and don't really care enough to check. And if you are only talking, you can get away, unless you spell it out of course.
  • by ozmanjusri ( 601766 ) <aussie_bob@hoMOSCOWtmail.com minus city> on Monday May 26, 2008 @04:05AM (#23542067) Journal
    You ALREADY have unrestricted access to the drive by booting into an alternative OS with R/W access to the unencrypted HD.

    You have unrestricted access at that point of time.

    You may want unrestricted access forever.

  • by gazbo ( 517111 ) on Monday May 26, 2008 @04:31AM (#23542205)
    No. In order to rename the file remotely you already need root. And even ignoring that, you would still need physical access to use the newly exploited shell.

    Your comment is akin to saying "Ah, but what if someone finds a way to remotely append init=/bin/bash to Grub?" There's no weakness in Linux there, as you'd need to have root on the box in order to do such a thing, and then after the shutdown -r you'd be fucked anyway as it sat at a shell 1000 miles away waiting for someone to type into the console.

  • by Niten ( 201835 ) on Monday May 26, 2008 @04:40AM (#23542251)

    That is called defence in depth. The attacker should not be able to simply boot and change system files.

    But you still don't seem to understand. Surely you should see the folly in trying to protect the integrity of the contents of a disk, by performing verification using software stored on the same disk? It is a fool's errand, a fundamentally losing proposition.

    I thought Vista is touting 'full disk encryption' as a great security feature! If it can be broken so easily, it is an anti-feature.

    It is a great security feature for keeping your data from being read by others if your laptop is confiscated or stolen. It is not a great security feature for keeping someone else from manipulating disk contents without special hardware support -- because in order for the computer to even boot there must be some amount of unencrypted code in the boot sector, and if you can modify that then there always exists a vector for attack.

    These are two different types of security you're talking about; you can't just lump it all together.

  • by WWWWolf ( 2428 ) <wwwwolf@iki.fi> on Monday May 26, 2008 @04:51AM (#23542303) Homepage

    Secondly, which moron in Microsoft would allow 'root' level programs to run 'before' the user has logged in as root? Pretty dumb, it seems to me. Maybe they did it on purpose?

    A bit of a chicken-and-egg problem here: How do you propose you authenticate users without a) running the authenticating program as root, having privileges to say "okay, you're user X, let me shift the control over to you", or b) being just as exploitable by giving limited user Y the privilege of saying "okay, you're user X, let me shift the control over to you"?

    Linux isn't any better, you know...

    # ps axu | grep getty
    root 4825 [...] /sbin/getty 38400 tty3
    root 4826 [...] /sbin/getty 38400 tty4
    [...]
    # ps axu | grep gdm
    root 10691 [...] /usr/sbin/gdm
    root 23736 [...] /usr/sbin/gdm

    A better question would be to ask, "why is the login application executing random programs anyway?" or, like you said, "why isn't the login application making sure that, when it executes a random program, it actually executes the program it was supposed to execute?" but I suppose the answer to these questions is simple: "sometimes the flexibility is warranted" and "this is getting way too elaborate, giving minimal gains in actual real security" - in short, if you want to make sure utilman.exe isn't messed around with before the boot, the more feasible and elegant solution is to use full-drive encryption (which solves far more problems at one single swat), not mess around with micro-granular annoyances.

  • by dhalgren ( 34798 ) on Monday May 26, 2008 @05:02AM (#23542341)

    Secondly, which moron in Microsoft would allow 'root' level programs to run 'before' the user has logged in as root? Pretty dumb, it seems to me. Maybe they did it on purpose?

    ts7000:~$ ps aux
    USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
    root 1 0.0 1.7 1368 508 ? S May25 0:05 init [2]

  • Physical access is not always game over....

    With physical access you can reflash the firmware in either the BIOS or (e.g.) an ethernet NIC. The modified firmware will have full access to the system RAM, disks, and just about anything else (because it can DMA to/from memory and any device). So the next time the system is booted and the full-disk-encryption password is entered it is indeed game over.

    Rich.

  • Re:Long weekend... (Score:2, Insightful)

    by kdemetter ( 965669 ) on Monday May 26, 2008 @09:29AM (#23543829)

    You mean Mac. A MAC is a number to show what type of network card ID you have, the other is a computer whose users do not have to deal with the whack-a-mole battle with malware that the Windows users have to deal with on a day to day basis.
    Fixed that for you.

  • by akozakie ( 633875 ) on Monday May 26, 2008 @09:37AM (#23543883)
    There's physical access and physical access. If you are alone in the room with the computer for a long time, with no risk of anyone seeing you, then yes, you've won. But in a busy room - that's a bit different. An unknown person trying to open the case, or doing something else which looks "different", is easy to spot, but in many cases an unknown person doing things which look normal will be ignored - probably just a new guy. With this kind of exploit you just need seconds without being watched: pop a CD into the drive, reboot. If you are well prepared, the CD will not boot a full Linux system, it'll just mount the first partition which looks like Vista, rename the file, eject the CD and reboot. Hide the CD in your pocket and sit down. You don't look suspicious now, you're just a guy waiting for his machine to boot. Now you need a few seconds again to "log in" - launch the cmd.exe, run explorer, launch IE or whatever... Everything looks normal now. If you are calm and look bored, you can now browse away all you like - read all files on the disk, do what you want to the system, copy the files, etc. Then just get up and leave. Yes, you need guts to do this, but if you're playing with social engineering (how else did you get to sit in that room unattended?) then you have plenty of that.

    Besides, you can be there legitimately. You may even have an account on the machine. Employees, contractors, etc. can also be attackers. This way they have a simple, fast and reliable privilege escalation ability.

    Anything that makes breaking security with physical access faster and relatively inconspicuous is a threat. So, yeah, restrict physical access all you want, but since this is never foolproof... If it's sensitive, it should be encrypted, period.
  • Hardware key logger - I can deploy one of those with physical access. Perhaps a modified USB or other keyboard driver might work on OSX too, something I could install with physical access. If only the user's home dir is encrypted then it sounds to me like those drivers, and obviously the hardware, are fair game for a key logger to get past your password. I simply need to take a copy of the encrypted dir with me and have the key logger email me your password when you log in :-)
  • by karmatic ( 776420 ) on Monday May 26, 2008 @11:29AM (#23544881)
    Most of my passwords range in the 10-14 character range, but I've found that users tend to have issues with anything that long.

    Our final solution ended up being fairly simple (for the users, it was a pain for me to implement) - Smart Cards.

    We disallow "stupid" passwords (1234, etc.), and the cards are set to lockout after 3 incorrect tries. When you only get 3 guesses, even a 4 character password is secure.
  • by dotancohen ( 1015143 ) on Monday May 26, 2008 @12:26PM (#23545427) Homepage

    I use a 26 char password on a laptop that locks every 5 minutes.

    Once you get used to it, it's not too annoying at all.
    I'm sure that a cellmate love affair would not be too annoying at all after you get used to it, but there are some pleasures that I just do not want to get used to.
  • Re:Long weekend... (Score:1, Insightful)

    by Anonymous Coward on Monday May 26, 2008 @01:55PM (#23546523)
    While using the Accessibility Options is a bit clever, it's not like Macs are any more secure against an attack where you boot another OS and mount the drive R/W. As a matter of fact, they are probably less secure with the target disk mode or whatever they have which would mean I don't even have to run the Linux disk on the machine I wish to compromise.
