
Gaining System-Level Access To Vista

An anonymous reader writes "This video shows a method by which a user can use a Linux distro called BackTrack to gain system access to Windows Vista without logging into Windows or knowing the username or password for any accounts. To accomplish this, the user renames cmd.exe to Utilman.exe — this is the program that brings up the Accessibility options for users without sight or with limited vision. The attack takes advantage of the fact that the Utility Manager can be invoked before the user logs into the system. The user gains System access, which is a level higher than Administrator. The person who discovered this security hole claims that XP, 2000, 2003 and NT are not vulnerable to it; only Windows Vista is."
  • Long weekend... (Score:4, Interesting)

    by cayenne8 ( 626475 ) on Monday May 26, 2008 @12:54AM (#23541005) Homepage Journal
    Hmm...something new and fun to play with over this long holiday weekend.

    :-)

  • by ccoder ( 468480 ) <ccoder.shiznor@net> on Monday May 26, 2008 @01:00AM (#23541061)
    ... IN ALL WINDOWS VERSIONS!

    I've done this in 3.1/95 with the SHELL= variable, in 98 replacing explorer.exe, etc, and in 2000/XP by replacing the accessibility tools. (I forget the name, but try pressing Shift 5 times before you log in with Windows XP - or after, and use Task Manager to see what comes up)..

    Writing this from Linux or I'd check :)

    Very nasty in computer labs :)
  • Oddly enough... (Score:3, Interesting)

    by frank_adrian314159 ( 469671 ) on Monday May 26, 2008 @01:05AM (#23541085) Homepage
    ... there seem to be a few of these "name related" hacks in Vista. Files with the string "setup" in their name are recognized as potential installers and are handled differently by the OS. We were able to work around an installation issue in Vista by renaming the installation .exe file something else. One look at this and I said to myself "WTF? Is this any way to secure an OS?"
  • by jkrise ( 535370 ) on Monday May 26, 2008 @01:11AM (#23541105) Journal
    How is physical access == game over? What about BitLocker encryption? Can a Linux distro decrypt BitLocker?

    Also interesting to note this hack works only with Vista but not XP or earlier versions of Windows. Why would Microsoft go out of its way to make a system less secure?
  • by jkrise ( 535370 ) on Monday May 26, 2008 @01:23AM (#23541183) Journal
    The exploit involves rewriting cmd.exe with Utilman.exe by booting the system into Linux. How can the Linux ntfs utility gain access to the Vista partition if it was encrypted... remember we haven't booted Vista yet?

    Secondly, which moron in Microsoft would allow 'root' level programs to run 'before' the user has logged in as root? Pretty dumb, it seems to me. Maybe they did it on purpose?

    Thirdly, why not validate the cmd.exe before actually allowing it to run as root? This appears to have been done in XP / 2000 etc. so why not in Vista?

    The exploit seems to be just the tip of an iceberg.
  • by pbaer ( 833011 ) on Monday May 26, 2008 @01:29AM (#23541231)
    My knowledge of modern windows (XP, Vista) isn't very good, but I've always been under the impression Administrator==root. Is that not so? Is System Access "root" or is there a more powerful level? What are the differences between Administrator, System Access, and any other more powerful levels?

    Also, how do I get "root" or the most powerful level of access to an XP machine?
  • by _xeno_ ( 155264 ) on Monday May 26, 2008 @01:40AM (#23541293) Homepage Journal

    No kidding. I once "hacked" into a Linux machine that had an unknown root password by booting off a live CD, sudo bashing to become root, and then it's just mount, chroot and passwd to reset the root password. (I could have also manually edited /etc/shadow but this was easier.)

    Linux is horribly insecure! I was able to reset the root password with just a live CD and complete access to the machine!

    Now of course if the hard drive had been encrypted, this "attack" wouldn't have worked. (Although in this case at least, a different attack would have worked: reinstalling the OS. Resetting the root password was faster. The data on the machine wasn't important. We just needed a working Linux installation with a known root password.)

  • Multi-step process (Score:4, Interesting)

    by lullabud ( 679893 ) on Monday May 26, 2008 @02:01AM (#23541421)
    You're not very good at puzzles, are you? First you get one piece, here it is the ability to rename an executable to execute a privilege escalation. The next piece is for anybody to find... a way to remotely rename an executable while it is being used, or during reboot, or something else more clever than one minute of my thinking during this reply.

    Your questioning follows the "who cares if water expands when it freezes?" line of thinking. You're missing the second part, the idea that you have to pour it into something before it freezes in order to break that something without effort.
  • by Niten ( 201835 ) on Monday May 26, 2008 @02:17AM (#23541525)

    Thirdly, why not validate the cmd.exe before actually allowing it to run as root? This appears to have been done in XP / 2000 etc. so why not in Vista?

    And what do you suppose is going to stop the attacker from overwriting whatever program performs this validation, absent full-disk encryption coupled with a hardware security module? (And even then, what if they take a soldering iron to the TPM?)

    Face it, if an attacker already has physical access to a system -- to the extent that he can run his own Linux OS on it and mess with the contents of its disks -- then that computer is already, entirely owned. This is true for Linux, it's true for OS X, it's true for BSD, and it's true for Windows. That's just the way computers work.

    The only iceberg here is the massive crashing reality that a physically unsecured computer system is, well, insecure. Surprise.

  • Two reasons (Score:4, Interesting)

    by Sycraft-fu ( 314770 ) on Monday May 26, 2008 @02:18AM (#23541543)
    One is, of course, because it's Windows and Slashdot has this pathological need to post anything and everything they can find that makes Windows look bad, even if it is completely made up/false.

    However the other is that it seems that many geeks misunderstand security. They think that perfect security is something you can actually have, that a system can actually be invulnerable from attack. So any attack is news in their minds since they've never thought it through. This is quite evident from the comments any time a site gets hacked and there is the attitude of "It is your fault if you are stupid enough to get hacked." I always like to ask if they'd take the same view if I broke in to their house, which would be extremely easy (almost nobody has good home security).

    As you noted: When there's physical access to the system, all bets are off. Any OS level security isn't any good since the drive can just be removed and accessed directly. Heck, that's how we do data recovery at work. We don't even try to figure out if the problem is OS configuration or an actual disk error. The disk comes out, goes in to our recover system, and we get the necessary data off. Data first, diagnosis later. Once the data is safely off, then I worry about what actually went wrong.

    All security is just a matter of trying to be secure enough that anyone who wants at what you are securing can't or won't spend the effort to defeat it. There's no perfection. Even something like full disk encryption. Yes, this will defeat something like this, and also defeat someone grabbing the drive and reading it. However if they really want it, they just grab you too and force you to hand over your password. If the data was important enough that you had to plan for that contingency, you get some body guards to keep you safe. However then they simply kill your guards and get you... etc.

    Basically there isn't a be-all, end-all of security, where you are safe against everything. There is only being secure to the point that anyone who wants what you have, doesn't have the ability to get it.
  • by rdebath ( 884132 ) on Monday May 26, 2008 @02:30AM (#23541619)

    That's not the point

    Linux doesn't try to be secure against physical access, just add init=/bin/sh to the kernel command line.

    OTOH: Windows has always had this weird naivety that passwords will protect the OS from the guy sitting in front of the PC.

  • by _xeno_ ( 155264 ) on Monday May 26, 2008 @02:32AM (#23541629) Homepage Journal

    Unless you deleted the partition containing the data...but wouldn't that defeat the purpose of breaking into the system?

    Nope. Know how most worms don't actually care about the data on the machine? They just want enough control to make the machine join a bot-net and start spamming.

    In this scenario I don't care about the data on the machine. All I want to do is run programs on the machine. Sadly, the OS is password protected and I don't know the password. So I can't run programs. But if I were to replace the existing OS with a new one that I do have access to, I've done a successful attack: I now have the access I desired. I've started with no access and ended with full access.

    Yes, all encrypted data would remain unknown. But for this "attack" I don't actually care about the data. I just want to be able to run programs on the machine. (Specifically in this case, it was a lab machine that had been moved from one project to another. Whoever originally set up the machine either couldn't be contacted or had forgotten the password, I don't remember which. There's no useful data on the machine, but the machine is still useful - if only we could access it.)

    The entire point is that this is a somewhat lame attack - just like the attack in the article. It starts by assuming you manage to gain full read/write access to the drive. Amazingly enough, if you have full read/write access, gaining root access isn't terribly difficult...

  • Re:Physical Security (Score:3, Interesting)

    by Blakey Rat ( 99501 ) on Monday May 26, 2008 @02:34AM (#23541635)
    Yeah, but if you boot off a CD that's capable of reading the HD, why bother with the passwords? Just directly add your keylogger to the startup items folder or registry, or steal whatever files you were going to steal.

    The best way to block this attack, on ANY OS, is a cage with a padlock. Linux, OS X, and Windows all have single-user diagnostic modes that can easily be used with a boot disk.
  • by Anonymous Coward on Monday May 26, 2008 @04:20AM (#23542153)
    On XP, for a while, you could achieve something similar by rewriting the sticky-keys application with cmd.exe. Then, at the logon screen, you could press Shift five times to 'activate' cmd.exe with system privileges, start explorer.exe, and be ready to rock.

    I remember at the time, Microsoft said this wasn't a security issue; a few weeks later, however, a patch was issued and this trick would no longer work.

    If you read the article, it specifically says this Vista trick will not work on XP. The patch for the sticky-keys 'exploit' on XP implemented some sort of parameter to verify that, for example, sticky-keys was sticky-keys and not cmd.exe. It appears that this patch hasn't made its way to Vista.

    That's just speculation though. It's not really a dead-horse issue, to be honest, but it's hardly a major threat. You need admin privileges to overwrite the original files anyway. Besides impressing your friends, it really isn't good for very much.
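The check the comment above describes (verifying that the accessibility helper really is the accessibility helper and not a renamed cmd.exe) is something an administrator can run locally. The script below is an added example for this thread, not code from the video, Slashdot or Microsoft. It assumes the machine runs Windows with PowerShell 4.0 or later (for Get-FileHash), is run from an elevated prompt, and that the list of helper binaries is a reasonable guess at what the logon screen can launch; adjust it for your build.

```powershell
# Added example (not from the Slashdot thread): audit the accessibility helpers
# that winlogon can start before anyone logs on, and flag any that has been
# swapped for a copy of cmd.exe. Assumed helper list; extend for your build.
$system32 = Join-Path $env:SystemRoot 'System32'
$helpers  = 'utilman.exe', 'sethc.exe', 'osk.exe', 'narrator.exe', 'magnify.exe'

# Reference hash of the real command interpreter on this machine. A helper whose
# content hashes to the same value is byte-for-byte a renamed cmd.exe.
$cmdHash = (Get-FileHash -Algorithm SHA256 (Join-Path $system32 'cmd.exe')).Hash

foreach ($name in $helpers) {
    $path = Join-Path $system32 $name
    if (-not (Test-Path $path)) { continue }

    $hash = (Get-FileHash -Algorithm SHA256 $path).Hash
    $sig  = Get-AuthenticodeSignature $path
    $orig = (Get-Item $path).VersionInfo.OriginalFilename

    $findings = @()
    if ($hash -eq $cmdHash)      { $findings += 'content identical to cmd.exe' }
    if ($sig.Status -ne 'Valid') { $findings += "Authenticode status $($sig.Status)" }
    # OriginalFilename is embedded in the version resource at build time and
    # survives a rename on disk, so a value of Cmd.Exe here means the file is
    # not the helper its filename claims. String -ne is case-insensitive.
    if ($orig -and $orig -ne $name) { $findings += "embedded original name is '$orig'" }

    if ($findings.Count -gt 0) {
        Write-Warning ("{0}: {1}" -f $name, ($findings -join '; '))
    } else {
        Write-Output "$name ok"
    }
}
```

Two caveats when reading the output: a tampered file may be a cmd.exe copied from another machine or a different tool entirely, so the hash comparison alone is not conclusive and the signature and version-resource checks are the ones that matter; and on older builds where system files are catalog-signed rather than carrying an embedded signature, compare the signature status against a known-good machine of the same build before treating NotSigned as a finding.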
  • I disagree (Score:5, Interesting)

    by Mostly a lurker ( 634878 ) on Monday May 26, 2008 @04:33AM (#23542217)
    Consider: someone arrives from 10 years in the future in a time machine. OK, at the time he arrives this is news. However, at the point the individual leaves to go back in time, we have already known about this for 10 years. He may even be reusing the same time machine, if it was never used in the intervening period. How is a 10 year old story news (I am ignoring /. for the purpose of this argument)?
  • by Lost Race ( 681080 ) on Monday May 26, 2008 @05:53AM (#23542591)
    Also with physical access you can backdoor the FDE bootloader, which is of course not encrypted. That may be easier than backdooring the firmware.
  • Old trick? (Score:2, Interesting)

    by dotmar ( 1290426 ) on Monday May 26, 2008 @05:55AM (#23542599)
    Wasn't there a similar exploit a few years ago on Windows 2000? Auto start of CDs was enabled even when nobody was logged in. If you put a CD with a .bat file in the CD tray, it would start the file, which copied cmd.exe to the screensaver file. Wait a couple of minutes, and when the screensaver was supposed to be activated, a command prompt with administrator privileges pops up.
  • by DrYak ( 748999 ) on Monday May 26, 2008 @06:06AM (#23542647) Homepage

    The interesting thing is that the utility for helping impaired people is run as SYSTEM when it really doesn't have to be.
    My hunch would be that the utility has to insert some system level hooks into Windows in order to read text from every widget (window, control, or whatever you call them) in the system. This is why it needs elevated privileges.
    Yeah. But Microsoft's own good practice recommendation is that this kind of hook needs to be placed in a driver or a service (itself installed with the necessary privileges), and that the program that needs the access stays with low privileges and only accesses what it needs through the API exposed by the privileged service/driver.

    That's what all hardware monitoring and similar tools do, to avoid triggering false alarms in UAC.

    It's just strange how Windows can't even follow their own recommendations.
  • Re:Apple / OS X (Score:3, Interesting)

    by Megane ( 129182 ) on Monday May 26, 2008 @06:31AM (#23542749)

    On PowerPC it's possible to set a CD boot password in Open Firmware. (use command-option-O-F at startup to get the Open Firmware command prompt) However, Open Firmware's settings can be reset by changing the amount of RAM in the system (adding/removing a DIMM), so physical access is a problem even there.

    I don't even know if there's an equivalent to the Open Firmware command prompt in EFI.

  • by howardd21 ( 1001567 ) on Monday May 26, 2008 @07:30AM (#23543071) Homepage
    Normally I would say that parent should be modded up, and agree that it is true that most of the time hackers just want to use the machine's resources (Connectivity, etc.), not the data. But this hack requires physical access to the machine, which would mean a person probably wants to access data. It would be too much work to go to somebody's basement and do this so you use the machine as a spambot.
  • by 0xygen ( 595606 ) on Monday May 26, 2008 @07:54AM (#23543215)
    But, as the article points out, you will be able to modify the system to compromise it to such a level that you can take a copy of the BitLocker private key next time it is used.

    Physical access is always the end of the game.

    It requires something like 360's hypervisor to prevent this, and then gaining physical access to the actual die, without destroying it, could render this useless.
  • by Emperor Skull ( 680972 ) on Monday May 26, 2008 @08:06AM (#23543285)
    Change the BIOS boot order so the hard disk is the only allowed boot device.
    Enable chassis intrusion in the BIOS
    Password protect the BIOS
    Put a lock on the case.

    Not perfect, but it makes this a lot harder and a lot easier to detect.

  • by SplatMan_DK ( 1035528 ) * on Monday May 26, 2008 @08:36AM (#23543441) Homepage Journal
    The clip is made with "Camtasia", a program from TechSmith inc. [techsmith.com].

    But that product is only available for Windows, so how was it used to capture a screen video of a Linux computer? And how was it used to show a Vista computer booting (since presumably the Camtasia ScreenCam software cannot be loaded at that time)?

    No flaming intended - this is an honest question.

    :-)

    - Jesper
  • Nothing new? (Score:5, Interesting)

    by Peer ( 137534 ) on Monday May 26, 2008 @10:10AM (#23544131) Homepage
    Looks a lot like this:

    http://www.avertlabs.com/research/blog/index.php/2007/03/12/windows-vista-vulnerable-to-stickykeys-backdoor/ [avertlabs.com]

    Only thing new is using Linux to rename the file.
  • by BLKMGK ( 34057 ) <morejunk4me@@@hotmail...com> on Monday May 26, 2008 @11:10AM (#23544731) Homepage Journal
    I mostly agree with what you're saying, however the checks and balances brought to the table by a properly setup TPM push the bar so high that an attacker is going to have to be damned near a state supported entity to get the job done! :-O At what point do you declare enough is enough? I won't go into a dissertation as to how TPM works as it's lengthy and I'd probably screw it up, but you're not going to be able to just go in and modify how that hardware works to get past it easily. I don't 100% trust it or the vendors supporting it, but it does look on the surface like some fairly high effort will be required to get past it.... if it's properly setup (heh)
  • by hawk ( 1151 ) <hawk@eyry.org> on Monday May 26, 2008 @01:23PM (#23546153) Journal
    >FWIW, I LIKE Vista

    Yeah, and there's men that go to work in women's frilly underwear, but most don't brag about it on the internet! :)

    hawk
