Gaining System-Level Access To Vista

Posted by kdawson on Monday May 26, @12:51AM
from the seems-too-simple-somehow dept.
An anonymous reader writes "This video shows a method by which a user can use a Linux distro called BackTrack to gain system access to Windows Vista without logging into Windows or knowing the username or password for any accounts. To accomplish this, the user renames cmd.exe to Utilman.exe — this is the program that brings up the Accessibility options for users without sight or with limited vision. The attack takes advantage of the fact that the Utility Manager can be invoked before the user logs into the system. The user gains System access, which is a level higher than Administrator. The person who discovered this security hole claims that XP, 2000, 2003 and NT are not vulnerable to it; only Windows Vista is."

  • Cancel.... (Score:5, Funny)

    by FriendSite.com (1208220) on Monday May 26, @12:53AM (#23541001) Homepage
    Allow full root access

    Cancel or Allow...
  • by bersl2 (689221) on Monday May 26, @12:55AM (#23541011) Journal
    How is this news?
    • by zonky (1153039) on Monday May 26, @12:58AM (#23541039)
      Does it bypass the BitLocker/full drive encryption options in Vista? Physical access is not always game over....
      • by hcmtnbiker (925661) on Monday May 26, @01:09AM (#23541099)
        It won't bypass BitLocker if you have to put in a password as soon as you boot, but it might if you have it set up the other way.

        Physical access does always mean game over: bruting (most people keep their FDE passwords around 4 characters) and the possibility of plain text attacks exist on certain blocks.

        The interesting thing is that the utility for helping impaired people is run as SYSTEM when it really doesn't have to be. I had wondered this and thought about doing the same hack before ever even seeing this video; however, I didn't ever bother to do it, since the possibility of messing something up and having to revert it afterwards just seemed too annoying to me.
        • by weicco (645927) on Monday May 26, @02:12AM (#23541497)

          > The interesting thing is that the utility for helping impaired people is run as SYSTEM when it really doesn't have to be.

          My hunch would be that the utility has to insert some system level hooks into Windows in order to read text from every widget (window, control, or whatever you call them) in the system. This is why it needs elevated privileges.

          But the whole article is stupid. I "hacked" into my coworker's Win2000 installation almost a decade ago. He was on holiday and we needed something from his PC. I downloaded a nice little program from the internet, copied it to a disk, booted it and changed the admin password. Then we just logged on to his system using the new password. Wow! Maybe I should post an article to Slashdot about this!

    • by _xeno_ (155264) on Monday May 26, @01:40AM (#23541293) Homepage Journal

      No kidding. I once "hacked" into a Linux machine that had an unknown root password by booting off a live CD, sudo bashing to become root, and then it's just mount, chroot and passwd to reset the root password. (I could have also manually edited /etc/shadow but this was easier.)

      Linux is horribly insecure! I was able to reset the root password with just a live CD and complete access to the machine!

      Now of course if the hard drive had been encrypted, this "attack" wouldn't have worked. (Although in this case at least, a different attack would have worked: reinstalling the OS. Resetting the root password was faster. The data on the machine wasn't important. We just needed a working Linux installation with a known root password.)

          • by sandmtyh (560543) on Monday May 26, @01:25AM (#23541201)
            It works in XP and 2000... you just have to do the same trick with different file names.
          • by Niten (201835) on Monday May 26, @02:17AM (#23541525) Homepage

            Thirdly, why not validate the cmd.exe before actually allowing it to run as root? This appears to have been done in XP / 2000 etc. so why not in Vista?

            And what do you suppose is going to stop the attacker from overwriting whatever program performs this validation, absent full-disk encryption coupled with a hardware security module? (And even then, what if they take a soldering iron to the TPM?)

            Face it, if an attacker already has physical access to a system -- to the extent that he can run his own Linux OS on it and mess with the contents of its disks -- then that computer is already, entirely owned. This is true for Linux, it's true for OS X, it's true for BSD, and it's true for Windows. That's just the way computers work.

            The only iceberg here is the massive crashing reality that a physically unsecured computer system is, well, insecure. Surprise.

  • by websters (854886) on Monday May 26, @12:55AM (#23541021)
    A conversation amongst the developers: Dev 1: "You see - we can just rename the exe and then get the job done!" Dev 2: "Is there a risk?" Dev 1: "How? Users without sight or with limited vision will have a hard time getting to cmd.exe to rename it - dumbass!"
        • by totally bogus dude (1040246) on Monday May 26, @02:06AM (#23541451)

          Not really, the kernel is just a file or two. If you insist, then rename init to something else (e.g. a shell) and you'll get a similar effect on Linux. Or modify the inittab to run a logged-in root shell on one of the vty's. If you really think this is some special OMG VISTA IS SO INSECURE COMPARED TO EVERYTHING ELSE flaw, then you don't understand the "problem" at all.

          However I have to wonder: once you have access to the filesystem, why exactly would you bother booting into Vista and getting yourself a privileged cmd.exe? Why not just access whatever data you want from the other OS? Or does "unencrypted hard drives can be read and modified using other computers" not make a good enough headline?

          This whole thing is so completely and utterly pointless it's probably created a black hole.

  • This demonstrates that it's almost impossible to secure a machine when an attacker has unrestricted physical access. Any OS is vulnerable somehow. There are a few things that can be done (like encrypting the entire system partition), but mostly solutions are limited to restricting who has physical access.

  • PANIC (Score:5, Insightful)

    The BIOS lets you run anything! Even a whole new operating system! Unrestricted access OMG!
    • Re:PANIC (Score:5, Funny)

      by jhdevos (56359) on Monday May 26, @01:39AM (#23541277) Homepage
      Right... They should think of some system where the BIOS will only load code that was digitally signed somehow, so these atrocities are no longer possible. Personally, I will only feel safe when I know that Microsoft completely controls what goes on on my PC!
  • by Animats (122034) on Monday May 26, @01:00AM (#23541059) Homepage

    Really. If you have enough access to the machine to boot your own OS and rewrite the disk, of course you can take over the machine.

    Now if someone manages to do this from the outside, that's news.

  • Oh... (Score:5, Informative)

    by kasparov (105041) * on Monday May 26, @01:04AM (#23541081)
    So having physical access to a machine can allow you to get system-level access? Weird. Here's a hint...boot into Linux. At the grub prompt, select edit and add "single" to the line of kernel options. Short of a completely encrypted drive, you are pretty much SOL if someone has physical access to your machine. Sorry.
  • by sandmtyh (560543) on Monday May 26, @01:14AM (#23541121)
    Boot an NTFS live Linux CD, rename magnify.exe to magnify.bak, copy cmd.exe to magnify.exe. Boot to the login screen, press Windows key+U and choose "magnify the screen". System level access to anything. Also, if you are an admin in Windows XP, just run "at 12:05 /interactive cmd.exe"; at 12:05 there will be a cmd prompt that pops open (BTW you can use any time, then adjust the system clock). The cmd prompt that pops open will have system level access. Use taskmgr to kill explorer.exe, then launch explorer from the cmd prompt..... you are now SYSTEM. I have been using this for years... I was told that MS was going to sign all the EXE files to stop this attack, but guess what..... cmd.exe will still be signed. People who are surprised by this.... you might also like to know how to get remote desktop running on XP Home: http://www.geekport.com/2007/08/15/enabling-remote-desktop-in-xp-home/ [geekport.com]
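    A defender-side check for the file swap this comment and the story describe, written as an added example (it is not code from the thread, the video, or Microsoft): a PowerShell script that inspects the accessibility binaries the logon screen can launch before anyone authenticates (utilman.exe and magnify.exe, the two names mentioned in this thread) and flags any that looks like a renamed cmd.exe. Because, as the comment notes, a renamed but still signed cmd.exe passes a signature check, the script does not rely on Authenticode alone: it also compares each file's SHA-256 against the live cmd.exe and reads the OriginalFilename field from the PE version resource, which a renamed binary carries unchanged. The list of names, the System32 path and the expectation that catalog-signed system files report a 'Valid' signature on a current Windows are assumptions.

```powershell
# Added example (not from the thread): find accessibility binaries under
# System32 that are really a renamed copy of cmd.exe.
# Assumption: on a current Windows, Get-AuthenticodeSignature reports
# catalog-signed system binaries as 'Valid'.

function Test-AccessibilityBinaries {
    param(
        # Binaries the logon screen can start before authentication.
        # The two names come from the thread; extend the list as needed.
        [string[]]$Names = @('utilman.exe', 'magnify.exe'),
        [string]$System32 = (Join-Path $env:SystemRoot 'System32')
    )

    $cmdPath = Join-Path $System32 'cmd.exe'
    $cmdHash = (Get-FileHash -Algorithm SHA256 -Path $cmdPath).Hash

    foreach ($name in $Names) {
        $path = Join-Path $System32 $name
        if (-not (Test-Path -Path $path)) { continue }

        $findings = @()

        # Signal 1: byte-identical to the current cmd.exe, i.e. the plain
        # copy-and-rename shown in the video.
        $hash = (Get-FileHash -Algorithm SHA256 -Path $path).Hash
        if ($hash -eq $cmdHash) { $findings += 'content identical to cmd.exe' }

        # Signal 2: the version resource still names the original file, so a
        # renamed binary betrays itself even if cmd.exe was patched since.
        # (-ne on strings is case-insensitive in PowerShell.)
        $orig = (Get-Item -Path $path).VersionInfo.OriginalFilename
        if ($orig -and ($orig -ne $name)) {
            $findings += "OriginalFilename is '$orig'"
        }

        # Signal 3: signature status. A renamed signed binary still verifies,
        # which is exactly why this signal is not sufficient on its own.
        $sig = Get-AuthenticodeSignature -FilePath $path
        if ($sig.Status -ne 'Valid') {
            $findings += "signature status $($sig.Status)"
        }

        [pscustomobject]@{
            File       = $path
            SHA256     = $hash
            Suspicious = ($findings.Count -gt 0)
            Findings   = ($findings -join '; ')
        }
    }
}

Test-AccessibilityBinaries | Format-Table -AutoSize
```

    Run it from an elevated prompt on the live system, or point -System32 at the System32 directory of a mounted volume to inspect an image offline. It is detection after the fact only; the mitigation the rest of this thread keeps coming back to is full-disk encryption with a pre-boot secret, which stops the offline rename from happening in the first place.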
  • This is news? (Score:5, Informative)

    by atari2600 (545988) on Monday May 26, @01:18AM (#23541161)
    A few readers have already posted the utter obviousness of the lack of security when someone has physical access to a machine. Linux machine root passwords can be reset, any Windows machine's Administrator password can be blanked if there is physical access.

    Linux distro named BackTrack? Who is this kdawson and how is he such a fucking idiot? All the "elite haxors" in the video are doing are mounting the Windows filesystem in offline mode and doing two simple file operations. Again, how is this news and why is slashdot consistently posting more crap these days? Slashdot: morons for editors, shit that doesn't matter (anymore).
  • by this great guy (922511) on Monday May 26, @01:29AM (#23541229)
    • Getting Camtasia Studio to record your BackTrack & Vista sessions: free (you got the free trial version)
    • Downloading some James Bond music to put in your flash demo: free (you have got crazy peer-to-peer skillz)
    • Showing the world the amazing things you can do with physical access to a box and that it takes you 60 long secs to painfully rename cmd.exe to utilman.exe: ...priceless
  • Disk access? (Score:5, Insightful)

    by shird (566377) on Monday May 26, @01:34AM (#23541251) Homepage Journal
    If they have sufficient access to rename a file, why bother rebooting into windows? Just read/write whatever you want when you have the initial disk access. Hell, modify ntoskrnl etc if you really want to.
  • by kiwioddBall (646813) on Monday May 26, @01:44AM (#23541313) Homepage
    Reason : You need access to the system to rename the system files in the first place. To rename system files you need Admin permission.

    Definition of a security hole : A security hole allows you to gain system access when you don't have system access in the first place.
  • by WizzardX (1048000) on Monday May 26, @02:17AM (#23541527)
    I think this is a useful hack. iirc, unlike most other OS's, Vista doesn't give you "real" system level admin if you login as administrator. It reserves the highest privilege level for itself. This could be useful for disabling services, updating system files and so on, that Vista won't let you do normally.
    • Re:WTF? (Score:5, Insightful)

      by fabs64 (657132) <imfabs AT gmail DOT com> on Monday May 26, @01:24AM (#23541191)
      You mean like init? gdm? Xorg? sshd?

      Wow, if I boot a *nix machine with a rescue disk (assuming /sbin isn't encrypted) I can replace all sorts of apps that run as root with my own!

      Danger, Will Robinson.

      Seriously, as many problems as I have with Microsoft's past security practices, this does not look like anything.

    • Re:WTF? (Score:5, Insightful)

      by icebike (68054) on Monday May 26, @01:25AM (#23541205)
      > While this does require physical access, running
      > something as root before login is still incredibly
      > stupid.

      Every Unix/Linux system runs "something as root" before login. You should look at "top" some time and see what pid number 1 is and who ran it.