Gaining System-Level Access To Vista
An anonymous reader writes "This video shows a method by which a user can use a Linux distro called BackTrack to gain system access to Windows Vista without logging into Windows or knowing the username or password for any accounts. To accomplish this, the user renames cmd.exe to Utilman.exe — this is the program that brings up the Accessibility options for users without sight or with limited vision. The attack takes advantage of the fact that the Utility Manager can be invoked before the user logs into the system. The user gains System access, which is a level higher than Administrator. The person who discovered this security hole claims that XP, 2000, 2003 and NT are not vulnerable to it; only Windows Vista is."
Allow full root access
Cancel or Allow...
Light travels faster than sound. This is why some people appear bright until you hear them speak.........
How is this news?
just to go through all that research just to find a way to switch all Windows Vista cursors with the "busy" rotating wheel to confuse their users, come April Fool's Day.
A conversation amongst the developers: Dev 1: "You see - we can just rename the exe and then get the job done!" Dev 2: "Is there a risk?" Dev 1: "How? Users without sight or with limited vision will have a hard time getting to cmd.exe to rename it - dumbass!"
This same trick has been used (years ago) on previous versions of Windows. It's nothing new
This demonstrates that it's almost impossible to secure a machine when an attacker has unrestricted physical access. Any OS is vulnerable somehow. There are a few things that can be done (like encrypting the entire system partition), but mostly solutions are limited to restricting who has physical access.
Not a typewriter
The BIOS lets you run anything! Even a whole new operating system! Unrestricted access OMG!
Fascism trolls keeping me up every night. When I starts a preachin', he HITS ME WITH HIS REICH!
Really. If you have enough access to the machine to boot your own OS and rewrite the disk, of course you can take over the machine.
Now if someone manages to do this from the outside, that's news.
... IN ALL WINDOWS VERSIONS!
:)
:)
I've done this in 3.1/95 with the SHELL= variable, in 98 replacing explorer.exe, etc, and in 2000/xp by replacing the accessibility tools. (I forget the name, but try pressing shift 5 times before you login with windows XP - or after and use task manager to see what comes up)..
Writing this from Linux or I'd check
very nasty in computer labs
"During times of universal deceit, telling the truth becomes a revolutionary act" -- George Orwell
A "security hole" that requires physical access to the computer and most likely requires root access (since you need to rename some system files)?
Wow, I'm impressed. Who is the genius that discovered this?
Didn't NT have a similar issue with the screensaver?
n/t
So having physical access to a machine can allow you to get system-level access? Weird. Here's a hint...boot into Linux. At the grub prompt, select edit and add "single" to the line of kernel options. Short of a completely encrypted drive, you are pretty much SOL if someone has physical access to your machine. Sorry.
There's no place I can be, since I found Serenity.
... there seem to be a few of these "name related" hacks in Vista. Files with the string "setup" in their name are recognized as potential installers and are handled differently by the OS. We were able to work around an installation issue in Vista by renaming the installation .exe file something else. One look at this and I said to myself "WTF? Is this any way to secure an OS?"
That is all.
With the NTFS-3g Linux driver, a minimal Linux distro could be cobbled together to simply launch a script to accomplish the hack without having to learn complicated *NIX stuff.
...
Since you need physical access for this hack, no one in their right mind would ever touch someone else's computer, and Vista is the most secure operating system ever offered by Microsoft, this is obviously just an undocumented "interoperability" feature
boot NTFS live linux CD rename magnify.exe magnify.bak. copy cmd.exe to magnify.exe. boot to login screen and press windowskey+U and choose magnify the screen. system level access to anything. Also if you are an admin in windows xp, just run "at 12:05 /interactive cmd.exe" at 12:05 there will be a cmd prompt that pops open (BTW you can use any time, then adjust the system clock) the cmd prompt that pops open will have system level access. use taskmgr to kill explorer.exe then launch explorer from the cmd prompt..... you are now system.
I have been using this for years... i was told that MS was going to sign all the EXE files to stop this attack, but guess what..... cmd.exe will still be signed.
people who are surprised by this.... you might also like to know how to get remote desktop running on XP home http://www.geekport.com/2007/08/15/enabling-remote-desktop-in-xp-home/
Yep, there's the main problem right there. While everyone tries to pass this off, having access to a root account like this is pretty scary. Considering bitlocker is a feature for the business end of windows vista, most of the other versions are pretty much vulnerable. Hopefully they get this fixed soon.
This has been well-known for a LONG time - you can rename cmd.exe to Magnify.exe and then run it from the Accessibility options at the login screen. Then you can do whatever you could normally do with a command prompt process run by System - like for example, run "control Userpasswords2" and change/reset anyone's password.
WHO NEEDS SHIFT WHEN YOU HAVE CAPSLOCK/ DAMN1
IIRC there were various methods of bypassing login on Windows XP by renaming ntlogin.scr to something else, then renaming cmd.exe to ntlogin.scr. Not exactly the same hack and it has different consequences.
A few readers have already posted the utter obviousness of the lack of security when someone has physical access to a machine. Linux machine root passwords can be reset, any Windows machine's Administrator password can be blanked if there is physical access.
Linux distro named BackTrack? Who is this kdawson and how is he such a fucking idiot? All the "elite haxors" in the video are doing are mounting the Windows filesystem in offline mode and doing two simple file operations. Again, how is this news and why is slashdot consistently posting more crap these days? Slashdot: morons for editors, shit that doesn't matter (anymore).
It was a copy, not a rename.
Not to let basic facts get in your way.
Wow, if I boot a *nix machine with a rescue disk (assuming /sbin isn't encrypted) I can replace all sorts of apps that run as root with my own!
Danger, Will Robinson.
Seriously, as many problems as I have with Microsoft's past security practices, this does not look like anything.
> While this does require physical access, running
> something as root before login is still incredibly
> stupid.
Every Unix/Linux system runs "something as root" before login. You should look at "top" some time and see what pid number 1 is and who ran it.
Sig Battery depleted. Reverting to safe mode.
This is only useful if you have physical access to the machine and can remove the case (in case of BIOS passwords and boot order priority favoring the hard drive before anything else). So it can only be used in the case where you have a) forgotten all the passwords relative to that machine or b) don't have passwords to that machine.
Even in a networked environment, this access gets you very little, as a local machine admin still has no privileges on the network. So the best you can hope for here, is that the user keeps sensitive data on their local machine.
My twitter
My knowledge of modern windows (XP, Vista) isn't very good, but I've always been under the impression Administrator==root. Is that not so? Is System Access "root" or is there a more powerful level? What are the differences between Administrator, System Access, and any other more powerful levels?
Also, how do I get "root" or the most powerful level of access to an XP machine?
There are 11 types of people, those who know unary and those who don't.
It's a well-known fact that Microsoft will not fix many security holes it finds until they have been made public. I'd much rather have them forced into releasing the patch soon, as opposed to a few black hat researchers knowing and exploiting this for many years until someone else publicly posts the information.
If they have sufficient access to rename a file, why bother rebooting into windows? Just read/write whatever you want when you have the initial disk access. Hell, modify ntoskrnl etc if you really want to.
I.O.U One Sig.
I have 5 mod points...can I mod down the OP for being completely moronic?
This attack is ancient. It used to be done in Windows 2000 by replacing the logon screen saver with cmd.exe and waiting 5 minutes.
With the ability to boot up a LiveCD, wouldn't retrieving the NTLM password hashes and cracking the passwords with rainbow tables be a better idea? The process can be done with Ophcrack within minutes on a modern PC. That way, the attack gains access to the local Administrator account but leaves no traces behind (i.e. no modification of system files).
The Administrator account would then allow the attacker to log in to Vista and launch cmd.exe at System-Level. This can be accomplished by using the Task Scheduler at.exe to run cmd.exe at the next minute.
w00t
Reason: You need access to the system to rename the system files in the first place. To rename system files you need Admin permission.
Definition of a security hole: A security hole allows you to gain system access when you don't have system access in the first place.
unless you encrypt your disk, if an attacker can cause your computer to boot off of his own media, it's all over.
if someone has installed the recovery console on the machine you can boot the recovery console using boot options screen. step two is to rename the said files, step three is of course 'profit'
This reminds me of the old Mac Control security application. It used an extension to lock out access to applications, except for a password entry dialog application. The dialog application had a special creator attribute. I simply set the creator attribute for a copy of norton disk editor which was great for fixing just about anything I wanted.
...that this post is about the fact that not much has changed since previous versions of Windows, rather than showing off the "attack", since this obviously is a trick that has worked before and is still working. At least that's how I see it.
You're not very good at puzzles, are you? First you get one piece, here it is the ability to rename an executable to execute a privilege escalation. The next piece is for anybody to find... a way to remotely rename an executable while it is being used, or during reboot, or something else more clever than one minute of my thinking during this reply.
Your questioning follows the "who cares if water expands when it freezes?" line of thinking. You're missing the second part, the idea that you have to pour it into something before it freezes in order to break that something without effort.
SYstem access (I know, *groan)
WARNING: Smartphones have side effects--most of them undocumented.
The bios won't let you boot up a Domain Controller with root access that has valid certificates to connect to an entire security infrastructure.
The bios won't let you boot up any workstation in a Windows Domain, change the local administrator password, then use that escalation to access trusted resources.
Sure, local access is weak security, and you can often boot up whatever software you want with local access, but that's the equivalent of dismembering a body or stealing a car. This is the equivalent of cat burglary, and while you're inside you can do whatever you want, take whatever you want, install whatever you want. There is a difference, and this tactic is more subtle.
It might have been a suggestion that the poster play a lot of Ultimate over the weekend so he/she would have a better chance at doing a fancy Mid-Air Correction on the disc?
Damn, that's like 3 minutes faster than taking out XP.
I think this is a useful hack. iirc, unlike most other OS's, Vista doesn't give you "real" system level admin if you login as administrator. It reserves the highest privilege level for itself. This could be useful for disabling services, updating system files and so on, that Vista won't let you do normally.
As the other dude noted, every user login process runs as root on *NIX systems. You know, because they have to. If you have sshd installed, then you have a process that runs as root accepting network connections!
Also note that if you run "su" or "passwd" as an unprivileged user, you are suddenly executing code with root privileges.
It's entirely expected that the login process runs as a super user. The only reason this is a problem is because it invokes an external command under the assumption that the external command is safe to invoke with elevated privileges. Possibly they can change it to run it with lower privileges, though it may have difficulty interacting with the logon desktop in that case.
Another possible fix would be to store a checksum for the accessibility helper program within the logon process, and verify the binary it's about to execute matches that checksum. Or embed the helper within the logon process.
Anyway, the point is the logon process always has high access to the system so it can verify the user's credentials and then start a new session as that user. Any code of this sort needs to be thoroughly audited to ensure there's no bugs that can be exploited by the user to run things they're not supposed to be able to.
One is, of course, because it's Windows and Slashdot has this pathological need to post anything and everything they can find that makes Windows look bad, even if it is completely made up/false.
However the other is that it seems that many geeks misunderstand security. They think that perfect security is something you can actually have, that a system can actually be invulnerable from attack. So any attack is news in their minds since they've never thought it through. This is quite evident from the comments any time a site gets hacked and there is the attitude of "It is your fault if you are stupid enough to get hacked." I always like to ask if they'd take the same view if I broke into their house, which would be extremely easy (almost nobody has good home security).
As you noted: When there's physical access to the system, all bets are off. Any OS level security isn't any good since the drive can just be removed and accessed directly. Heck, that's how we do data recovery at work. We don't even try to figure out if the problem is OS configuration or an actual disk error. The disk comes out, goes into our recovery system, and we get the necessary data off. Data first, diagnosis later. Once the data is safely off, then I worry about what actually went wrong.
All security is just a matter of trying to be secure enough that anyone who wants at what you are securing can't or won't spend the effort to defeat it. There's no perfection. Even something like full disk encryption. Yes, this will defeat something like this, and also defeat someone grabbing the drive and reading it. However if they really want it, they just grab you too and force you to hand over your password. If the data was important enough that you had to plan for that contingency, you get some body guards to keep you safe. However then they simply kill your guards and get you... etc.
Basically there isn't a be-all, end-all of security, where you are safe against everything. There is only being secure to the point that anyone who wants what you have, doesn't have the ability to get it.
I don't see anything needed to be fixed here. There is simply no need to patch anything.
In this particular example, it is not a security hole. Every operating system has this weakness. Anyone can do the same thing to a UNIX based OS. If I gain physical access to your computer, it doesn't matter how secure your OS is. The fact is it will break for sure.
It's news because it makes Vista sound bad, damnit. We're nerds, we can't just come out and say: "Vista sucks, and you do too." Instead, we've got to pick nits for hours at a time about the different reasons Vista sucks and why you suck for running it. And while we're on the topic of nitpicking you suck at nitpicking although your use of boolean operators is impeccable.
--
Givapedia - the Charitable Encyclopedia
Slashdot and Slashdot History
so the real question is "how does Vista - Microsoft's secure operating system - compare to something like SE-Linux?", I don't specifically know about SE-Linux, but from what I understand the usability processes would only be able to access dependencies - limiting the damage caused by this sort of thing.
Under the influence of Post-Cyberpunk Gonzo Journalism
My porn! My precious porn!!
"The fight for freedom has only just begun." - Geert Wilders
If you already have root access, passwd does not prompt you for the old password. His method is sound.
$x='S24;r)>63/* h@<5+oZ)32"5cz';$me='phroggy'x$];
$x=~y+ -xz+\0-Tx+;print$_^chop$me for split'',$x;
This is just like saying, if I let a stranger into my house, I should be absolutely SHOCKED if anything gets stolen.
If you can rename cmd.exe to Utilman.exe, you must be already an Administrator. An Administrator owns the computer, by definition. There is no "higher level" of access, there are even documented ways how Administrator can gain access to System account.
Administrator owns a Windows box. News at 11.
This is a technique I've always been a fan of. On Linux, you can install a module as a back door and configure it to load, Windows it's exploit a handicap feature. On Mac last time I had to reset the root password, I used a similar approach.
This type of hacking is always nice, but of course this is a hack which requires physical access and can generally be avoided using full disk encryption.
Still nice to see a new, effective way to change the Administrator password, could save me hours screwing with making a new BartPE with the right drivers.
So every OS should run tasks at root level without some form of verification first? I'm not saying that Linux does this (I have no idea), but in general, it's a bad idea for this to happen.
This story is both inaccurate and stupid.
Requiring the equivalent of 'root' level access (physical access to computer, or Administrative access to rename protected files) to enable an equivalent scenario is never a security hole.
On the inaccuracy; SYSTEM and a user with any of the 'Own the Computer' special privileges (elevated Vista Administrator, or an XP Administrator) are really equivalent.
The "It rather involved being on the other side of this airtight hatchway" series:
http://blogs.msdn.com/oldnewthing/archive/2007/09/20/5002739.aspx
http://blogs.msdn.com/oldnewthing/archive/2007/08/07/4268706.aspx
http://blogs.msdn.com/oldnewthing/archive/2006/05/08/592350.aspx
To my (limited) knowledge it is impossible to switch off the boot from dvd/cd option on a mac, at least this feature is hidden very well. Thereby all users with physical access and a valid installation dvd can hack your mac. Your favorite ueberhacker ;-)
If "Step #1" of any hacking scheme is "Gain physical access to the hardware", it's really not worth mentioning here.
You too can own your own machine. This has to be the lamest thing I've ever seen on Slashdot.
this is not a security hole
this is a feature
which helps you recover data after you forgot your password.
Don't forget the master linux password which lets you change any administrator pass
Another possible fix would be to store a checksum for the accessibility helper program within the logon process, and verify the binary it's about to execute matches that checksum. Or embed the helper within the logon process.
Nope. Worthless. You'd just swap in a patched version of the 'logon process' with the necessary checksum. Or with the code to check the checksum removed. And if it checks itself, or something else checks it first to detect this tampering... you just keep going backwards. Sooner or later something loads 'first'. And if -that- is compromised, game over.
Any code of this sort needs to be thoroughly audited to ensure there's no bugs that can be exploited by the user to run things they're not supposed to be able to.
That's true. But no amount of auditing can prevent someone with physical access to the machine from replacing the logon software itself with their own, that does whatever they want it to do.
The only way to do that is to have the whole 'trusted computing platform' where a tamper proofed BIOS will only run signed code -- like what we have with game consoles. Where going 'back to the first process that does checking' (as described above) is the hardware itself. Where, if it's done well and exploitable software bugs can't be found, you'd have to physically modify the hardware itself, e.g. solder in a 'modchip' to get it to boot/run something that isn't authorized, or bruteforce the digital signing keys... or something like that.
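As an added example, not code from the thread or from any poster, here is a baseline-and-verify check in Python of the kind the checksum suggestion above describes, written from the defender's side: it records known-good SHA-256 hashes of the accessibility helpers in a manifest, later re-hashes them, and flags any helper whose hash changed or whose contents are byte-for-byte identical to cmd.exe (the swap this thread is about). The directory and file contents are constructed stand-ins for System32, and the helper names (utilman.exe, sethc.exe, magnify.exe, osk.exe, logon.scr) are the ones mentioned in the thread. The reply above is right about the limit of this approach: the check only means something if the checker and its manifest are themselves protected (kept on read-only media or verified by something that loads earlier), otherwise they are just one more file to replace.

```python
import hashlib
import tempfile
from pathlib import Path

# Helpers the login screen can launch before anyone logs in, as named in the thread,
# plus the logon screensaver used by the older NT/2000 variant of the same trick.
WATCHED = ["utilman.exe", "sethc.exe", "magnify.exe", "osk.exe", "logon.scr"]
SHELL = "cmd.exe"


def sha256_of(path: Path) -> str:
    """SHA-256 of a file, hashed in chunks so large binaries are handled."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(system32: Path) -> dict:
    """Record known-good hashes; run this against a trusted, freshly installed image."""
    names = WATCHED + [SHELL]
    return {n: sha256_of(system32 / n) for n in names if (system32 / n).exists()}


def verify(system32: Path, manifest: dict) -> list:
    """Return (file, reason) findings for every watched helper that looks tampered."""
    findings = []
    shell = system32 / SHELL
    shell_hash = sha256_of(shell) if shell.exists() else None
    for name in WATCHED:
        path = system32 / name
        if not path.exists():
            findings.append((name, "missing"))
            continue
        current = sha256_of(path)
        if name in manifest and current != manifest[name]:
            findings.append((name, "hash differs from baseline"))
        # Works even with no baseline: a helper whose bytes equal cmd.exe is the
        # renamed-shell swap described in the thread, whatever its file name says.
        if shell_hash is not None and current == shell_hash:
            findings.append((name, "identical to cmd.exe"))
    return findings


def demo() -> dict:
    """Build a constructed fake System32, baseline it, simulate the swap, re-check."""
    with tempfile.TemporaryDirectory() as tmp:
        sys32 = Path(tmp)
        # Constructed placeholder contents; on a real system these are PE binaries.
        (sys32 / SHELL).write_bytes(b"constructed stand-in for cmd.exe")
        for name in WATCHED:
            (sys32 / name).write_bytes(b"constructed stand-in for " + name.encode())
        manifest = build_manifest(sys32)
        before = verify(sys32, manifest)
        # Simulate the tampering the thread describes: cmd.exe copied over utilman.exe.
        (sys32 / "utilman.exe").write_bytes((sys32 / SHELL).read_bytes())
        after = verify(sys32, manifest)
        return {"before": before, "after": after}


if __name__ == "__main__":
    result = demo()
    print("clean image:", result["before"])
    for name, reason in result["after"]:
        print(f"after swap: {name}: {reason}")
```

In practice the manifest would be generated once from a trusted install and stored somewhere the machine's own disk cannot overwrite; the "identical to cmd.exe" rule catches the specific swap even when no manifest is available, but it does not catch a helper replaced with any other program.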
Consider: someone arrives from 10 years in the future in a time machine. OK, at the time he arrives this is news. However, at the point the individual leaves to go back in time, we have already known about this for 10 years. He may even be reusing the same time machine, if it was never used in the intervening period. How is a 10 year old story news (I am ignoring /. for the purpose of this argument)?
Yeah, that's it for me. No more BIOS or boot-loader. From now on, I'm copying in those bits by hand with a specially built system of toggle switches and LEDs that interfaces directly to the MoBo. You can be d***ed sure you have to enter the root password before you can access that system. Then I can go to work on trading in the lock on my front door for something that requires root, or better yet, 3 factor auth with an RSA key fob.
For all intensive purposes, "whom" is no longer a word. That begs the question, "who cares"?
Wasn't there a similar exploit a few years ago on Windows 2000? Auto start of CDs was enabled even when nobody was logged in. If you put a CD with a .bat file in the CD tray, it would start the file which copied cmd.exe to the screensaver file. Wait a couple of minutes, and when the screensaver was supposed to be activated, a command prompt with administrator privileges pops up.
That's what all hardware monitoring and similar tools do, to avoid triggering false alarms in UAC.
It's just strange how Windows can't even follow their own recommendations.
"Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]
this is an uberlame post... here's why... this vulnerability is widely known since WINDOWS NT 4.0 (and yes it IS vulnerable along with win2k and xp and 2003) the fact that he claims that only vista is vulnerable discloses that he doesn't even understand the trick... recipe for windows nt4: copy c:\winnt\system32\default.scr c:\winnt\system32\default.scr_ && copy c:\winnt\system32\cmd.exe c:\winnt\system32\default.scr after the trick logoff and wait 15 mins: the cmd will popup instead of the screensaver (nt authority\system by the way) . recipe for win2k/XP/2003 copy cmd.exe to c:\windows\system32\sethc.exe then at the login prompt push 5 times the right-shift, a cmd will popup with a sexy sound... (system access) with vista/server 2008... I'd suggest to copy cmd.exe to osk.exe (on-screen keyboard) it is less likely a user will discover the backdoor. very very old tricks.... nicola del vacchio mcse/cissp
Even with local access, a bios password should be set to make it less easy to boot from other devices. This wouldn't be possible without access to the file system from outside of the Vista. Bios passwords aren't impenetrable but they certainly can help a lot with physical access. Stopping physical access is all very well for servers but for end user desktop systems, that is hardly practical. Where necessary, boot media devices could be physically restricted such as DVDROM/USB in addition to BIOS settings.
You mean like:
[Switch on machine, POST test, ending with boot sequence:]
LILO> linux 1
...[booting messages, ending with]...
#
?
Normal coding practice as recommended even by Microsoft themselves asks for this kind of access being done by a service or a driver, and the application should remain unprivileged and only use the API exposed by the service/driver. That's for example how every hardware sensor monitoring software does in Windows.
The situation of the Vista accessibility tools would be more similar to having SUID activated on random applications. That's something that is currently being avoided, instead people rely on kernel modules (for example: hardware monitors, virtual machines, etc.) or on services started with correct privilege (monitoring harddisk and raid) and the actual software using those.
The real WTF isn't that privilege was gained in Vista (after all, that's what always ends up happening when physical access is possible). The real WTF is that the application used in the mechanism runs at system privileges whereas it shouldn't.
I've used the same technique before to restore an XP system that no one knew the admin password to. Changed the default screensaver .scr to cmd.exe. Just booted to login, made a coffee, when I got back, cmd was open in System user.
Funnily, I think the user rights for System in XP were limited below Administrator.
- xuanyou
In Vista's situation they should have only the critical part needed by the accessibility system running in a privileged context as a driver or as a service (whichever is best suited) and the rest (such as the Accessibility options) should run unprivileged and access whatever they need only using the API.
That's not the case here, the application does run with privileges too.
Anyone else think this is just an advert for some distro. no one much has heard of?
I tried using schtasks.exe as follows:
Somehow, it worked. I got an interactive Command Prompt but it is not running as System-Level. This is the same as running the "Command Prompt" shortcut, then right-click, choose "Run as administrator".
Any clues?
w00t
w00t
Another way of doing this is to change the screensaver file (c:\Windows\logon.scr) to a cmd.exe
but renamed as logon.scr...
The only problem with that last one is waiting enough time for the screensaver to run...
When it does, just press ctrl+tab to appear in windows SYSTEM access desktop.
That last one can be used in XP as well and was never fixed.
(And for the stupid mods in the crowd, yes, I checked the UIDs. Someone's been on a 3-year sabbatical and hasn't readjusted to
Never attribute to Hanlon that which can be adequately attributed to Heinlein.
What a load of rubbish. So some guy has physical access and breaks the underlying OS. Whoa, extreme hax dude. You can do this on any OS on any platform as long as you have physical access.
!news
Super Awesome Broadband
(Anonymous/Coward is actually Anonymous/and Wise)
Whole disk encryption seems to be the answer. I use the freeware TrueCrypt. The only problem I have found with TrueCrypt is that it takes 3.5 minutes to get my Vista to boot. XP boots instantly with TrueCrypt.
Enable chassis intrusion in the BIOS
Password protect the BIOS
Put a lock on the case.
Not perfect, but it makes this a lot harder and a lot easier to detect.
The clip is made with "Camtasia", a program from TechSmith Inc.
:-)
But that product is only available for Windows, so how was it used to capture a screen video of a Linux computer? And how was it used to show a Vista computer booting (since presumably the Camtasia ScreenCam software cannot be loaded at that time)?
No flaming intended - this is an honest question.
- Jesper
My security clearance is so high I have to kill myself if I remember I have it...
...that a lock isn't designed to keep dishonest people out. It is designed to keep honest people from trying.
ANY lock can be defeated. No lock on this planet is hackproof. As far as digital locks are concerned (what we seem to have gone off on a tangent with here rather than the OP) they're only as secure as what happens before the OS is loaded. If the OS is on the same partition as the data which needs protecting, well, that lock is about as useful as a chocolate fireguard. The second that OS starts loading or any other (liveCD) OS mounts that drive, the encryption is shown for the snake oil that it is.
Operation Guillotine is in effect.
I have an exploit for getting complete access to anyone's house and all their possessions.
All you need is for the owner of the house to give you their keys, the codes to disable the burglar alarm, the name of the dog so that you can woo him with "ahhh, Rex, what a nice puppy you are", and hopefully let you know in advance when they will be on holiday, so you won't be disturbed.
WOW, I AM THE HAXXOR OF ALL YOUR HOUSES. ALL YOUR HOUSE BELONG TO US.
FFS, enough with these non-exploit exploits.
Anyone who has physical access to your PC means it's owned already. They can rip off the cover, add in a 2nd hard disk, swap over the disks in BIOS and boot, and still have access to all your files.
Isn't this just another case of some "security researcher" shouting to the world "what a clever boy I am" ?
Sheesh. When I first heard about this trick, it was done by replacing the logon screensaver (logon.scr) with cmd.exe under NT4 SP6.
No doubt next thing we'll be hearing about the amazing new idea of dumping a malicious file called "My.exe" in the root of the C drive.
I've got an even more potent hack:
1. Insert ANY Linux boot disc
2. Replace Vista with Linux
3. wait for the weak-ass installer to finish
4. ???
5. SYSTEM LEVEL ACCESS!!!!!!!
Any imbecile can rootkit an OS if they have boot access to the damned thing. Now I'm going to go break into my own car by reaching through the open window and pushing the unlock button! OMG l33t!
-Billco, Fnarg.com
In other news, given physical access a user can get root access to a Linux box. To accomplish this, the user renames /bin/sh to /sbin/init — this is the program that makes sure that anything ever gets done on a Unix system. The person who discovered this security hole claims that XP, 2000, 2003 and NT are not vulnerable to it; only Unix-like systems are.
If you cross reference the first three octets of the MAC address, you can come up with the Organizationally Unique Identifier, or OUI. That can be x-refed to a chart of manufacturers and therefore can be used to "fingerprint" many network devices.
Grandpa: My Homer is not a communist. He may be a liar, a pig, an idiot, a communist, but he is not a porn star.
probably the most ridiculous "hack" ever.. its basically hacking a system to which you already have access.. lame.
Just copy the password files and crack them at your leisure. No need to install some extra software that might get noticed. Take the password files and leave no trace you were there.
Looks a lot like this:
http://www.avertlabs.com/research/blog/index.php/2007/03/12/windows-vista-vulnerable-to-stickykeys-backdoor/
Only thing new is using Linux to rename the file.
I'm no security expert, but this is pretty weak, as mentioned previously here.
Am I the only one that thinks he types way too slow. jeez, lrn2type.
See the problem with that is that you had to use someone else's program to do this - it wasn't just something you could do. Someone had to reverse how the SAM was storing passwords blah blah. Plus now you have hosed up your "friends" password and he will know you have been playing on his machine when he gets back. See, that's not really kewl....
:-P
What you should have done that would have been more impressive would be to boot off a Linux CD and rename the SAM file. Then when the machine was booted again the Administrator password would have been BLANK. You could then have retrieved whatever information you wanted from your "friend's" computer, renamed the SAM back to its correct name, and when he returned his password would have been the same. This would have been much nicer for your "friend" and far more impressive since you would not have had to rely on someone reversing the password storage format of the SAM file - which BTW has changed a few times. Microsoft even started using SALT, the nerve!
Anyway, the rename method would have worked out of the box without any "boring" reverse work on someone else's part and would take advantage of a stupid oversight on Microsoft's work - just like this hack does. FWIW, I LIKE Vista and know that in general it's more secure than XP. That Microsoft was so STUPID as to allow something like this to work doesn't surprise me but it does disappoint me. Hopefully they don't fix it before I've had a chance to show a "friend" how it works.
Build it, Drive it, Improve it! Hybridz.org
All bets on security are off when the attacker has physical access, end of story.
And THIS is why 2-part protection is the best way to go. A USB or other device you keep on your person and a password you keep in your head. By all means slap a keylogger on there, it will not retrieve what has been stored on the physical device. Better yet use one of those FOBS with the rolling numbers and you cannot simply copy the device while the person sleeps. Probably some vulns there too but geez, just how far are you willing to go here? (lol)
Build it, Drive it, Improve it! Hybridz.org
It is pretty sad when all they do around here is basically criticize the U.S., give NASA crap and kiss the EU's ass, daily FUD about MS and the daily copyright/RIAA.
Yeah, it's pretty sad how some folks actually care enough about the country being destroyed by politicians, lawyers, and monopolistic companies that they are motivated enough to complain about it.
Just blindly accepting the downward spiral of the nation would be so much cooler.
Soldering iron to the TPM? The TPM has to be unlocked to get the key to unlock the encrypted partition. The TPM has to take "measures" on the hardware before it will unlock. Simply swapping out the TPM with a "soldering iron" buys you nothing - you have removed the one device that would, in a properly setup system, contain the key to the crypto!
You really ought to read up on TPM, it's a bit stronger than you have ASSumed. That's *if* the vendors have followed the spec, not backdoored THEIR drivers, and the crypto is really as good as they say etc. Lots of ifs but there's nothing better that I'm aware of IF you can manage to get it all set up correctly. Heh, bet that's a picnic!
Build it, Drive it, Improve it! Hybridz.org
What's purple and commutes? An Abelian grape.
I mostly agree with what you're saying, however the checks and balances brought to the table by a properly set up TPM push the bar so high that an attacker is going to have to be damned near a state supported entity to get the job done! :-O At what point do you declare enough is enough? I won't go into a dissertation as to how TPM works as it's lengthy and I'd probably screw it up, but you're not going to be able to just go in and modify how that hardware works to get past it easily. I don't 100% trust it or the vendors supporting it but it does look on the surface like some fairly high effort will be required to get past it.... if it's properly set up (heh)
Build it, Drive it, Improve it! Hybridz.org
No no, he meant Mandatory Access Control!
Quisque verborum suorum optimus interpres...
Add this line in the bootloader...
/bin/bash, but /bin/sh or any valid shell should work.
init=/bin/bash
It bypasses the init process (and all of the login requirements therein) to dump you straight to the *bash shell.
*Assumes bash is in the path
As long as you can write on the filesystem you can do whatever you want with the system. On XP you can install a specially crafted GINA DLL logging you in as any user you want; you probably can add a service running as LocalSystem in the registry and even get remote access to the machine this way. In Linux you could replace init by sh and you'll be root. File system encryption will indeed be a problem, provided the user cannot find a way to get the key, because if Vista doesn't prompt the user for a key, it's obviously stored somewhere.
Roll back the clock a couple of decades. Microsoft was the #2 violator of the Macintosh programming standards and rules. #1, of course, was Apple . . .
Thus on system software changes, guess which two manufacturers' software broke the most often.
hawk
When booting select single user mode on GRUB and you can get root! No kidding! Proof that Windows has better security than linux!
>However I have to wonder: once you have access to the filesystem, why exactly would you bother booting into Vista and getting yourself a privileged cmd.exe? Why not just access whatever data you want from the other OS?
Here's an example that's come up when I've done forensics work. Suppose you need information such as a stored password that lives in Windows's "protected storage". Conceptually, it's encrypted based on the user's login. You can maybe reverse-engineer the encryption and brute-force the password, or use chntpw to change the password (yes, of COURSE you do this on a copy and not the original) and log in, or bypass the limitations of chntpw and go straight for root access.
>short of a completely encrypted drive, you are pretty much SOL if someone has physical access to your machine.
Even that doesn't help if the encryption relies on a password rather than a key from some physical token. The person with physical access can just plug in a hardware keylogger and record the password.
I use the free TrueCrypt and do a whole disk encryption. On my XP machine, the boot is instantaneous. On my Vista machine, boot takes 3.5 minutes.
You misspelled "gooed".
Personally, I will only feel safe when I know that Microsoft completely controls what goed on on my PC!
If you have physical access to the machine and can boot a Linux disk and you can read/write the main disk, then you can read it, and change anything on it. I'm sure there are millions of things you can do to be able to get it to reboot as a usable Windows, or you can just stay in Linux and copy all the secret information you want off the disk.
I just can't see how this is a story. It's not a mistake on Microsoft's part. You can replace init on Linux if you want and reboot with full access.
The page linked to requires Javascript - NoScript prevents it. http://www.offensive-security.com/movies/vistahack/vistahack.html
Unless you take the case off, remove all floppy, cdrom, usb, firewire cables and then seal your pc in about 50kg of cemeric chip compound, you're not going to stop anyone with physical access getting in your machine...
It just ain't going to happen.. physical access == all bets are off
The only ones who really care about security, have something sufficiently valuable to protect and the technical know-how to do it are generally enterprises. BitLocker, TPM and 2-factor ID are complex and generally beyond the capability of home or small businesses. Even if BitLocker was available on Home I don't think many people would use it (most home users don't even use passwords.)
Microsoft software is really targeted at an enterprise ecosystem--that's why you really see big deployments of non-MS software at large (> 1000 employees) firms.
We fear social contact so much we need to find hacks so we don't have to talk on the phone.
What, you think that SE-Linux doesn't run init? Every OS has to run processes before the system is logged onto, otherwise what the hell is supposed to process the logon? This is not a security issue in the sense of the OS, so comparing SE to Vista is a moot point as they are both equally vulnerable to someone having physical unfettered access to change the disk's content.
Given you have to already be an admin to do this (assuming you don't have physical access) this isn't really surprising.
Guess what, if you are root on linux you can rename files to start up in the same way.
If a security 'threat' needs you to be admin first or have physical access then it is not a threat, because you already have the privilege you need.
For example admins can use the AT scheduler to pop up a command window as system at their time of choice etc.
The original poster is an idiot.
perhaps an allow or deny screen before executing the magnifier would have made them think twice? ;)
Has anybody noticed that the first post is usually just a piece of junk? I think it's because it takes more time to create a good post than a piece of junk.
Martin
Is there anything it can't do?
Just rename cmd.exe to the name of the logon screen saver and wait five minutes, same effect.
actually, it's 'mission impossible' - not james bond. you got your spies mixed up...
Ask Me About... The 80's!
Yes, linux can decrypt bitlocker volumes
Understanding the Internals of BitLocker Encryption system Vista.
NVbit is a linux fuse driver to access Windows Vista's Bitlocker Volumes from linux, provided you have the right keys.
A white-paper and supporting presentation is also available.
The research was done around a year ago. Work was stopped prematurely, so don't expect things in clean/finished shape. The code is in alpha state.
Both the paper and presentation are incomplete draft versions. However, missing things can be referred from the nvbit source code. NVbit allows read-only access. (Though writing can be done just in reverse order, it still doesn't exist for now.)
check these links
http://ww.nvlabs.in/node/9
http://www.nvlabs.in