Gaining System-Level Access To Vista
An anonymous reader writes "This video shows a method by which a user can use a Linux distro called BackTrack to gain system access to Windows Vista without logging into Windows or knowing the username or password for any accounts. To accomplish this, the user renames cmd.exe to Utilman.exe — this is the program that brings up the Accessibility options for users without sight or with limited vision. The attack takes advantage of the fact that the Utility Manager can be invoked before the user logs into the system. The user gains System access, which is a level higher than Administrator. The person who discovered this security hole claims that XP, 2000, 2003 and NT are not vulnerable to it; only Windows Vista is."
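A check a defender would actually want for the swap described above, written as an added example (it is not part of the submission or of the video): hash cmd.exe and every accessibility helper that winlogon can launch before authentication, and flag any helper whose bytes match cmd.exe or whose hash differs from a known-good value. The helper list, the constructed fake System32 directory and the known-good map are assumptions for the demo; no Windows API is used, so it runs against any mounted or copied System32 directory.

```python
"""Detect the Utilman/sethc 'cmd.exe swap' backdoor on a System32 directory.

Added example, not from the original post. Hashes cmd.exe and the
accessibility helpers that the logon screen can launch pre-authentication,
and reports any helper that is byte-identical to cmd.exe or that does not
match a caller-supplied known-good hash. The helper list and the sample
directory are assumptions made for this demonstration.
"""
import hashlib
import os
import tempfile

# Helpers that winlogon can start from the logon screen, i.e. before any
# user is authenticated, so a swapped binary runs with SYSTEM privileges.
# (Assumed list; extend it for the Windows build you are checking.)
ACCESSIBILITY_HELPERS = ("Utilman.exe", "sethc.exe", "osk.exe",
                         "Narrator.exe", "Magnify.exe")


def sha256_file(path):
    """SHA-256 of a file, read in chunks so large PE files are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def find_swapped_helpers(system32, known_good=None):
    """Return {helper name: reason} for every suspicious accessibility helper.

    known_good is an optional map of helper name -> expected SHA-256 hex digest,
    which also catches the variant where the attacker drops a wrapper around
    cmd.exe instead of copying it byte for byte.
    """
    findings = {}
    cmd_path = os.path.join(system32, "cmd.exe")
    cmd_hash = sha256_file(cmd_path) if os.path.isfile(cmd_path) else None
    for name in ACCESSIBILITY_HELPERS:
        path = os.path.join(system32, name)
        if not os.path.isfile(path):
            continue
        digest = sha256_file(path)
        if cmd_hash is not None and digest == cmd_hash:
            findings[name] = "byte-identical to cmd.exe"
        elif known_good and name in known_good and digest != known_good[name]:
            findings[name] = "hash does not match known-good value"
    return findings


def build_sample_system32():
    """Constructed sample: a fake System32 where Utilman.exe was replaced by cmd.exe.

    The file contents are placeholders, not real PE images.
    """
    root = tempfile.mkdtemp(prefix="fake_system32_")
    files = {
        "cmd.exe": b"MZ fake cmd.exe body",
        "Utilman.exe": b"MZ fake cmd.exe body",  # swapped: same bytes as cmd.exe
        "sethc.exe": b"MZ fake sethc.exe body",  # untouched
        "osk.exe": b"MZ fake osk.exe body, but not the expected build",
    }
    for name, data in files.items():
        with open(os.path.join(root, name), "wb") as f:
            f.write(data)
    return root


def sample_known_good():
    """Known-good hash for the sample's osk.exe (an assumption made for the demo)."""
    return {"osk.exe": hashlib.sha256(b"MZ fake osk.exe body").hexdigest()}


if __name__ == "__main__":
    sample = build_sample_system32()
    for name, why in find_swapped_helpers(sample, sample_known_good()).items():
        print(f"{name}: {why}")
```

On a real system, point find_swapped_helpers at the System32 directory of the mounted (offline) volume rather than the running one, and feed it hashes collected from a known-clean build of the same Windows version; a plain "identical to cmd.exe" test only catches the lazy version of the swap.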
No kidding. I once "hacked" into a Linux machine that had an unknown root password by booting off a live CD, sudo bashing to become root, and then it's just mount, chroot and passwd to reset the root password. (I could have also manually edited /etc/shadow but this was easier.)
Linux is horribly insecure! I was able to reset the root password with just a live CD and complete access to the machine!
Now of course if the hard drive had been encrypted, this "attack" wouldn't have worked. (Although in this case at least, a different attack would have worked: reinstalling the OS. Resetting the root password was faster. The data on the machine wasn't important. We just needed a working Linux installation with a known root password.)
You are in a maze of twisty little relative jumps, all alike.
And what do you suppose is going to stop the attacker from overwriting whatever program performs this validation, absent full-disk encryption coupled with a hardware security module? (And even then, what if they take a soldering iron to the TPM?)
Face it, if an attacker already has physical access to a system -- to the extent that he can run his own Linux OS on it and mess with the contents of its disks -- then that computer is already, entirely owned. This is true for Linux, it's true for OS X, it's true for BSD, and it's true for Windows. That's just the way computers work.
The only iceberg here is the massive crashing reality that a physically unsecured computer system is, well, insecure. Surprise.
Consider: someone arrives from 10 years in the future in a time machine. OK, at the time he arrives this is news. However, at the point the individual leaves to go back in time, we have already known about this for 10 years. He may even be reusing the same time machine, if it was never used in the intervening period. How is a 10 year old story news (I am ignoring /. for the purpose of this argument)?
That's what all hardware monitoring and similar tools do, to avoid triggering false alarms in UAC.
It's just strange how Windows can't even follow their own recommendations.
"Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]
Looks a lot like this:
http://www.avertlabs.com/research/blog/index.php/2007/03/12/windows-vista-vulnerable-to-stickykeys-backdoor/
Only thing new is using Linux to rename the file.