Slashdot Mirror

← Back to Stories (view on slashdot.org)

Gaining System-Level Access To Vista

Posted by kdawson on from the seems-too-simple-somehow dept.

An anonymous reader writes "This video shows a method by which a user can use a Linux distro called BackTrack to gain system access to Windows Vista without logging into Windows or knowing the username or password for any accounts. To accomplish this, the user renames cmd.exe to Utilman.exe — this is the program that brings up the Accessibility options for users without sight or with limited vision. The attack takes advantage of the fact that the Utility Manager can be invoked before the user logs into the system. The user gains System access, which is a level higher than Administrator. The person who discovered this security hole claims that XP, 2000, 2003 and NT are not vulnerable to it; only Windows Vista is."

3 of 412 comments (clear)

  1. Re:physical access == game over by _xeno_ · · Score: 5, Interesting

    No kidding. I once "hacked" into a Linux machine that had an unknown root password by booting off a live CD, sudo bashing to become root, and then it's just mount, chroot and passwd to reset the root password. (I could have also manually edited /etc/shadow but this was easier.)

    Linux is horribly insecure! I was able to reset the root password with just a live CD and complete access to the machine!

    Now of course if the hard drive had been encrypted, this "attack" wouldn't have worked. (Although in this case at least, a different attack would have worked: reinstalling the OS. Resetting the root password was faster. The data on the machine wasn't important. We just needed a working Linux installation with a known root password.)

    --
    You are in a maze of twisty little relative jumps, all alike.
  2. I disagree by Mostly+a+lurker · · Score: 5, Interesting

    Consider: someone arrives from 10 years in the future in a time machine. OK, at the time he arrives this is news. However, at the point the individual leaves to go back in time, we have already known about this for 10 years. He may even be reusing the same time machine, if it was never used in the intervening period. How is a 10 year old story news (I am ignoring /. for the purpose of this argument)?

  3. hooks should be in service or drivers by DrYak · · Score: 5, Interesting

    The interesting thing is that the utility for helping impaired people is run as SYSTEM when it really doesn't have to be.
    My hunch would be that the utility has to insert some system level hooks into Windows in order to read text from every widget (window, control, or whatever you call them) in the system. This is why it needs elevated privileges. Yeah. But microsoft's own good practice recommendation is that this kind of hooks need to be placed in a driver or a service (it self installed with the necessary privileges). And that the program that needs the access stay with low privileges and only access what it needs through the API exposed by the privileged service/driver.

    That's how all hardware monitoring and similar tools do, to avoid triggering false alarams in UAC.

    It's just strange how Windows can't even follow their own recommendations.
    --
    "Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]