Gaining System-Level Access To Vista
An anonymous reader writes "This video shows a method by which a user can use a Linux distro called BackTrack to gain system access to Windows Vista without logging into Windows or knowing the username or password for any accounts. To accomplish this, the user renames cmd.exe to Utilman.exe — this is the program that brings up the Accessibility options for users without sight or with limited vision. The attack takes advantage of the fact that the Utility Manager can be invoked before the user logs into the system. The user gains System access, which is a level higher than Administrator. The person who discovered this security hole claims that XP, 2000, 2003 and NT are not vulnerable to it; only Windows Vista is."
Allow full root access
Cancel or Allow...
Light travels faster than sound. This is why some people appear bright until you hear them speak.........
How is this news?
A conversation amongst the developers: Dev 1: "You see - we can just rename the exe and then get the job done!" Dev 2: "Is there a risk?" Dev 1: "How? Users without sight or with limited vision will have a hard time getting to cmd.exe to rename it - dumbass!"
This demonstrates that it's almost impossible to secure a machine when an attacker has unrestricted physical access. Any OS is vulnerable somehow. There are a few things that can be done (like encrypting the entire system partition), but mostly solutions are limited to restricting who has physical access.
Not a typewriter
The BIOS lets you run anything! Even a whole new operating system! Unrestricted access OMG!
Fascism trolls keeping me up every night. When I starts a preachin', he HITS ME WITH HIS REICH!
Really. If you have enough access to the machine to boot your own OS and rewrite the disk, of course you can take over the machine.
Now if someone manages to do this from the outside, that's news.
So having physical access to a machine can allow you to get system-level access? Weird. Here's a hint...boot into Linux. At the grub prompt, select edit and add "single" to the line of kernel options. Short of a completely encrypted drive, you are pretty much SOL if someone has physical access to your machine. Sorry.
There's no place I can be, since I found Serenity.
... there seem to be a few of these "name related" hacks in Vista. Files with the string "setup" in their name are recognized as potential installers and are handled differently by the OS. We were able to work around an installation issue in Vista by renaming the installation .exe file something else. One look at this and I said to myself "WTF? Is this any way to secure an OS?"
That is all.
Boot an NTFS live Linux CD, rename magnify.exe to magnify.bak, copy cmd.exe to magnify.exe, boot to the login screen and press Windows key+U and choose magnify the screen. System level access to anything. Also if you are an admin in Windows XP, just run "at 12:05 /interactive cmd.exe"; at 12:05 there will be a cmd prompt that pops open (BTW you can use any time, then adjust the system clock). The cmd prompt that pops open will have system level access. Use taskmgr to kill explorer.exe then launch explorer from the cmd prompt..... you are now system.
I have been using this for years... I was told that MS was going to sign all the EXE files to stop this attack, but guess what..... cmd.exe will still be signed.
People who are surprised by this.... you might also like to know how to get remote desktop running on XP home http://www.geekport.com/2007/08/15/enabling-remote-desktop-in-xp-home/
This has been well-known for a LONG time - you can rename cmd.exe to Magnify.exe and then run it from the Accessibility options at the login screen. Then you can do whatever you could normally do with a command prompt process run by System - like for example, run "control Userpasswords2" and change/reset anyone's password.
WHO NEEDS SHIFT WHEN YOU HAVE CAPSLOCK/ DAMN1
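A defender's check for the rename trick described in this comment and the earlier magnify.exe one, as an added example that is not from the thread: it hashes the accessibility helpers the logon screen launches as SYSTEM and flags any whose content now matches cmd.exe or differs from a recorded known-good baseline. The System32 stand-in and its file contents are constructed; sethc.exe (StickyKeys) is included on the strength of the AvertLabs post linked further down.

```python
import hashlib
import tempfile
from pathlib import Path
from typing import Dict, Optional

# Helpers the logon screen launches as SYSTEM before anyone signs in: Utilman.exe and
# magnify.exe from the thread, sethc.exe (StickyKeys) from the linked AvertLabs post.
ACCESSIBILITY_HELPERS = ("utilman.exe", "magnify.exe", "sethc.exe")

def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large binaries are not read into memory at once."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()

def build_baseline(system32: Path) -> Dict[str, str]:
    """Record known-good hashes of the helpers (take this from a trusted, clean install)."""
    return {n: sha256_of(system32 / n) for n in ACCESSIBILITY_HELPERS if (system32 / n).exists()}

def find_swapped_helpers(system32: Path, baseline: Optional[Dict[str, str]] = None) -> Dict[str, str]:
    """Return {helper: reason}: content identical to cmd.exe (the rename trick) or hash off baseline."""
    findings: Dict[str, str] = {}
    cmd = system32 / "cmd.exe"
    cmd_hash = sha256_of(cmd) if cmd.exists() else None
    for name in ACCESSIBILITY_HELPERS:
        path = system32 / name
        if not path.exists():
            continue
        digest = sha256_of(path)
        if cmd_hash is not None and digest == cmd_hash:
            findings[name] = "identical to cmd.exe"
        elif baseline and name in baseline and baseline[name] != digest:
            findings[name] = "hash differs from baseline"
    return findings

def demo() -> Dict[str, str]:
    """Constructed stand-in for System32: magnify.exe swapped for cmd.exe, utilman.exe altered."""
    with tempfile.TemporaryDirectory() as tmp:
        s32 = Path(tmp)
        (s32 / "cmd.exe").write_bytes(b"MZ constructed cmd.exe")
        (s32 / "utilman.exe").write_bytes(b"MZ constructed utilman.exe")
        (s32 / "magnify.exe").write_bytes(b"MZ constructed magnify.exe")
        baseline = build_baseline(s32)  # taken while the files are still genuine
        (s32 / "magnify.exe").write_bytes(b"MZ constructed cmd.exe")  # the rename trick
        (s32 / "utilman.exe").write_bytes(b"MZ constructed other tool")  # some other swap
        return find_swapped_helpers(s32, baseline)
```

Call demo() for the constructed case; for a real check, point find_swapped_helpers at the System32 directory of a mounted (offline) Windows volume and compare against a baseline captured from a clean install.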
A few readers have already posted the utter obviousness of the lack of security when someone has physical access to a machine. Linux machine root passwords can be reset, any Windows machine's Administrator password can be blanked if there is physical access.
Linux distro named BackTrack? Who is this kdawson and how is he such a fucking idiot? All the "elite haxors" in the video are doing are mounting the Windows filesystem in offline mode and doing two simple file operations. Again, how is this news and why is slashdot consistently posting more crap these days? Slashdot: morons for editors, shit that doesn't matter (anymore).
Wow, if I boot a *nix machine with a rescue disk (assuming /sbin isn't encrypted) I can replace all sorts of apps that run as root with my own!
danger will robinson.
Seriously, as many problems as I have with Microsoft's past security practices, this does not look like anything.
> While this does require physical access, running
> something as root before login is still incredibly
> stupid.
Every Unix/Linux system runs "something as root" before login. You should look at "top" some time and see what pid number 1 is and who ran it.
Sig Battery depleted. Reverting to safe mode.
My knowledge of modern windows (XP, Vista) isn't very good, but I've always been under the impression Administrator==root. Is that not so? Is System Access "root" or is there a more powerful level? What are the differences between Administrator, System Access, and any other more powerful levels?
Also, how do I get "root" or the most powerful level of access to an XP machine?
There are 11 types of people, those who know unary and those who don't.
If they have sufficient access to rename a file, why bother rebooting into windows? Just read/write whatever you want when you have the initial disk access. Hell, modify ntoskrnl etc if you really want to.
I.O.U One Sig.
With the ability to boot up a LiveCD, wouldn't retrieving the NTLM password hashes and cracking the passwords with rainbow tables be a better idea? The process can be done with Ophcrack within minutes on a modern PC. That way, the attack gains access to the local Administrator account but leaves no traces behind (i.e. no modification of system files).
The Administrator account would then allow the attacker to log into Vista and launch cmd.exe at System-Level. This can be accomplished by using the Task Scheduler at.exe to run cmd.exe at the next minute.
w00t
Reason: You need access to the system to rename the system files in the first place. To rename system files you need Admin permission.
Definition of a security hole: A security hole allows you to gain system access when you don't have system access in the first place.
You're not very good at puzzles, are you? First you get one piece, here it is the ability to rename an executable to execute a privilege escalation. The next piece is for anybody to find... a way to remotely rename an executable while it is being used, or during reboot, or something else more clever than one minute of my thinking during this reply.
Your questioning follows the "who cares if water expands when it freezes?" line of thinking. You're missing the second part, the idea that you have to pour it into something before it freezes in order to break that something without effort.
I think this is a useful hack. IIRC, unlike most other OSes, Vista doesn't give you "real" system level admin if you login as administrator. It reserves the highest privilege level for itself. This could be useful for disabling services, updating system files and so on, that Vista won't let you do normally.
One is, of course, because it's Windows and Slashdot has this pathological need to post anything and everything they can find that makes Windows look bad, even if it is completely made up/false.
However the other is that it seems that many geeks misunderstand security. They think that perfect security is something you can actually have, that a system can actually be invulnerable from attack. So any attack is news in their minds since they've never thought it through. This is quite evident from the comments any time a site gets hacked and there is the attitude of "It is your fault if you are stupid enough to get hacked." I always like to ask if they'd take the same view if I broke in to their house, which would be extremely easy (almost nobody has good home security).
As you noted: When there's physical access to the system, all bets are off. Any OS level security isn't any good since the drive can just be removed and accessed directly. Heck, that's how we do data recovery at work. We don't even try to figure out if the problem is OS configuration or an actual disk error. The disk comes out, goes in to our recover system, and we get the necessary data off. Data first, diagnosis later. Once the data is safely off, then I worry about what actually went wrong.
All security is just a matter of trying to be secure enough that anyone who wants at what you are securing can't or won't spend the effort to defeat it. There's no perfection. Even something like full disk encryption. Yes, this will defeat something like this, and also defeat someone grabbing the drive and reading it. However if they really want it, they just grab you too and force you to hand over your password. If the data was important enough that you had to plan for that contingency, you get some body guards to keep you safe. However then they simply kill your guards and get you... etc.
Basically there isn't a be-all, end-all of security, where you are safe against everything. There is only being secure to the point that anyone who wants what you have, doesn't have the ability to get it.
My porn! My precious porn!!
"The fight for freedom has only just begun." - Geert Wilders
If you already have root access, passwd does not prompt you for the old password. His method is sound.
$x='S24;r)>63/* h@<5+oZ)32"5cz';$me='phroggy'x$];
$x=~y+ -xz+\0-Tx+;print$_^chop$me for split'',$x;
this is not a security hole
this is a feature
which helps you recover data after you forgot your password.
Consider: someone arrives from 10 years in the future in a time machine. OK, at the time he arrives this is news. However, at the point the individual leaves to go back in time, we have already known about this for 10 years. He may even be reusing the same time machine, if it was never used in the intervening period. How is a 10 year old story news (I am ignoring /. for the purpose of this argument)?
Wasn't there a similar exploit a few years ago on Windows 2000? Auto start of CDs was enabled even when nobody was logged in. If you put a CD with a .bat file in the CD tray, it would start the file, which copied cmd.exe to the screensaver file. Wait a couple of minutes, and when the screensaver was supposed to be activated, a command prompt with administrator privileges pops up.
That's how all hardware monitoring and similar tools do it, to avoid triggering false alarms in UAC.
It's just strange how Windows can't even follow their own recommendations.
"Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]
On PowerPC it's possible to set a CD boot password in Open Firmware. (use command-option-O-F at startup to get the Open Firmware command prompt) However, Open Firmware's settings can be reset by changing the amount of RAM in the system (adding/removing a DIMM), so physical access is a problem even there.
I don't even know if there's an equivalent to the Open Firmware command prompt in EFI.
#naabhaprzrag, #sverubfr-000, #agi-fcbafberq, negvpyr[pynff*=' negvpyr-ary-'] { qvfcynl: abar !vzcbegnag; }
I've used the same technique before to restore an XP system that no one knew the admin password to. Changed the default screensaver .scr to cmd.exe. Just booted to login, made a coffee, when I got back, cmd was open in System user.
Funnily, I think the user rights for System in XP were limited below Administrator.
- xuanyou
You can also set a password for EFI on Intel-based Macs.
See http://support.apple.com/kb/HT1352
(also covers setting the password on Open Firmware PowerPC)
Enable chassis intrusion in the BIOS
Password protect the BIOS
Put a lock on the case.
Not perfect, but it makes this a lot harder and a lot easier to detect.
The clip is made with "Camtasia", a program from TechSmith Inc.
:-)
But that product is only available for Windows, so how was it used to capture a screen video of a Linux computer? And how was it used to show a Vista computer booting (since presumably the Camtasia ScreenCam software cannot be loaded at that time)?
No flaming intended - this is an honest question.
- Jesper
My security clearance is so high I have to kill myself if I remember I have it...
Looks a lot like this:
http://www.avertlabs.com/research/blog/index.php/2007/03/12/windows-vista-vulnerable-to-stickykeys-backdoor/
Only thing new is using Linux to rename the file.
See the problem with that is that you had to use someone else's program to do this - it wasn't just something you could do. Someone had to reverse how the SAM was storing passwords blah blah. Plus now you have hosed up your "friends" password and he will know you have been playing on his machine when he gets back. See, that's not really kewl....
:-P
What you should have done that would have been more impressive would be to boot off a Linux CD and rename the SAM file. Then when the machine was booted again the Administrator password would have been BLANK. You could then have retrieved whatever information you wanted from your "friends" computer, renamed the SAM back to its correct name, and when he returned his password would have been the same. This would have been much nicer for your "friend" and far more impressive since you would not have had to rely on someone reversing the password storage format of the SAM file - which BTW has changed a few times. Microsoft even started using SALT, the nerve!
Anyway, the rename method would have worked out of the box without any "boring" reverse work on someone else's part and would take advantage of a stupid oversight on Microsoft's work - just like this hack does. FWIW, I LIKE Vista and know that in general it's more secure than XP. That Microsoft was so STUPID as to allow something like this to work doesn't surprise me but it does disappoint me. Hopefully they don't fix it before I've had a chance to show a "friend" how it works
Build it, Drive it, Improve it! Hybridz.org
What's purple and commutes? An Abelian grape.
I mostly agree with what you're saying however the checks and balances brought to the table by a properly setup TPM push the bar so high that an attacker is going to have to be damned near a state supported entity to get the job done! :-O At what point do you declare enough is enough? I won't go into a dissertation as to how TPM works as it's lengthy and I'd probably screw it up but you're not going to be able to just go in and modify how that hardware works to get past it easily. I don't 100% trust it or the vendors supporting it but it does look on the surface like some fairly high effort will be required to get past it.... if it's properly setup (heh)
Build it, Drive it, Improve it! Hybridz.org
Add this line in the bootloader...
init=/bin/bash
It bypasses the init process (and all of the login requirements therein) to dump you straight to the *bash shell.
*Assumes bash is in the path /bin/bash, but /bin/sh or any valid shell should work.
It is dangerous to be right when the government is wrong.
Roll back the clock a couple of decades. Microsoft was the #2 violator of the Macintosh programming standards and rules. #1, of course, was Apple . . .
Thus on system software changes, guess which two manufacturers' software broke the most often.
hawk