Gaining System-Level Access To Vista

← Back to Stories (view on slashdot.org)

Gaining System-Level Access To Vista

Posted by kdawson on Sunday May 25, 2008 @04:51PM from the seems-too-simple-somehow dept.

An anonymous reader writes "This video shows a method by which a user can use a Linux distro called BackTrack to gain system access to Windows Vista without logging into Windows or knowing the username or password for any accounts. To accomplish this, the user renames cmd.exe to Utilman.exe — this is the program that brings up the Accessibility options for users without sight or with limited vision. The attack takes advantage of the fact that the Utility Manager can be invoked before the user logs into the system. The user gains System access, which is a level higher than Administrator. The person who discovered this security hole claims that XP, 2000, 2003 and NT are not vulnerable to it; only Windows Vista is."

52 of 412 comments (clear)

Cancel.... by FriendSite.com · 2008-05-25 16:53 · Score: 5, Funny

Allow full root access

Cancel or Allow...
physical access == game over by bersl2 · 2008-05-25 16:55 · Score: 5, Insightful

How is this news?
1. Re:physical access == game over by zonky · 2008-05-25 16:58 · Score: 5, Insightful
  
  Does it bypass the bitlocker/full drive encyption options in vista? Physical access is not always game over....
2. Re:physical access == game over by hcmtnbiker · 2008-05-25 17:09 · Score: 5, Informative
  
  It wont bypass bitlocker if you have to put in a password as soon as you boot, but it might if you have it set up the other way.
  
  Physical access does always mean game over, bruting(most people keep thier FDE passwords around 4 characters) and the possibility of plain text attacks exist on certain blocks.
  
  The interesting thing is that the utility for helping impaired people is run as SYSTEM when it really doesn't have to be. I had wondered this and thought about doing the same hack before ever even seeing this video, however didn't ever bother to do it, the possibility of messing something up and having to revert it after just seemed too annoying to me.
  
  --
  If i had one dollar for every brain you dont have, i would have $1.
3. Re:physical access == game over by sandmtyh · 2008-05-25 17:25 · Score: 5, Informative
  
  it works in xp and 2000... you just have to do the same trick with diffrent file names.
4. Re:physical access == game over by _xeno_ · 2008-05-25 17:40 · Score: 5, Interesting
  
  No kidding. I once "hacked" into a Linux machine that had an unknown root password by booting off a live CD, sudo bashing to become root, and then it's just mount, chroot and passwd to reset the root password. (I could have also manually edited /etc/shadow but this was easier.)
  
  Linux is horribly insecure! I was able to reset the root password with just a live CD and complete access to the machine!
  
  Now of course if the hard drive had been encrypted, this "attack" wouldn't have worked. (Although in this case at least, a different attack would have worked: reinstalling the OS. Resetting the root password was faster. The data on the machine wasn't important. We just needed a working Linux installation with a known root password.)
  
  --
  You are in a maze of twisty little relative jumps, all alike.
5. Re:physical access == game over by Hunter-Killer · 2008-05-25 17:41 · Score: 5, Informative
  
  Parent is correct; been doing this in XP for years with C:\windows\system32\sethc.exe (StickyKeys).
  
  The article wouldn't have been newsworthy if it had merely said "Vista just as vulnerable, nothing new." Especially since the old tricks are often the first things tried with the new OS.
6. Re:physical access == game over by weicco · 2008-05-25 18:12 · Score: 5, Insightful
  
  The interesting thing is that the utility for helping impaired people is run as SYSTEM when it really doesn't have to be.
  
  My hunch would be that the utility has to insert some system level hooks into Windows in order to read text from every widget (window, control, or whatever you call them) in the system. This is why it needs elevated privileges.
  
  But the whole article is stupid. I "hacked" into my coworker's Win2000 installation almost decade ago. He was on holiday and we needed something from his PC. I downloaded nice little program from the internet, copied it to disk, booted it and changed admin password. Then we just log on to his system using the new password. Wow! Maybe I should post an article to Slashdot about this!
  
  --
  You don't know what you don't know.
7. Re:physical access == game over by Niten · 2008-05-25 18:17 · Score: 4, Interesting
  
  Thirdly, why not validate the cmd.exe before actually allowing it to run as root? This appears to have been done in XP / 2000 etc. so why not in Vista?
  And what do you suppose is going to stop the attacker from overwriting whatever program performs this validation, absent full-disk encryption coupled with a hardware security module? (And even then, what if they take a soldering iron to the TPM?)
  
  Face it, if an attacker already has physical access to a system -- to the extent that he can run his own Linux OS on it and mess with the contents of its disks -- then that computer is already, entirely owned. This is true for Linux, it's true for OS X, it's true for BSD, and it's true for Windows. That's just the way computers work.
  
  The only iceberg here is the massive crashing reality that a physically unsecured computer system is, well, insecure. Surprise.
8. Re:physical access == game over by debatem1 · 2008-05-25 18:36 · Score: 4, Funny
  
  Maybe if you did it to a Vista machine a decade ago, it would have.
9. Re:physical access == game over by Count+Fenring · 2008-05-25 19:09 · Score: 5, Funny
  
  I think we can all agree that any hack involving a time machine is newsworthy.
10. Re:physical access == game over by SynapseLapse · 2008-05-25 19:32 · Score: 4, Insightful
  
  Why so negative? It's interesting because it's a pretty egregious oversight on Microsoft's part and it's a pretty funny workaround. The joy of computers is finding intersting and clever hacks. Exactly how many articles have you posted on /.? How many Vista (A supposedly secure system) loopholes have you discovered?
11. Re:physical access == game over by debatem1 · 2008-05-25 20:20 · Score: 4, Funny
  
  For a while, anyway.
12. Re:physical access == game over by Niten · 2008-05-25 20:40 · Score: 4, Insightful
  
  That is called defence in depth. The attacker should not be able to simply boot and change system files.
  But you still don't seem to understand. Surely you should see the folly in trying to protect the integrity of the contents of a disk, by performing verification using software stored on the same disk? It is a fool's errand, a fundamentally losing proposition.
  
  I thought Vista is touting 'full disk encryption' as a great security feature! If it can be broken so easily, it is an anti-feature.
  It is a great security feature for keeping your data from being read by others if your laptop is confiscated or stolen. It is not a great security feature for keeping someone else from manipulating disk contents without special hardware support -- because in order for the computer to even boot there must be some amount of unencrypted code in the boot sector, and if you can modify that then there always exists a vector for attack.
  
  These are two different types of security you're talking about; you can't just lump it all together.
13. Re:physical access == game over by WWWWolf · 2008-05-25 20:51 · Score: 5, Insightful
  
  Secondly, which moron in Microsoft would allow 'root' level programs to run 'before' the user has logged in as root? Pretty dumb, it seems to me. Maybe they did it on purpose?
  A bit of a chicken-and-an-egg problem here: How do you propose you authenticate users without a) running the authenticating program as root, having privileges to say "okay, you're user X, let me shift the control over to you", or b) being just as exploitable by giving limited user Y the privilege of saying "okay, you're user X, let me shift the control over to you"?
  
  Linux isn't any better, you know...
  
  # ps axu | grep getty root 4825 [...] /sbin/getty 38400 tty3 root 4826 [...] /sbin/getty 38400 tty4 [...] # ps axu | grep gdm root 10691 [...] /usr/sbin/gdm root 23736 [...] /usr/sbin/gdm
  
  A better question would be to ask, "why is the login application executing random programs anyway?" or, like you said, "why isn't the login application making sure that, when it executes a random program, it actually executes the program it was supposed to execute?" but I suppose the answer to these questions is simple: "sometimes the flexibility is warranted" and "this is getting way too elaborate, giving minimal gains in actual real security" - in short, if you want to make sure utilman.exe isn't messed around with before the boot, the more feasible and elegant solution is to use full-drive encryption (which solves far more problems at one single swat), not mess around with micro-granular annoyances.
14. Re:physical access == game over by dhalgren · 2008-05-25 21:02 · Score: 4, Insightful
  
  Secondly, which moron in Microsoft would allow 'root' level programs to run 'before' the user has logged in as root? Pretty dumb, it seems to me. Maybe they did it on purpose?
  
  ts7000:~$ ps aux USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND root 1 0.0 1.7 1368 508 ? S May25 0:05 init [2]
15. Re:physical access == game over by Richard+W.M.+Jones · 2008-05-25 21:11 · Score: 4, Insightful
  
  Physical access is not always game over....
  
  With physical access you can reflash the firmware in either the BIOS or (eg) an ethernet NIC. The modified firmware will have full access to the system RAM, disks, and just about anything else (because it can DMA to/from memory and any device). So the next time the system is booted and the full-disk-encryption password is entered it is indeed game over.
  
  Rich.
  
  --
  libguestfs - tools for accessing and modifying virtual machine disk images
16. Re:physical access == game over by Kugrian · 2008-05-25 21:15 · Score: 5, Funny
  
  Face it, if an attacker already has physical access to a system -- to the extent that he can run his own Linux OS on it and mess with the contents of its disks -- then that computer is already, entirely owned. This is true for Linux, it's true for OS X, it's true for BSD, and it's true for Windows. That's just the way computers work.
  
  It's much much harder with Linux. First of all you have to work out how to lure the user out of their basement and away from their computer.
17. Re:physical access == game over by Anonymous Coward · 2008-05-25 22:07 · Score: 4, Funny
  
  Not all cripples are crippled all of the time. Sometimes they appear quite normal and then have "spak attacks" which renders them unable to function like real humans. In these cases it is imperative that they can activate sticky keys with their flailing limbs so they can save their work and exit gracefully (well, you know what I mean) from the program.
  
  Your ignorance and intolerance of cripples and mongs astounds me.
18. Re:physical access == game over by Oktober+Sunset · 2008-05-26 00:06 · Score: 5, Funny
  
  I use a 26 char password on a laptop that locks every 5 minutes.
  
  Once you get used to it, it's not too annoying at all.
  
  --
  What if Tetris was invented by Nazis?
19. Re:physical access == game over by deimtee · 2008-05-26 01:27 · Score: 4, Funny
  
  abcdefghijklmnopqrstuvwxyz ?
  
  --
  I'm guessing that wasn't on their radar screen...
20. Re:physical access == game over by ConanG · 2008-05-26 01:57 · Score: 5, Funny
  
  No, it's
  qwertyuiopasdfghjklzxcvbnm
  
  but good guess!
21. Re:physical access == game over by Barny · 2008-05-26 02:27 · Score: 5, Informative
  
  You can also use similar tricks to work around the vista Activation wizard to install drivers.
  
  When vista says "activate now or die" tap shift 5 times, opt to go to accessibility panel, now you have an explorer window running as System, you can jump to control panel, start up all the networking and windows installer services, install those pesky Lan drivers, then exit back and activate windows.
  
  This works so well now because of the heavy integration of explorer/iexplore and the configuration panel scripts.
  
  --
  ...
  /me sighs
22. Re:physical access == game over by karmatic · 2008-05-26 03:33 · Score: 5, Informative
  
  Or, you could just pay for that software you've pirated. See, no more pesky activation dialogs. But of course being Slashdot, that means that it's noble to somehow stick it to Microsoft. Did you actually read the parent? It's possible to get Vista into a state where you can't activate (online) because you lack networking drivers.
  
  Instead of using the incredibly painful phone activation, you can use this to install said LAN drivers and activate.
  
  If you're using a pirate copy, there's no pesky activation dialog either, and if you're using a crack, you don't really need LAN drivers to use it, do you?
23. Re:physical access == game over by dotancohen · 2008-05-26 04:26 · Score: 4, Insightful
  
  I use a 26 char password on a laptop that locks every 5 minutes.
  
  Once you get used to it, it's not too annoying at all. I'm sure that a cellmate love affair would not be too annoying at all after you get used to it, but there are some pleasures that I just do not want to get used to.
  
  --
  It is dangerous to be right when the government is wrong.
Is this how it was planned? by websters · 2008-05-25 16:55 · Score: 5, Funny

A conversation amongst the developers: Dev 1: "You see - we can just rename the exe and then get the job done!" Dev 2: "Is there a risk?" Dev 1: "How? Users without sight or with limited vision will have a hard time getting to cmd.exe to rename it - dumbass!"
1. Re:Is this how it was planned? by totally+bogus+dude · 2008-05-25 18:06 · Score: 5, Insightful
  
  Not really, the kernel is just a file or two. If you insist, then rename init to something else (e.g. a shell) and you'll get a similar effect on Linux. Or modify the inittab to run a logged-in root shell on one of the vty's. If you really think this is some special OMG VISTA IS SO INSECURE COMPARED TO EVERYTHING ELSE flaw, then you don't understand the "problem" at all.
  
  However I have to wonder: once you have access to the filesystem, why exactly would you bother booting into Vista and getting yourself a privileged cmd.exe? Why not just access whatever data you want from the other OS? Or does "unencrypted hard drives can be read and modified using other computers" not make a good enough headline?
  
  This whole thing is so completely and utterly pointless it's probably created a black hole.
2. Re:Is this how it was planned? by rdebath · 2008-05-25 18:59 · Score: 4, Informative
  On your second point, encrypted filesystems. If the filesystem is encrypted but the user knows the password they can:
  
  Remove the hard disk from the machine (to get past BIOS restrictions)
  
  Boot with another OS copy and use their password in that OS to unencrypt the hard disk.
  
  Encryption is designed to protect against people who don't know the password to the disk. The only way you can arrange this for people who logon to the machine is if physical to the machine doesn't mean physical access to the keys .. ie TPM. Even then it's uncertain as when you're logged into the machine the plaintext disk key must be available to the OS.
  Likewise, if the password the user enters is poor and the 256bit key is available on the hard disk (no "keyfob") you can probably get over 100bits of plaintext for a dictionary search from just the boot sector of the harddisk.
  So to avoid the attack in the FA from a third party you either need a good FDE password, so the on-disk key is used only for password changing or a keyfob that cannot be left in the machine.
  Against the user of the machine it's TPM and prayer.
Physical Security by hardburn · 2008-05-25 16:57 · Score: 4, Insightful

This demonstrates that it's almost impossible to secure a machine when an attacker has unrestricted physical access. Any OS is vulnerable somehow. There are a few things that can be done (like encrypting the entire system partition), but mostly solutions are limited to restricting who has physical access.

--
Not a typewriter
PANIC by Profane+MuthaFucka · 2008-05-25 16:59 · Score: 5, Insightful

The BIOS lets you run anything! Even a whole new operating system! Unrestricted access OMG!

--
Fascism trolls keeping me up every night. When I starts a preachin', he HITS ME WITH HIS REICH!
1. Re:PANIC by jhdevos · 2008-05-25 17:39 · Score: 5, Funny
  
  Right... They should think of some system where the BIOS will only load code that was digitally signed somehow, so these atrocities are no longer possible. Personally, I will only feel safe when I know that Microsoft completely controls what goed on on my PC!
If you can write the raw disk... by Animats · 2008-05-25 17:00 · Score: 5, Insightful

Really. If you have enough access to the machine to boot your own OS and rewrite the disk, of course you can take over the machine.
Now if someone manages to do this from the outside, that's news.
Oh... by kasparov · 2008-05-25 17:04 · Score: 4, Informative

So having physical access to a machine can allow you to get system-level access? Weird. Here's a hint...boot into Linux. At the grub prompt, select edit and add "single" to the line of kernel options. Short of a completely encrypted drive, you are pretty much SOL if someone has physical access to your machine. Sorry.

--
There's no place I can be, since I found Serenity.
DUH..... this works in 2000 and xp as well by sandmtyh · 2008-05-25 17:14 · Score: 5, Informative

boot NTFS live linux CD rename magnify.exe magnify.bak. copy cmd.exe to magnify.exe. boot to login screen and press windowskey+U and choose magnify the screen. system level access to anything. Also if you are an admin in windows xp, just run "at 12:05 /interactive cmd.exe" at 12:05 there will be a cmd promt that pops open (BTW you can use any time, then adjust the system clock) the cmd prompt that pops open will have system level access. use taskmgr to kill explorer.exe then lauch explorer from the cmd prompt..... you are now system. I have been using this for years... i was told that MS was going to sign all the EXE files to stop this attack, but guess what..... cmd.exe will still be signed. people who are surprised by this.... you might also like to know how to get remote desktop running on XP home http://www.geekport.com/2007/08/15/enabling-remote-desktop-in-xp-home/
This is news? by atari2600 · 2008-05-25 17:18 · Score: 4, Informative

A few readers have already posted the utter obviousness of the lack of security when someone has physical access to a machine. Linux machine root passwords can be reset, any Windows machine's Administrator password can be blanked if there is physical access.

Linux distro named BackTrack? Who is this kdawson and how is he such a fucking idiot? All the "elite haxors" in the video are doing are mounting the Windows filesystem in offline mode and doing two simple file operations. Again, how is this news and why is slashdot consistently posting more crap these days? Slashdot: morons for editors, shit that doesn't matter (anymore).
Re:WTF? by fabs64 · 2008-05-25 17:24 · Score: 5, Insightful

You mean like init? gdm? Xorg? sshd?
Wow, if I boot a *nix machine with a rescue disk (assuming /sbin isn't encrypted) I can replace all sorts of apps that run as root with my own!
danger will robinson.
Seriously, as many problems as I have with Microsoft's past security practices, this does not look like anything.
Re:WTF? by icebike · 2008-05-25 17:25 · Score: 5, Insightful

> While this does require physical access, running
> something as root before login is still incredibly
> stupid.

Every Unix/Linux system runs "something as root" before login. You should look at "top" some time and see what pid number 1 is and who ran it.

--
Sig Battery depleted. Reverting to safe mode.
Mastercard Ad by this+great+guy · 2008-05-25 17:29 · Score: 5, Funny
- Getting Camstasia Studio to record your BackTrack & Vista sessions: free (you got the free trial version)
- Downloading a James Bond music to put it in your flash demo: free (you have got crazy peer-to-peer skillz)
- Showing the world the amazing things you can do with physical access to a box and that it takes you 60 long secs to painfully rename cmd.exe to utilman.exe: ...priceless
Disk access? by shird · 2008-05-25 17:34 · Score: 4, Insightful

If they have sufficient access to rename a file, why bother rebooting into windows? Just read/write whatever you want when you have the initial disk access. Hell, modify ntoskrnl etc if you really want to.

--
I.O.U One Sig.
This isn't a real security hole. by kiwioddBall · 2008-05-25 17:44 · Score: 5, Insightful

Reason : You need access to the system to rename the system files in the first place. To rename system files you need Admin permission.

Definition of a security hole : A security hole allows you to gain system access when you don't have system access in the first place.
Re:Long weekend... by Anonymous Coward · 2008-05-25 18:06 · Score: 4, Informative

maybe you should shop for a MAC over the weekend Why do people insist on putting Mac in all caps? Like it's some sort of acronym or something? Unless you were suggesting shopping for Media Access Control, in which case I apologize.
This could be useful by WizzardX · 2008-05-25 18:17 · Score: 5, Insightful

I think this is a useful hack. iirc, unlike most other OS's, Vista doesn't give you "real" system level admin if you login as administrator. It reserves the highest privilege level for itself. This could be useful for disabling services, updating system files and so on, that Vista won't let you do normally.
Re:Long weekend... by Tubal-Cain · 2008-05-25 18:18 · Score: 4, Funny

[badpun]Why not just call it a NIC like everyone else?[/badpun]
Re:What idiots modded this up? by Phroggy · 2008-05-25 18:24 · Score: 4, Informative

If you already have root access, passwd does not prompt you for the old password. His method is sound.

--
$x='S24;r)>63/* h@<5+oZ)32"5cz';$me='phroggy'x$];
$x=~y+ -xz+\0-Tx+;print$_^chop$me for split'',$x;
Re:Multi-step process by gazbo · 2008-05-25 20:31 · Score: 5, Insightful

No. In order to rename the file remotely you already need root. And even ignoring that, you would still need physical access to use the newly exploited shell.
Your comment is akin to saying "Ah, but what if someone finds a way to remotely append init=/bin/bash to Grub?" There's no weakness in Linux there, as you'd need to have root on the box in order to do such a thing, and then after the shutdown -r you'd be fucked anyway as it sat at a shell 1000 miles away waiting for someone to type into the console.
I disagree by Mostly+a+lurker · 2008-05-25 20:33 · Score: 5, Interesting

Consider: someone arrives from 10 years in the future in a time machine. OK, at the time he arrives this is news. However, at the point the individual leaves to go back in time, we have already known about this for 10 years. He may even be reusing the same time machine, if it was never used in the intervening period. How is a 10 year old story news (I am ignoring /. for the purpose of this argument)?
Re:Long weekend... by WI2822 · 2008-05-25 21:56 · Score: 5, Funny

maybe you should shop for a MAC over the weekend Do you know of any good MAC addresses?
hooks should be in service or drivers by DrYak · 2008-05-25 22:06 · Score: 5, Interesting

The interesting thing is that the utility for helping impaired people is run as SYSTEM when it really doesn't have to be.
My hunch would be that the utility has to insert some system level hooks into Windows in order to read text from every widget (window, control, or whatever you call them) in the system. This is why it needs elevated privileges. Yeah. But microsoft's own good practice recommendation is that this kind of hooks need to be placed in a driver or a service (it self installed with the necessary privileges). And that the program that needs the access stay with low privileges and only access what it needs through the API exposed by the privileged service/driver.

That's how all hardware monitoring and similar tools do, to avoid triggering false alarams in UAC.

It's just strange how Windows can't even follow their own recommendations.

--
"Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]
Nothing new? by Peer · 2008-05-26 02:10 · Score: 4, Interesting

Looks alot like this:

http://www.avertlabs.com/research/blog/index.php/2007/03/12/windows-vista-vulnerable-to-stickykeys-backdoor/

Only thing new is using Linux to rename the file.
Meh, not so impressive by BLKMGK · 2008-05-26 02:26 · Score: 4, Informative

See the problem with that is that you had to use someone else's program to do this - it wasn't just something you could do. Someone had to reverse how the SAM was storing passwords blah blah. Plus now you have hosed up your "friends" password and he will know you have been playing on his machine when he gets back. See, that's not really kewl....

What you should have done that would have been more impressive would be to boot off a Linux CD and rename the SAM file. Then when the machine was booted again the Administrator password would have been BLANK. You could then have retrieved whatever information you wanted from your "friends" computer, renamed the SAM back to it's correct name, and when he returned his password would have been the same. This would have been much nicer for your "friend" and far more impressive since you would not have had to rely on someone reversing the password storage format of the SAM file - which BTW has changed a few times. Microsoft even started using SALT, the nerve!

Anyway, the rename method would have worked out of the box without any "boring" reverse work on someone else's part and would take advantage of a stupid oversight on Microsoft's work - just like this hack does. FWIW, I LIKE Vista and know that in general it's more secure than XP. That Microsoft was so STUPID as to allow something like this to work doesn't surprise me but it does dissapoint me. Hopefully they don't fix it before I've had a chance to show a "friend" how it works :-P

--
Build it, Drive it, Improve it! Hybridz.org
Re:Long weekend... by menace3society · 2008-05-26 04:45 · Score: 4, Funny

c0:ld:de:ad:be:ef:15:f0:0d
Re:Long weekend... by CanisMajor · 2008-05-26 07:02 · Score: 4, Funny

That's amazing. I've got the same combination on my luggage!