Thursday, 16 April 2015

Windows Password Recovery - Sticky Keys

Windows 7 and Windows 8 and 8.1 - Privilege Elevation

Sticky Keys. That accessibility feature that has been part of Windows since way back in Windows 95.  Who'd have thought that it would facilitate a privilege elevation vulnerability in a modern OS so easy to exploit that no tools or downloads are required - just an operating system CD.

This flaw has been well discussed on different websites, so I've no problem going into the detail of it here. I didn't believe that it could be possible when I first read about it, but it is really shocking that it is possible to use sticky keys to gain local administrative rights on a Windows system.  I've seen it work from Windows 7 through to Windows 8.1, so it's a problem that Microsoft clearly are not addressing.

Warning!
If you use this method to reset the password of an account, you will lose access to any EFS encrypted file areas for that user. Passwords stored in IE for that user will also be lost.
This method probably won't work if a full disk encryption product is installed on the system.

Short Version

It seems that sticky keys runs in an administrator context when it is launched from the Windows logon screen, straight after boot up.
Boot the PC off a Windows installation disk and, when presented with the language settings screen, use Shift + F10 to get a command prompt.
Copy cmd.exe over sethc.exe (the sticky keys executable), reboot and, when you reach the logon screen, use the sticky keys shortcut to activate sethc.exe, which is now cmd.exe.
Now, the world - or that PC at least - is your oyster.  Run GUI programs, copy files - you can do whatever you'd like.

Long Version

If you want to change the password of a local account on a Windows computer, these steps tell you how.

1. Insert the Windows 7 or Windows 8 (or 8.1) DVD into the computer and start it up. Choose to boot from it when prompted.
2. When you get to the Setup welcome screen and are prompted to choose your language, press Shift and F10. This will give you a command prompt.
3. Identify which drive is your system drive. It will probably be C: or D:. You will be able to tell by the contents of the Users folder on the correct drive.
4. Back up the sticky keys executable by running these commands on the correct drive:
       cd \windows\system32
       copy sethc.exe sethc-backup.exe
5. Replace the sticky keys executable with the command prompt executable:
       copy cmd.exe sethc.exe
6. Now type exit, quit Setup and let the computer boot up normally.
7. When you reach the logon screen, press the Shift key five times and a command prompt should appear. This command prompt is running in an administrative context, so you can run commands to, for example, reset an administrator account's password:
       net user administrator NewPassword123
   Or, to enable the account:
       net user administrator /active:yes


You can also use the command prompt to launch GUI tools, e.g. MMC, to gain access to Local Users and Groups, Event Viewer and more. Files can also be copied on and off the system.
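The procedure above leaves two traces on disk that a defender can look for: sethc.exe becomes a byte-for-byte copy of cmd.exe, and sethc-backup.exe is left behind in System32. The Python check below is an added example, not code from the original post; the build_demo helper and its fake binaries are constructed sample data, and the script only reads a real System32 folder when run on a Windows host.

```python
import hashlib
import os
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Hash a file in 64 KiB chunks so large binaries need not fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def check_sethc(system32: Path) -> dict:
    """Look for the two traces the walkthrough leaves in System32.

    replaced    - sethc.exe is byte-for-byte identical to cmd.exe
    backup_left - the sethc-backup.exe created by the backup step is present
    """
    sethc, cmd = system32 / "sethc.exe", system32 / "cmd.exe"
    replaced = sethc.is_file() and cmd.is_file() and sha256_of(sethc) == sha256_of(cmd)
    return {
        "replaced": bool(replaced),
        "backup_left": (system32 / "sethc-backup.exe").is_file(),
    }


def build_demo(tampered: bool) -> Path:
    """Construct a throwaway System32 folder with fake binaries (constructed sample data).

    With tampered=True it mirrors the walkthrough: sethc.exe backed up, then overwritten by cmd.exe.
    """
    s32 = Path(tempfile.mkdtemp()) / "System32"
    s32.mkdir()
    cmd_bytes, sethc_bytes = b"MZ fake cmd.exe", b"MZ fake sethc.exe"
    (s32 / "cmd.exe").write_bytes(cmd_bytes)
    if tampered:
        (s32 / "sethc-backup.exe").write_bytes(sethc_bytes)  # copy sethc.exe sethc-backup.exe
        (s32 / "sethc.exe").write_bytes(cmd_bytes)           # copy cmd.exe sethc.exe
    else:
        (s32 / "sethc.exe").write_bytes(sethc_bytes)
    return s32


if __name__ == "__main__":
    # On a Windows host inspect the real folder; elsewhere fall back to the constructed sample.
    real = Path(os.environ.get("SystemRoot", r"C:\Windows")) / "System32"
    target = real if real.is_dir() else build_demo(tampered=True)
    print(target, check_sethc(target))
```

A sethc.exe that merely differs from cmd.exe is not proven clean; comparing it against a known-good hash for the installed build is the stronger check.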

This is a very serious security flaw in Windows.  Being able to call up unauthenticated administrative access on a machine that you have physical access to is as bad as it gets and may present many organisations with significant concerns.  The fact that it is facilitated by the operating system's own installation media leaves me speechless on the topic.

I'll follow up with another blog post soon with some advice on what can be done to mitigate against this vulnerability.
