Exploit allows any application to run on top of Windows 7 login screen

visualbuffs

The exploit has been well documented for some time, but it might be a bit of a surprise to regular users just how easy it is to compromise a machine you have brief access to. An article published by Carnal0wnage writes about replacing "Sticky Keys" on the login screen for Windows 7 with the "command line" executable, which essentially could let a user make all hell break loose.
It's as simple as briefly gaining access to an elevated command prompt on a workstation and typing the following code:


REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe" /v Debugger /t REG_SZ /d "C:\windows\system32\cmd.exe"

After that, the user can return to the workstation at a later time and press the SHIFT key five times (which normally invokes sticky keys) and an elevated command prompt is launched. From there, you can launch any process -- even Explorer -- and do anything you like as you would if you were logged on.
The exploit is currently unpatched, and appears to work in both Windows 7 and Windows Server 2008 R2. Additionally, if the hack is in place, it's possible to perform a similar hack via an RDP session. Once in place, the hack is virtually undetectable aside from the registry key. Essentially, the above code sets the debugger for Sticky Keys to the executable file for the command line applet, which is run at the system level when the machine is locked.

It may seem like a trivial hack, but it has wide security implications if left unpatched. A malicious user could implement this on a workstation in the enterprise if they are disgruntled, and could come back later and copy files or destroy data from the login screen, despite their account being deactivated. It's worth noting that if the user has disabled the Sticky Keys shortcut on their workstation previously, the hack will not work.
A previous exploit existed where Utility Manager could be replaced using a Live CD, but this exploit only requires 10 seconds in front of the machine and it is in place. Microsoft is yet to comment on the exploit, but we'll be reaching out to see if they're planning on patching this soon.


Update: This same hack works on Windows 8 Consumer Preview at time of writing.
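A defender-side check for the technique described in the post, written as an added example for this thread (it is not the article's or its author's code). It audits the Image File Execution Options "Debugger" value for sethc.exe and, going beyond the article, for the other Ease of Access helpers that can be launched from the logon screen, and it verifies that the binaries in System32 still carry a valid Microsoft signature, which also catches the older file-replacement variant mentioned at the end of the post. The helper list, the function name and the -Remediate switch are assumptions of this example.

```powershell
# Added example for this thread (not the article's code). Run from an
# elevated PowerShell on the workstation being checked.

function Test-AccessibilityHijack {
    [CmdletBinding()]
    param(
        # Remove any IFEO Debugger value found (assumed remediation step).
        [switch]$Remediate
    )

    $ifeoRoot = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'

    # sethc.exe is the article's case; the rest are other Ease of Access
    # helpers reachable from the logon screen (assumed list, extend as needed).
    $helpers = 'sethc.exe', 'utilman.exe', 'osk.exe', 'narrator.exe',
               'magnify.exe', 'displayswitch.exe', 'atbroker.exe'

    $findings = @()

    foreach ($exe in $helpers) {
        # Check 1: the registry redirection the post describes. Any Debugger
        # value under IFEO\<exe> is launched in place of the helper itself.
        $key = Join-Path $ifeoRoot $exe
        if (Test-Path $key) {
            $debugger = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).Debugger
            if ($debugger) {
                $findings += [pscustomobject]@{
                    Binary = $exe
                    Check  = 'IFEO Debugger set'
                    Detail = $debugger
                }
                if ($Remediate) {
                    Remove-ItemProperty -Path $key -Name Debugger
                    Write-Verbose "Removed Debugger value from $key"
                }
            }
        }

        # Check 2: the older on-disk swap (the Live CD variant). The helper in
        # System32 should still carry a valid Microsoft Authenticode signature.
        $path = Join-Path $env:SystemRoot "System32\$exe"
        if (Test-Path $path) {
            $sig = Get-AuthenticodeSignature -FilePath $path
            if ($sig.Status -ne 'Valid' -or $sig.SignerCertificate.Subject -notmatch 'Microsoft') {
                $findings += [pscustomobject]@{
                    Binary = $exe
                    Check  = 'System32 binary not Microsoft-signed'
                    Detail = "$path ($($sig.Status))"
                }
            }
        }
    }

    return $findings
}

# Usage: list findings, or clean up the registry hijack in the same pass
# by adding -Remediate.
$results = Test-AccessibilityHijack
if ($results) { $results | Format-Table -AutoSize } else { 'No accessibility-helper hijack found.' }
```

Two caveats: on Windows 7's PowerShell 2.0, Get-AuthenticodeSignature does not consult the Windows catalog, so catalog-signed system binaries report NotSigned there and the second check should be replaced with a hash comparison against a known-good copy. For ongoing detection rather than a one-off audit, a Sysmon RegistryEvent (Event ID 13) rule or a registry SACL on the Image File Execution Options key will record the moment a Debugger value is written to one of these helper names.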

After reading this, I just noticed the sethc.exe can't be terminated under normal circumstances on my PC.

I wonder if it's only me.



That's not an exploit.

You can always replace/modify system files on disk, using a live CD or something.



drizztfire

That's not an exploit.

You can always replace/modify system files on disk, using a live CD or something.

That's true, but with this technique it will only take 20-30 seconds to do real damage.



This can, however, be useful for the user of the PC, like running your favorite torrent program on top so you can still download while logged out.