redxii Premium,Mod join:2001-02-26 Texas
Security vendors are getting desperate
www.pcworld.com/article/id,12978···cle.html
I saw this on the front page, I wanted to share it here.
A Windows feature designed to simplify computing for disabled users could be misused in Vista, a McAfee Inc. researcher reported Monday.
Attackers could use this feature, called StickyKeys, to trick a user into launching unauthorized software on the Vista machine, according to Vinoo Thomas, a McAfee researcher who blogged about the issue on Monday.
...
An attacker could replace the sethc.exe file used to launch StickyKeys with some other executable, like the Windows command utility, Thomas wrote.
This backdoor vulnerability was already known to exist in Windows 2000 and Windows XP, according to Thomas.

Basically it is a backdoor that requires physical access to "enable". You could use another flaw to replace the file, but if you already have access via that flaw, then what is the point?
Thoughts?
  ItGetsWorse
@inet.fi
What kind of a motherless "backdoor" is that? Assuming the user isn't admin, it may be a little difficult to just replace the file, seeing how the user would lack write access to it.
Yes, sounds pretty desperate to me.
Mele20 Premium join:2001-06-05 Hilo, HI
reply to redxii Why is this news if the vulnerability has existed since Windows 2000?
 garys_2k
join:2004-05-07 Farmington, MI
reply to redxii And if an attacker replaced sol.exe with malware, then trying to play solitaire would result in the malware being run.
This is news?
 Alphalutra1
join:2005-10-06 127.0.0.1
I have done this on other computers for a while.
Pretty cool to see what you can do while not logged in (like starting up explorer and seeing your username as system is pretty cool).
Cheers,
Alphalutra1
dave Premium,MVM join:2000-05-04 not in ohio
reply to garys_2k said by garys_2k :And if an attacker replaced sol.exe with malware, then trying to play solitaire would result in the malware being run.
While I agree with the general sarcasm of the response, sticky keys is somewhat different to Solitaire. The difference is that there's no way to run Solitaire prior to login, whereas Sticky Keys can be triggered before login (the need to do so should be obvious).
Furthermore, the program thus launched would be running on the winlogon.exe desktop, probably (I am not sure) as local system, way more priv'd than mere administrator.
Even so, it does seem a stretch. The attacker needs to have access to replace the sticky-keys program. And suppose the user is tricked into replacing it with cmd.exe - so what? Wouldn't it be better to replace it with MyVeryBadProgram.exe?
-- Microsoft Security MVP, 2005-2007.
 m0d
join:2005-03-02 ireland
reply to redxii One can always argue that an attacker actually needs access to the machine to be able to pull this off. Of all the unauthorized system access incidents that organizations reported last year, roughly 27% were by internal employees. And it is this threat from within (disgruntled or naughty employees) that poses the greatest computer security threat to organizations today.
Another alarming feature of this backdoor is that an attacker can use this method to bypass login on terminal servers and workstations with the remote desktop enabled. Since no third-party tools are being installed on the system and we are using Microsoft's own files to achieve this, it will be difficult to detect for a typical administrator.

"local exploit" only. "Disgruntled employees" smacks of desperation alright.
  AB Premium join:2006-04-04 Leesburg, VA
reply to redxii Mr. Thomas neglected to tell me how his company's product was going to protect me from this. An oversight on his part? He did tell me this, though:

". . To avoid the problem, "one can uninstall the Accessibility Tools feature, which is installed by default, to avoid this fairly simple, yet potentially serious built-in backdoor," he wrote."

Okay, done. The second day of the XP install, as I recall.

"And don't forget to hit the shift key five times and see what pops up on your desktop."

I tried it; I couldn't believe it. It pops up "McAfee Blows Chunks".
toadlife Premium join:2004-05-03 Lemoore, CA
reply to dave said by dave :And suppose the user is tricked into replacing it with cmd.exe - so what? Wouldn't it be better to replace it with MyVeryBadProgram.exe?
Since administrator privileges are required (unless the default filesystem ACLs have been changed) to replace sethc.exe, I really don't see the point. There are other ways to log on as LOCALSYSTEM without replacing sethc.exe if you have admin rights.
-- Hate your enemies. Save your friends. Find your place. Speak the truth.
 nunsuperior
join:2004-04-07 Northridge, CA
reply to redxii It works, it's easy to test. On a XP machine click Start \ Log Out \ Switch User. That brings up the log in screen. Hit Shift 5 times. The Sticky Keys menu comes up.
While this file replacement technique is pretty useless for a haxxor or as a malicious attack, it is useful/bad for people who want to override their log in. For example, if the IT department at your work locks out your account, but you've already replaced the Sticky Keys executable with some tool you can still activate it. Interesting. Might be useful as a test tool as well.
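For anyone who wants to check a box for the swap redxii, dave and toadlife are describing (and to see why toadlife's ACL point matters), the following script compares sethc.exe against the stand-ins named in the thread and lists who could overwrite it. This is an added example, not code from the thread or from McAfee's post; it assumes Windows PowerShell 4 or later (for Get-FileHash), an elevated prompt, and the default System32 paths.

```powershell
# Added example (not from the thread): detect a swapped sethc.exe and show who could swap it.
# Assumes Windows PowerShell 4+ running elevated; $env:SystemRoot\System32 is the default location.
$sys32    = Join-Path $env:SystemRoot 'System32'
$target   = Join-Path $sys32 'sethc.exe'                                         # the StickyKeys launcher
$standIns = 'cmd.exe', 'explorer.exe' | ForEach-Object { Join-Path $sys32 $_ }   # replacements the thread mentions

function Test-SethcReplaced {
    param([string]$Path, [string[]]$KnownStandIns)
    $findings = @()

    # 1. Byte-identical to a known stand-in? Catches the plain "copy cmd.exe sethc.exe" case,
    #    but only when the attacker copied the same build that is on this box.
    $hash = (Get-FileHash -Path $Path -Algorithm SHA256).Hash
    foreach ($s in $KnownStandIns) {
        if ((Get-FileHash -Path $s -Algorithm SHA256).Hash -eq $hash) {
            $findings += "byte-identical to $(Split-Path $s -Leaf)"
        }
    }

    # 2. Does the PE version resource still name sethc.exe? A copied cmd.exe keeps its own
    #    OriginalFilename, so this catches a copy from any build.
    $orig = (Get-Item $Path).VersionInfo.OriginalFilename
    if ($orig -and $orig -notlike 'sethc.exe') {
        $findings += "OriginalFilename is '$orig'"
    }

    # 3. Signature status. A copied cmd.exe is still validly Microsoft-signed, so this only
    #    flags an unsigned or patched stand-in (dave's MyVeryBadProgram.exe).
    $sig = Get-AuthenticodeSignature -FilePath $Path
    if ($sig.Status -ne 'Valid') { $findings += "signature $($sig.Status)" }

    # 4. Who is allowed to write the file? With default ACLs that is Administrators / TrustedInstaller
    #    only, which is why the thread calls this admin-only. Anything broader is a misconfiguration.
    $writers = (Get-Acl -Path $Path).Access |
        Where-Object { $_.AccessControlType -eq 'Allow' -and
                       $_.FileSystemRights.ToString() -match 'Write|Modify|FullControl' } |
        ForEach-Object { $_.IdentityReference.Value }

    [pscustomobject]@{
        Path     = $Path
        SHA256   = $hash
        Replaced = ($findings.Count -gt 0)
        Findings = $findings
        Writers  = $writers
    }
}

Test-SethcReplaced -Path $target -KnownStandIns $standIns | Format-List
```

The hash comparison is the weakest of the four checks, since it needs the exact same build of cmd.exe; the OriginalFilename test is the one to rely on. The ACL listing is the answer to the "so what" in the thread: if only Administrators and TrustedInstaller can write sethc.exe, the swap needs admin rights that the attacker already has.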
 m0d
join:2005-03-02 ireland
OK but all that is "local" .. Is it "remotely exploitable"?
By that I don't mean that you use another remote exploit and then use this. After an initial remote exploit you can probably do anything you like.
  youveshutmedown
@sbcglobal.net
If I can gain remote access to your machine to overwrite/replace an executable such as sol.exe or sethc.exe....what's the point in doing so? I've already got all the access I need to plant/replace/trojan whatever I want. Why hinge it all on whether or not the user will play solitaire, or uses the sticky key function. Might as well replace calc.exe with something nasty.
This is def. a desperate attempt at stirring up FUD.
  roamer_1
join:2004-11-21 Kalispell, MT
reply to redxii One of the original ways to compromise WINNT was to replace the screensaver with a copy of CMD... Sooner or later, as the machine sat at the login, the screensaver was called and up comes a CMD box with system privileges.
This seems to be much the same thing.
-Bruce