
Gaining System-Level Access To Vista

kdawson posted more than 6 years ago | from the seems-too-simple-somehow dept.

Security 412

An anonymous reader writes "This video shows a method by which a user can use a Linux distro called BackTrack to gain system access to Windows Vista without logging into Windows or knowing the username or password for any accounts. To accomplish this, the user renames cmd.exe to Utilman.exe — this is the program that brings up the Accessibility options for users without sight or with limited vision. The attack takes advantage of the fact that the Utility Manager can be invoked before the user logs into the system. The user gains System access, which is a level higher than Administrator. The person who discovered this security hole claims that XP, 2000, 2003 and NT are not vulnerable to it; only Windows Vista is."
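The summary describes swapping cmd.exe in for Utilman.exe; the question a defender asks is how to tell whether the pre-logon accessibility helpers on a machine have already been swapped. The following is an added example (not code from the story, the video or Microsoft): a Python audit over a snapshot of System32 that flags a watched helper whose hash equals cmd.exe, differs from a known-good baseline, or has a leftover backup copy beside it. The baseline hashes and the sample file contents are assumptions; on a real machine you would take the baseline from a trusted install. Signature checks alone do not catch this, since the impostor is Microsoft's own signed cmd.exe, a point made later in the thread.

```python
"""Audit the pre-logon accessibility helpers in System32 for swapped binaries.

Added example for this thread; it is not code from the story, the video or
Microsoft.  It hashes a snapshot {filename: bytes} of System32 so it can run
offline; snapshot_dir() builds that snapshot from a real directory.  The
baseline hashes are an assumption: take them from a trusted install.
"""
import hashlib
import os

# Helpers that Winlogon can start as SYSTEM before anyone logs on.  The thread
# names Utilman.exe (Utility Manager), sethc.exe (StickyKeys) and magnify.exe.
WATCHED = ("utilman.exe", "sethc.exe", "magnify.exe")
SHELL = "cmd.exe"
BACKUP_SUFFIXES = (".bak", ".old", ".orig")


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def audit(snapshot: dict, baseline: dict) -> list:
    """Return sorted (filename, reason) findings for the snapshot.

    snapshot: filename -> file contents (any case; matched case-insensitively)
    baseline: lower-cased filename -> known-good SHA-256 hex digest
    """
    files = {name.lower(): data for name, data in snapshot.items()}
    shell_hash = sha256(files[SHELL]) if SHELL in files else None
    findings = []
    for name in WATCHED:
        if name not in files:
            findings.append((name, "missing"))
            continue
        digest = sha256(files[name])
        if digest == shell_hash:
            # The video's trick: the helper is a byte-for-byte copy of cmd.exe,
            # so it still carries a valid Microsoft signature.
            findings.append((name, "identical to cmd.exe"))
        elif name not in baseline:
            findings.append((name, "no baseline hash"))
        elif digest != baseline[name]:
            # Replaced by something other than cmd.exe, or unexpected drift.
            findings.append((name, "hash differs from baseline"))
    # A rename-and-replace usually leaves the original behind, e.g. magnify.bak.
    for name in files:
        stem, ext = os.path.splitext(name)
        if ext in BACKUP_SUFFIXES and stem + ".exe" in WATCHED:
            findings.append((name, "backup copy of a watched binary"))
    return sorted(findings)


def snapshot_dir(system32: str) -> dict:
    """Read cmd.exe, the watched helpers and any backup copies from disk."""
    wanted = set(WATCHED) | {SHELL}
    snapshot = {}
    for name in os.listdir(system32):
        low = name.lower()
        stem, ext = os.path.splitext(low)
        if low in wanted or (ext in BACKUP_SUFFIXES and stem + ".exe" in WATCHED):
            with open(os.path.join(system32, name), "rb") as fh:
                snapshot[low] = fh.read()
    return snapshot


def demo() -> list:
    """Run the audit on a constructed snapshot (fake contents, not real PE files)."""
    # Constructed sample: utilman.exe was overwritten with cmd.exe, magnify.exe was
    # renamed to magnify.bak and replaced by an unknown file, sethc.exe is intact.
    snapshot = {
        "cmd.exe": b"CMD",
        "Utilman.exe": b"CMD",
        "sethc.exe": b"STICKYKEYS",
        "magnify.exe": b"SOMETHING-ELSE",
        "magnify.bak": b"MAGNIFIER",
    }
    baseline = {
        "utilman.exe": sha256(b"UTILMAN"),
        "sethc.exe": sha256(b"STICKYKEYS"),
        "magnify.exe": sha256(b"MAGNIFIER"),
    }
    return audit(snapshot, baseline)


if __name__ == "__main__":
    for name, reason in demo():
        print(f"{name}: {reason}")
```

Running `audit(snapshot_dir(r"C:\Windows\System32"), baseline)` against a baseline captured from a clean install is the offline, boot-from-rescue-media check; an empty list means the watched helpers are untouched.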


412 comments


Cancel.... (5, Funny)

FriendSite.com (1208220) | more than 6 years ago | (#23541001)

Allow full root access

Cancel or Allow...

-1 Unfunny (0)

Anonymous Coward | more than 6 years ago | (#23541079)

n/t

-1 Humorless Shill (0)

Anonymous Coward | more than 6 years ago | (#23541327)

n/t

Long weekend... (3, Interesting)

cayenne8 (626475) | more than 6 years ago | (#23541005)

Hmm...something new and fun to play with over this long holiday weekend.

:-)

Re:Long weekend... (-1, Troll)

Anonymous Coward | more than 6 years ago | (#23541351)

maybe you should shop for a MAC over the weekend

Re:Long weekend... (4, Informative)

Anonymous Coward | more than 6 years ago | (#23541453)

maybe you should shop for a MAC over the weekend
Why do people insist on putting Mac in all caps? Like it's some sort of acronym or something? Unless you were suggesting shopping for Media Access Control, in which case I apologize.

Mid-Air Correction? (1)

Mathinker (909784) | more than 6 years ago | (#23541493)

It might have been a suggestion that the poster play a lot of Ultimate over the weekend so he/she would have a better chance at doing a fancy Mid-Air Correction on the disc?

physical access == game over (5, Insightful)

bersl2 (689221) | more than 6 years ago | (#23541011)

How is this news?

Re:physical access == game over (5, Insightful)

zonky (1153039) | more than 6 years ago | (#23541039)

Does it bypass the BitLocker/full drive encryption options in Vista? Physical access is not always game over....

Re:physical access == game over (5, Informative)

hcmtnbiker (925661) | more than 6 years ago | (#23541099)

It won't bypass BitLocker if you have to put in a password as soon as you boot, but it might if you have it set up the other way.

Physical access does always mean game over: brute-forcing (most people keep their FDE passwords around 4 characters) and the possibility of plaintext attacks exist on certain blocks.

The interesting thing is that the utility for helping impaired people is run as SYSTEM when it really doesn't have to be. I had wondered about this and thought about doing the same hack before ever even seeing this video, but never bothered to do it; the possibility of messing something up and having to revert it afterwards just seemed too annoying to me.

Re:physical access == game over (1)

Tychon (771855) | more than 6 years ago | (#23541273)

Really? Only four characters? I find that kind of surprising. I guess I'm just a freak. Granted, my systems are usually up for lengthy enough periods of time that a fifty-plus character password isn't too irritating.

Re:physical access == game over (5, Insightful)

weicco (645927) | more than 6 years ago | (#23541497)

The interesting thing is that the utility for helping impaired people is run as SYSTEM when it really doesn't have to be.

My hunch would be that the utility has to insert some system level hooks into Windows in order to read text from every widget (window, control, or whatever you call them) in the system. This is why it needs elevated privileges.

But the whole article is stupid. I "hacked" into my coworker's Win2000 installation almost a decade ago. He was on holiday and we needed something from his PC. I downloaded a nice little program from the internet, copied it to a disk, booted it and changed the admin password. Then we just logged on to his system using the new password. Wow! Maybe I should post an article to Slashdot about this!

Re:physical access == game over (1)

Repton (60818) | more than 6 years ago | (#23541153)

I dunno --- I'm still waiting for someone who actually watched the video to post in this thread :-)

I guess the question is: can the SYSTEM account access encrypted volumes? In XP, if you encrypted your home directory, the Administrator user could read your files (by default; you could change that).

Re:physical access == game over (2, Interesting)

jkrise (535370) | more than 6 years ago | (#23541105)

How is physical access == game over? What about BitLocker encryption? Can a Linux distro decrypt BitLocker?

Also interesting to note this hack works only with Vista but not XP or earlier versions of Windows. Why would Microsoft go out of its way to make a system less secure?

Re:physical access == game over (0)

gehrehmee (16338) | more than 6 years ago | (#23541155)

At some point, it's gotta get decrypted, with some kind of key. The contents will have to be in memory at some point. Hell, the key's gonna be in memory. If you've got total kernel-level access to the system, you can do whatever you want with memory, including just reading these things right out from under the apps that use them. Now I don't know a lot about Vista, or this trick, so I couldn't say if it gives you that level of access, although it sounds like it.

Re:physical access == game over (2, Interesting)

jkrise (535370) | more than 6 years ago | (#23541183)

The exploit involves rewriting cmd.exe with Utilman.exe by booting the system into Linux. How can the Linux ntfs utility gain access to the Vista partition if it was encrypted... remember we haven't booted Vista yet?

Secondly, which moron in Microsoft would allow 'root' level programs to run 'before' the user has logged in as root? Pretty dumb, it seems to me. Maybe they did it on purpose?

Thirdly, why not validate the cmd.exe before actually allowing it to run as root? This appears to have been done in XP / 2000 etc. so why not in Vista?

The exploit seems to be just the tip of an iceberg.

Re:physical access == game over (5, Informative)

sandmtyh (560543) | more than 6 years ago | (#23541201)

It works in XP and 2000... you just have to do the same trick with different file names.

Re:physical access == game over (5, Informative)

Hunter-Killer (144296) | more than 6 years ago | (#23541301)

Parent is correct; been doing this in XP for years with C:\windows\system32\sethc.exe (StickyKeys).

The article wouldn't have been newsworthy if it had merely said "Vista just as vulnerable, nothing new." Especially since the old tricks are often the first things tried with the new OS.

Re:physical access == game over (0)

Anonymous Coward | more than 6 years ago | (#23541303)

How can the Linux ntfs utility gain access to the Vista partition if it was encrypted... remember we haven't booted Vista yet?

By dropping a keylogger and getting your password the next time you type it.

Re:physical access == game over (1)

Fumus (1258966) | more than 6 years ago | (#23541465)

How can the Linux ntfs utility gain access to the Vista partition if it was encrypted... remember we haven't booted Vista yet?

I haven't tried encrypting the NTFS, but I just love how Windows handles file ownership in NTFS.
When reinstalling Windows I found out that I couldn't access my old documents, so I did a quick Google search: you just disable simple file sharing in folder options, then right-click the folder, go to a tab named "Security" and give yourself ownership of the folder. The funniest part is Windows saying "By doing this, you will have full unrestricted access to this folder, are you sure you want to?"

Re:physical access == game over (2, Insightful)

Anonymous Coward | more than 6 years ago | (#23541487)

This is really getting old. Physical access to unencrypted file system equals game over unconditionally and is not a reflection of the strength of the OS.

Physical access to encrypted file systems with BitLocker means you're going to have to be a lot more creative. TPM provides a trust relationship at the BIOS level, so cheap crap like replacing the hard drive and waiting for the user to log in is not going to work. You will need to first hide a small camera next to the keyboard or tap the keyboard or use TEMPEST to collect the user's password.

Re:physical access == game over (1)

Blakey Rat (99501) | more than 6 years ago | (#23541243)

Also interesting to note this hack works only with Vista but not XP or earlier versions of Windows. Why would Microsoft go out of its way to make a system less secure?

What makes you think Microsoft went "out of its way" to make this work? What makes you think it was simply an oversight, or a missing test-case? (Or maybe they never even thought of it and it was dumb luck it didn't work in previous versions. Who knows?)

Re:physical access == game over (5, Interesting)

_xeno_ (155264) | more than 6 years ago | (#23541293)

No kidding. I once "hacked" into a Linux machine that had an unknown root password by booting off a live CD, sudo bashing to become root, and then it's just mount, chroot and passwd to reset the root password. (I could have also manually edited /etc/shadow but this was easier.)

Linux is horribly insecure! I was able to reset the root password with just a live CD and complete access to the machine!

Now of course if the hard drive had been encrypted, this "attack" wouldn't have worked. (Although in this case at least, a different attack would have worked: reinstalling the OS. Resetting the root password was faster. The data on the machine wasn't important. We just needed a working Linux installation with a known root password.)

Multi-step process (3, Interesting)

lullabud (679893) | more than 6 years ago | (#23541421)

You're not very good at puzzles, are you? First you get one piece; here it is the ability to rename an executable to execute a privilege escalation. The next piece is for anybody to find... a way to remotely rename an executable while it is being used, or during reboot, or something else more clever than one minute of my thinking during this reply.

Your questioning follows the "who cares if water expands when it freezes?" line of thinking. You're missing the second part, the idea that you have to pour it into something before it freezes in order to break that something without effort.

Re:physical access == game over (0)

Anonymous Coward | more than 6 years ago | (#23541475)

In corporate environments, it is quite common to have physical access to computers, but not administrative privileges. Changing or resetting the administrator's password will be easily detected; this trick, however, will not.

Re:physical access == game over (1)

Zemran (3101) | more than 6 years ago | (#23541499)

Should I install Windows Vista so that I can try this out? Naaaah, cannot be bothered. Pretty video, nice 2 mins, time to get on with life.

Seems like a lot of trouble (1)

Kligat (1244968) | more than 6 years ago | (#23541015)

just to go through all that research just to find a way to switch all Windows Vista cursors with the "busy" rotating wheel to confuse their users, come April Fool's Day.

Is this how it was planned? (5, Funny)

websters (854886) | more than 6 years ago | (#23541021)

A conversation amongst the developers: Dev 1: "You see - we can just rename the exe and then get the job done!" Dev 2: "Is there a risk?" Dev 1: "How? Users without sight or with limited vision will have a hard time getting to cmd.exe to rename it - dumbass!"

Re:Is this how it was planned? (3, Informative)

Anonymous Coward | more than 6 years ago | (#23541137)

You cannot do this from within the OS because Utilman is owned by local system. What this attack does is use one OS to modify a second OS while the second OS is offline. Similarly, I can build my own Linux kernel to not authenticate users and replace the Linux kernel on your box with this method. Attacks of this nature are simple if the filesystem is unencrypted and probably still unavoidable on encrypted filesystems if the attacker has complete access to the physical machine.

Re:Is this how it was planned? (2, Insightful)

pallmall1 (882819) | more than 6 years ago | (#23541215)

Similarly, I can build my own linux kernel to not authenticate users and replace the linux kernel on your box with this method.
Replacing the kernel is a little different than just changing one filename.

Re:Is this how it was planned? (5, Insightful)

totally bogus dude (1040246) | more than 6 years ago | (#23541451)

Not really, the kernel is just a file or two. If you insist, then rename init to something else (e.g. a shell) and you'll get a similar effect on Linux. Or modify the inittab to run a logged-in root shell on one of the vty's. If you really think this is some special OMG VISTA IS SO INSECURE COMPARED TO EVERYTHING ELSE flaw, then you don't understand the "problem" at all.

However I have to wonder: once you have access to the filesystem, why exactly would you bother booting into Vista and getting yourself a privileged cmd.exe? Why not just access whatever data you want from the other OS? Or does "unencrypted hard drives can be read and modified using other computers" not make a good enough headline?

This whole thing is so completely and utterly pointless it's probably created a black hole.

Re:Is this how it was planned? (3, Insightful)

inode_buddha (576844) | more than 6 years ago | (#23541359)

This is true and correct. As long as one can spin up a disk and read it, then it's game over. A bootable distro on a CD will easily do the job. You don't even need to build or replace the kernel to do it, since init and login are user-level as far as the kernel is concerned. You might need a few special drivers for volume mounting, reading, and decryption tho. Some really bare-bones disks come to mind as potentially useful, such as very early slackware (3.x) or Linux From Scratch/Busybox, all of which fit on a floppy or two. Recall that most boxes will seek the first possible bootable media.

Old News (0)

Anonymous Coward | more than 6 years ago | (#23541025)

This same trick has been used (years ago) on previous versions of Windows. It's nothing new

Re:Old News (1)

deniable (76198) | more than 6 years ago | (#23541343)

I think the logon screen saver was the tool of choice before. They've obviously fixed *that* problem.

Physical Security (4, Insightful)

hardburn (141468) | more than 6 years ago | (#23541033)

This demonstrates that it's almost impossible to secure a machine when an attacker has unrestricted physical access. Any OS is vulnerable somehow. There are a few things that can be done (like encrypting the entire system partition), but mostly solutions are limited to restricting who has physical access.

Re:Physical Security (-1, Troll)

Anonymous Coward | more than 6 years ago | (#23541129)

Which explains why Windows 95, 98, NT, 2000, ME, XP, and 2003 are all not vulnerable to this attack.

No, this is just yet another demonstration that Vista is, if anything, less secure than XP was and that the User Annoyance Crap didn't actually solve a damned thing. Which everyone should have realized by now.

Re:Physical Security (1)

Kevinb (138146) | more than 6 years ago | (#23541185)

"Attack"? This was carried out from a root prompt. You already have unrestricted access to the drive. Why even bother renaming exe's?

Re:Physical Security (3, Informative)

ozmanjusri (601766) | more than 6 years ago | (#23541353)

So you can install a rootkit/keylogger and get back in when the OS is running.

Re:Physical Security (1)

Jeff DeMaagd (2015) | more than 6 years ago | (#23541195)

Which explains why Windows 95, 98, NT, 2000, ME, XP, and 2003 are all not vulnerable to this attack.

But they too are vulnerable to other kinds of attack by someone that has physical access to the machine. While the attack would be different for non-Vista Windows machines, I think those are about as easy.

Re:Physical Security (1)

davolfman (1245316) | more than 6 years ago | (#23541309)

What I find most interesting though is the fact that this is a "Physical Access" attack that can be completed quickly and relatively innocuously. No need to open the case or even add a thumb drive. Just a CD and a reboot, a few minutes in bash, and another reboot. It's almost an entire new family of attack, using modification of the filesystem to tweak the security through an external OS.

To be honest it sounds like I could accomplish the same thing with a BartPE disc, or even just an NTFS-driver tweaked DOS-boot floppy.

WTF? (-1, Flamebait)

revengebomber (1080189) | more than 6 years ago | (#23541045)

While this does require physical access, running something as root before login is still incredibly stupid.

Re:WTF? (1)

pravuil (975319) | more than 6 years ago | (#23541149)

Yep, there's the main problem right there. While everyone tries to pass this off, having access to a root account like this is pretty scary. Considering bitlocker is a feature for the business end of windows vista, most of the other versions are pretty much vulnerable. Hopefully they get this fixed soon.

Re:WTF? (5, Insightful)

fabs64 (657132) | more than 6 years ago | (#23541191)

You mean like init? gdm? Xorg? sshd?

Wow, if I boot a *nix machine with a rescue disk (assuming /sbin isn't encrypted) I can replace all sorts of apps that run as root with my own!

Danger, Will Robinson.

Seriously, as many problems as I have with Microsoft's past security practices, this does not look like anything.

Re:WTF? (5, Insightful)

icebike (68054) | more than 6 years ago | (#23541205)

> While this does require physical access, running
> something as root before login is still incredibly
> stupid.

Every Unix/Linux system runs "something as root" before login. You should look at "top" some time and see what pid number 1 is and who ran it.

PANIC (5, Insightful)

Profane MuthaFucka (574406) | more than 6 years ago | (#23541051)

The BIOS lets you run anything! Even a whole new operating system! Unrestricted access OMG!

Re:PANIC (5, Funny)

jhdevos (56359) | more than 6 years ago | (#23541277)

Right... They should think of some system where the BIOS will only load code that was digitally signed somehow, so these atrocities are no longer possible. Personally, I will only feel safe when I know that Microsoft completely controls what goes on on my PC!

Remotely Authorized OS (1)

lullabud (679893) | more than 6 years ago | (#23541473)

The bios won't let you boot up a Domain Controller with root access that has valid certificates to connect to an entire security infrastructure.

The bios won't let you boot up any workstation in a Windows Domain, change the local administrator password, then use that escalation to access trusted resources.

Sure, local access is weak security, and you can often boot up whatever software you want with local access, but that's the equivalent of dismembering a body or stealing a car. This is the equivalent of cat burglary, and while you're inside you can do whatever you want, take whatever you want, install whatever you want. There is a difference, and this tactic is more subtle.

ethics? (-1, Flamebait)

Anonymous Coward | more than 6 years ago | (#23541057)

Well done for explaining in enough detail a very dangerous exploit for vista to a very popular site. This exploit could cause millions in damage before it's patched, does slashdot have no ethics?

Re:ethics? (0, Redundant)

teh moges (875080) | more than 6 years ago | (#23541235)

It's a well-known fact that Microsoft will not fix many security holes it finds until they have been made public. I'd much rather have them forced into releasing the patch soon, as opposed to a few black hat researchers knowing and exploiting this for many years until someone else publicly posts the information.

Re:ethics? (1, Insightful)

Anonymous Coward | more than 6 years ago | (#23541239)

  • Full disclosure [wikipedia.org] would be unethical if limited disclosure actually worked. But it doesn't, as vendors of defective software have demonstrated time and again through weeks if not months of inaction and harassment of researchers.
  • As almost every commenter has pointed out, this is just one more in a well-known family of defects which practically require booting a different operating system to exploit.

If you can write the raw disk... (5, Insightful)

Animats (122034) | more than 6 years ago | (#23541059)

Really. If you have enough access to the machine to boot your own OS and rewrite the disk, of course you can take over the machine.

Now if someone manages to do this from the outside, that's news.

Re:If you can write the raw disk... (1)

ccoder (468480) | more than 6 years ago | (#23541073)

ssh! don't tell m$ that..

seriously, they've already locked down some BIOS configurations, although I can't recall any examples (so I could be wrong).

This does seem like a logical progression, if they can get code added to some BIOS chips...

changing these TYPES of programs is vulnerable (1, Interesting)

ccoder (468480) | more than 6 years ago | (#23541061)

... IN ALL WINDOWS VERSIONS!

I've done this in 3.1/95 with the SHELL= variable, in 98 replacing explorer.exe, etc, and in 2000/xp by replacing the accessibility tools. (I forget the name, but try pressing shift 5 times before you login with windows XP - or after and use task manager to see what comes up)..

Writing this from linux or i'd check :)

very nasty in computer labs :)

Slow weekend? (0)

Anonymous Coward | more than 6 years ago | (#23541063)

A "security hole" that requires physical access to the computer and most likely requires root access (since you need to rename some system files)?

Wow, I'm impressed. Who is the genius that discovered this?

Re:Slow weekend? (1)

ResidntGeek (772730) | more than 6 years ago | (#23541093)

A genius who'd be better able than you to gain access to a locked computer.

Umm NT Screensaver? (0)

Anonymous Coward | more than 6 years ago | (#23541067)

Didn't NT have a similar issue with the screensaver?

Re:Umm NT Screensaver? (1)

sandmtyh (560543) | more than 6 years ago | (#23541141)

Yes.... rename explorer.exe to default.scr, wait for the screen saver to kick in... system-level access.

Oh... (4, Informative)

kasparov (105041) | more than 6 years ago | (#23541081)

So having physical access to a machine can allow you to get system-level access? Weird. Here's a hint...boot into Linux. At the grub prompt, select edit and add "single" to the line of kernel options. Short of a completely encrypted drive, you are pretty much SOL if someone has physical access to your machine. Sorry.

Re:Oh... (0)

RiotingPacifist (1228016) | more than 6 years ago | (#23541127)

your point is valid, but for laptops you can always lock bios & grub, ofc that would also protect you from this attack.

Re:Oh... (3, Informative)

chatgris (735079) | more than 6 years ago | (#23541167)

No it wouldn't. You take the hard drive out of the laptop, either put it in another laptop or buy a $15 adapter that lets you plug it into an IDE slot on a computer. Change the files, put the disk back in the laptop.

There isn't anything magical or hidden about a laptop hard drive.

Re:Oh... (1)

rabbit994 (686936) | more than 6 years ago | (#23541455)

There is also a USB adapter that does the same thing. We use them at work to recover busted laptop HDs. Heck, most of the time instead of doing this trick, we just look into the Windows equivalent of /etc/shadow and then run the password through an online LM hash database when clients forget to leave us their passwords.

Oddly enough... (2, Interesting)

frank_adrian314159 (469671) | more than 6 years ago | (#23541085)

... there seem to be a few of these "name related" hacks in Vista. Files with the string "setup" in their name are recognized as potential installers and are handled differently by the OS. We were able to work around an installation issue in Vista by renaming the installation .exe file something else. One look at this and I said to myself "WTF? Is this any way to secure an OS?"

Re:Oddly enough... (1)

Iamthecheese (1264298) | more than 6 years ago | (#23541147)

Yes, yes it is. If physical level access is available, the only real security is having an encrypted drive with the passphrase elsewhere.

Re:Oddly enough... (1)

Myen (734499) | more than 6 years ago | (#23541271)

Umm, that just means they end up not running elevated. It's not like they magically gained privileges without the UAC prompt.

They have a crappy algorithm for guessing what files need the UAC prompt, because there's no other information; they can't tell if a setup app needs the privileges, and they went in favour of backward compatibility. What I do hate is the lack of "don't elevate" option, though...

Re:Oddly enough... (1)

Skuld-Chan (302449) | more than 6 years ago | (#23541471)

Vista uses heuristics to determine if the exe is an installer for non-Vista-aware installers to *prompt* for elevation. If you're too dumb to heed Windows' warning that you shouldn't allow elevation unless you trust this application, how is this Microsoft's fault?

Also, it's not all that different than doing sudo or the Mac elevation prompt.

Undocumented *NIX Inter-operability Feature (0)

Anonymous Coward | more than 6 years ago | (#23541101)

With the NTFS-3g Linux driver, a minimal Linux distro could be cobbled together to simply launch a script to accomplish the hack without having to learn complicated *NIX stuff.

Since you need physical access for this hack, no one in their right mind would ever touch someone else's computer and Vista is the most secure operation system ever offered by Microsoft, this is obviously just an undocumented "interoperability" feature ...

DUH..... this works in 2000 and xp as well (5, Informative)

sandmtyh (560543) | more than 6 years ago | (#23541121)

Boot an NTFS-capable live Linux CD, rename magnify.exe to magnify.bak, and copy cmd.exe to magnify.exe. Boot to the login screen, press Windows key+U and choose "magnify the screen": system-level access to anything. Also, if you are an admin in Windows XP, just run "at 12:05 /interactive cmd.exe"; at 12:05 a cmd prompt pops open (BTW you can use any time, then adjust the system clock), and the cmd prompt that pops open will have system-level access. Use taskmgr to kill explorer.exe, then launch explorer from the cmd prompt..... you are now SYSTEM. I have been using this for years... I was told that MS was going to sign all the EXE files to stop this attack, but guess what..... cmd.exe will still be signed. People who are surprised by this.... you might also like to know how to get Remote Desktop running on XP Home: http://www.geekport.com/2007/08/15/enabling-remote-desktop-in-xp-home/ [geekport.com]

Re:DUH..... this works in 2000 and xp as well (0)

Anonymous Coward | more than 6 years ago | (#23541369)

And also works in ANY Linux distro.
The only difference is that the users running MS OSes still date, have a life, play videogames, meanwhile Linux Losers are mom's-basement dwellers, and cannot play any videogame on their computers besides pathetic loser tetris...

Re:DUH..... this works in 2000 and xp as well (1)

nmb3000 (741169) | more than 6 years ago | (#23541433)

Also if you are an admin in windows xp...

If your account has administrator rights then everything you just listed is a waste of time. Administrator == God. End of story. What you're talking about is like hot-wiring a car when you're holding the keys.

This is like those "hacking XP!!!" videos on YouTube. " NET USER administrator * " OMG I hacked the admin!!!1~

Umm (2, Informative)

yoyhed (651244) | more than 6 years ago | (#23541151)

This has been well-known for a LONG time - you can rename cmd.exe to Magnify.exe and then run it from the Accessibility options at the login screen. Then you can do whatever you could normally do with a command prompt process run by System - like for example, run "control Userpasswords2" and change/reset anyone's password.

Not really limited to Vista (0)

Anonymous Coward | more than 6 years ago | (#23541157)

IIRC there were various methods of bypassing login on Windows XP by renaming ntlogin.scr to something else, then renaming cmd.exe to ntlogin.scr. Not exactly the same hack and it has different consequences.

This is news? (4, Informative)

atari2600 (545988) | more than 6 years ago | (#23541161)

A few readers have already posted the utter obviousness of the lack of security when someone has physical access to a machine. Linux machine root passwords can be reset, any Windows machine's Administrator password can be blanked if there is physical access.

Linux distro named BackTrack? Who is this kdawson and how is he such a fucking idiot? All the "elite haxors" in the video are doing are mounting the Windows filesystem in offline mode and doing two simple file operations. Again, how is this news and why is slashdot consistently posting more crap these days? Slashdot: morons for editors, shit that doesn't matter (anymore).

Re:This is news? (2, Informative)

sandmtyh (560543) | more than 6 years ago | (#23541173)

the best part about this is you don't even need linux to do it... all you need is a windows CD, and access to the recovery console.... if the recovery console restricts you just rename the hive files so that next time you reboot it won't find the registry entries that restrict you.

Re:This is news? (1)

atari2600 (545988) | more than 6 years ago | (#23541213)

Indeed. Since the OS in question is Vista, they just need a boot disk that allows them to mount NTFS partitions in RW mode.

Re:This is news? (1)

initialE (758110) | more than 6 years ago | (#23541259)

Looks like the next service pack of Vista will ship with Bitlocker turned on by default

Re:This is news? (1)

GigaplexNZ (1233886) | more than 6 years ago | (#23541431)

Looks like the next service pack of Vista will ship with Bitlocker turned on by default
That would only cause a whole bunch of support issues and leave the home versions unprotected since BitLocker is only supported in the business editions and Ultimate.

Re:This is news? (1)

Z80xxc! (1111479) | more than 6 years ago | (#23541307)

Have you actually used the recovery console? It requires THE administrator password to open it, and you can only log on with that account, not just any admin account. Additionally, if the admin account has been renamed (always a good idea btw) then it's impossible to get in to the recovery console.

Re:This is news? (1)

thatskinnyguy (1129515) | more than 6 years ago | (#23541217)

Who is this kdawson and how is he such a fucking idiot?
Hi. You must be new here.

Re:This is news? (0)

Anonymous Coward | more than 6 years ago | (#23541481)

It is part of the agenda to push Linux.

It is pretty sad when all they do around here is basically criticize the U.S., give NASA crap and kiss the EU's ass, daily FUD about MS and the daily copyright/RIAA.

The clones are getting old around here

uh huh (1)

dodgedodge (166122) | more than 6 years ago | (#23541181)

It was a copy, not a rename.

Not to let basic facts get in your way.

Limited Usefulness (1)

dctoastman (995251) | more than 6 years ago | (#23541209)

This is only useful if you have physical access to the machine and can remove the case (in case of BIOS passwords and boot order priority favoring the hard drive before anything else). So it can only be used in the case where you have a) forgotten all the passwords relative to that machine or b) don't have passwords to that machine.

Even in a networked environment, this access gets you very little, as a local machine admin still has no privileges on the network. So the best you can hope for here is that the user keeps sensitive data on their local machine.

Re:Limited Usefulness (1)

torkus (1133985) | more than 6 years ago | (#23541281)

Except you could do this on a machine that gets logged into by a domain admin or similar power user. Heck, you could just fish passwords. Once a box is compromised, anything it accesses can then be compromised.

Mastercard Ad (5, Funny)

this great guy (922511) | more than 6 years ago | (#23541229)

  • Getting Camtasia Studio to record your BackTrack & Vista sessions: free (you got the free trial version)
  • Downloading James Bond music to put in your flash demo: free (you have got crazy peer-to-peer skillz)
  • Showing the world the amazing things you can do with physical access to a box and that it takes you 60 long secs to painfully rename cmd.exe to utilman.exe: ...priceless

System Access v. Admin? (2, Interesting)

pbaer (833011) | more than 6 years ago | (#23541231)

My knowledge of modern Windows (XP, Vista) isn't very good, but I've always been under the impression Administrator==root. Is that not so? Is System access "root" or is there a more powerful level? What are the differences between Administrator, System access, and any other more powerful levels?

Also, how do I get "root" or the most powerful level of access to an XP machine?

Re:System Access v. Admin? (1)

sandmtyh (560543) | more than 6 years ago | (#23541247)

Yes, System access has the ability to access ALL non-encrypted files regardless of permissions.

Disk access? (4, Insightful)

shird (566377) | more than 6 years ago | (#23541251)

If they have sufficient access to rename a file, why bother rebooting into windows? Just read/write whatever you want when you have the initial disk access. Hell, modify ntoskrnl etc if you really want to.

I have 5 mod points (0)

Anonymous Coward | more than 6 years ago | (#23541263)

I have 5 mod points...can I mod down the OP for being completely moronic?

Re:I have 5 mod points (1)

sandmtyh (560543) | more than 6 years ago | (#23541393)

you can... but SHOULD you?

Old news (1)

mrbah (844007) | more than 6 years ago | (#23541283)

This attack is ancient. It used to be done in Windows 2000 by replacing the logon screen saver with cmd.exe and waiting 5 minutes.

Why not crack the Administrator password? (2, Insightful)

cciRRus (889392) | more than 6 years ago | (#23541305)

With the ability to boot up a LiveCD, wouldn't retrieving the NTLM password hashes and cracking the passwords with rainbow tables be a better idea? The process can be done with Ophcrack [sourceforge.net] within minutes on a modern PC. That way, the attack gains access to the local Administrator account but leaves no traces behind (i.e. no modification of system files).

The Administrator account would then allow the attacker to log in to Vista and launch cmd.exe at System level. This can be accomplished by using the Task Scheduler at.exe to run cmd.exe at the next minute.

This isn't a real security hole. (5, Insightful)

kiwioddBall (646813) | more than 6 years ago | (#23541313)

Reason: You need access to the system to rename the system files in the first place. To rename system files you need Admin permission.

Definition of a security hole: A security hole allows you to gain system access when you don't have system access in the first place.

Re:This isn't a real security hole. (2, Informative)

mrbah (844007) | more than 6 years ago | (#23541329)

The idea is to boot to an external OS (which can freely access the Windows partition) and modify the file that way.
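A defender-side integrity check for the swap described in this thread (Utilman.exe overwritten with a copy of cmd.exe), as an added example that is not from the video or any poster; it assumes a System32-style directory, constructs its own sample files, and would be run from a trusted offline boot or a scheduled job.

```python
"""Added example (not from the video or its author): detect an accessibility
helper launched from the logon screen (Utilman.exe) that has been replaced
by a copy of cmd.exe, either by comparing it to cmd.exe or to a known-good
baseline hash. All paths and file contents below are constructed for the demo."""
import hashlib
import tempfile
from pathlib import Path

# Only the helper named in the story; extend with other pre-logon helpers (assumption).
PRE_LOGON_HELPERS = ("Utilman.exe",)

def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large system binaries are not loaded whole."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()

def find_swapped_helpers(system32: Path, helpers=PRE_LOGON_HELPERS) -> list:
    """Helpers whose bytes are identical to cmd.exe, i.e. the swap has already
    happened. A helper that is simply absent is not reported here."""
    cmd_hash = sha256_of(system32 / "cmd.exe")
    return [name for name in helpers
            if (system32 / name).is_file() and sha256_of(system32 / name) == cmd_hash]

def check_against_baseline(system32: Path, baseline: dict) -> list:
    """Stronger check: compare each helper to a known-good hash recorded when the
    image was built. Catches a swap for any binary, not only cmd.exe, and missing files."""
    return [name for name, good in baseline.items()
            if not (system32 / name).is_file() or sha256_of(system32 / name) != good]

def run_demo() -> tuple:
    """Constructed sample: a fake System32 in which Utilman.exe is overwritten
    with a copy of cmd.exe after the baseline was taken. Returns both findings."""
    with tempfile.TemporaryDirectory() as tmp:
        system32 = Path(tmp) / "System32"
        system32.mkdir()
        (system32 / "cmd.exe").write_bytes(b"MZ constructed cmd.exe stand-in")
        # Baseline is recorded from the legitimate helper before the swap.
        (system32 / "Utilman.exe").write_bytes(b"MZ constructed Utilman.exe stand-in")
        baseline = {"Utilman.exe": sha256_of(system32 / "Utilman.exe")}
        (system32 / "Utilman.exe").write_bytes((system32 / "cmd.exe").read_bytes())
        return find_swapped_helpers(system32), check_against_baseline(system32, baseline)

if __name__ == "__main__":
    print(run_demo())  # (['Utilman.exe'], ['Utilman.exe'])
```

The baseline comparison is the one to keep in production, since it also flags a helper swapped for something other than cmd.exe or deleted outright.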

physical access is root access (1)

LukeCrawford (918758) | more than 6 years ago | (#23541347)

Unless you encrypt your disk, if an attacker can cause your computer to boot off of his own media, it's all over.

don't need physical access sometimes. (1)

sandmtyh (560543) | more than 6 years ago | (#23541361)

If someone has installed the recovery console on the machine, you can boot the recovery console using the boot options screen. Step two is to rename the said files, step three is of course 'profit'.

Re:don't need physical access sometimes. (1)

GigaplexNZ (1233886) | more than 6 years ago | (#23541467)

Except you need physical access to select the option at the boot screen...

Re:don't need physical access sometimes. (0)

Anonymous Coward | more than 6 years ago | (#23541503)

And just how do you propose booting to the recovery console and doing anything without having physical access?

Mac Control (1)

SuperQ (431) | more than 6 years ago | (#23541383)

This reminds me of the old Mac Control security application. It used an extension to lock out access to applications, except for a password entry dialog application. The dialog application had a special creator attribute. I simply set the creator attribute for a copy of norton disk editor which was great for fixing just about anything I wanted.

I guess... (1)

Bootarn (970788) | more than 6 years ago | (#23541395)

...that this post is about the fact that not much has changed since previous versions of Windows, rather than showing off the "attack", since this obviously is a trick that has worked before and is still working. At least that's how I see it.

With this, the blind can (0, Offtopic)

Provocateur (133110) | more than 6 years ago | (#23541449)

SYstem access (I know, *groan)

Faster than XP (1)

blank89 (727548) | more than 6 years ago | (#23541501)

Damn, that's like 3 minutes faster than taking out XP.