Vista vulnerable to 'Sticky Keys' backdoor

Summary:From the "neat-find-department" comes word from McAfee that Windows Vista is vulnerable to a Sticky Keys backdoor that could be exploited -- under perfect circumstances -- to launch malicious executables.McAfee researcher Vinoo Thomas said the security risk, which is already well-known on Windows XP, exists because Windows Vista does not check the integrity of the Sticky Keys file (%systemroot%windowssystem32sethc.

From the "neat-find-department" comes word from McAfee that Windows Vista is vulnerable to a Sticky Keys backdoor that could be exploited -- under perfect circumstances -- to launch malicious executables.

McAfee researcher Vinoo Thomas said the security risk, which is already well-known on Windows XP, exists because Windows Vista does not check the integrity of the Sticky Keys file (%systemroot%windowssystem32sethc.exe) before executing it.
Which means you could replace it with another executable and run it by depressing the shift key five times. A popular replacement is "cmd.exe." After replacement, one could invoke this command prompt at the login prompt without the need to authenticate," Thomas said in a note posted on the McAfee Avert blog.
Once launched, it is possible to execute explorer.exe without authenticating and get a full desktop running under the credentials of the NT Authoritysystem account. And from this point on an attacker has full access to the system.

Although this is considered a neat find, it is hardly a critical issue that puts uses at risk of remote code execution attacks.  For starters, as Thomas himself admits, an attacker must already be logged in as an administrator to replace the executable.  

An attacker with full admin rights already owns the box so it makes little sense to be manipulating executables to exploit a built-in backdoor.  McAfee's Thomas suggests it could still be useful, warning that a determined attacker can always find workarounds to elevate user rights and use the backdoor to create a new user, add the new user to the administrators group via the net command and then use the account to rightfully log in using the certain commands.
Another alarming feature of this backdoor is that an attacker can use this method to bypass login on terminal servers and workstations with the remote desktop enabled. Since no third-party tools are being installed on the system and we are using Microsoft's own files to archive this, it will be difficult to detect for a typical administrator.
[NOTE: Sticky Keys is an accessibility feature to aid handicapped users. It allows the user to press a modifier key, such as Shift, Ctrl, Alt, or the windows key, and have it remain active until another key is pressed. WIndows Vista users can activate the feature by pressing the Shift key five times].

Topics: Windows, Microsoft

About

Ryan Naraine is a journalist and social media enthusiast specializing in Internet and computer security issues. He is currently security evangelist at Kaspersky Lab, an anti-malware company with operations around the globe. He is taking a leadership role in developing the company's online community initiative around secure content managem... Full Bio

zdnet_core.socialButton.googleLabel Contact Disclosure

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Related Stories

The best of ZDNet, delivered

You have been successfully signed up. To sign up for more newsletters or to manage your account, visit the Newsletter Subscription Center.
Subscription failed.