Vista vulnerable to 'Sticky Keys' backdoor

From the "neat find" department comes word from McAfee that Windows Vista is vulnerable to a Sticky Keys backdoor that could be exploited, under the right circumstances, to launch malicious executables.

McAfee researcher Vinoo Thomas said the security risk, which is already well known on Windows XP, exists because Windows Vista does not check the integrity of the Sticky Keys executable (%systemroot%\system32\sethc.exe) before running it.

"Which means you could replace it with another executable and run it by pressing the Shift key five times. A popular replacement is cmd.exe. After replacement, one could invoke this command prompt at the login prompt without the need to authenticate," Thomas said in a note posted on the McAfee Avert blog.

Once launched, it is possible to start explorer.exe without authenticating and get a full desktop running under the NT AUTHORITY\SYSTEM account, because sethc.exe is started on the logon desktop, before any user has signed in, with the privileges of the logon process itself. From that point on an attacker has full control of the system.

Although this is considered a neat find, it is hardly a critical issue that puts users at risk of remote code execution. For starters, as Thomas himself admits, an attacker must already be logged in as an administrator to replace the executable; on Vista that also means taking ownership of the file from TrustedInstaller first, since Windows Resource Protection does not let administrators overwrite it directly. The other route is physical access (booting the machine from other media and swapping the file offline), which is a different threat model from a remote attack.

An attacker with full admin rights already owns the box, so it makes little sense to manipulate executables just to exploit a built-in backdoor. McAfee's Thomas suggests it could still be useful, warning that a determined attacker can always find workarounds to elevate privileges, then use the backdoor to create a new user, add that user to the Administrators group with the net command, and afterward log in legitimately with the new account.

Another alarming feature of this backdoor is that an attacker can use it to bypass the logon screen on terminal servers and on workstations with Remote Desktop enabled, because the five-Shift trigger also works on the logon screen presented over RDP. Since no third-party tools are installed and only Microsoft's own files are used to achieve this, the note adds, it will be difficult for a typical administrator to detect. One caveat the note does not mention: if the RDP listener is configured to require Network Level Authentication, the client must authenticate before the logon screen is ever presented, so the backdoor cannot be reached over the network that way.

[NOTE: Sticky Keys is an accessibility feature for users who have difficulty holding down more than one key at a time. It lets the user press a modifier key such as Shift, Ctrl, Alt or the Windows key and have it remain active until another key is pressed. Windows Vista users can activate the feature by pressing the Shift key five times, and the shortcut is available on the logon screen, which is why sethc.exe runs before anyone has signed in.]
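As an added example, not code from the article or from McAfee's note, the following PowerShell audit checks whether sethc.exe still looks like the Microsoft-shipped binary and whether the Remote Desktop angle discussed above is open on the machine. It assumes a hypothetical baseline table of SHA-256 hashes that you record yourself from a clean install of the same Windows build (with the table left empty the hash check is skipped), and it extends the file check to utilman.exe, which the article does not discuss but which is launched from the same logon screen and can be swapped the same way. Run it from an elevated prompt.

```powershell
# Added audit script; not from the article or McAfee's note.
# Assumption: $KnownGoodSha256 is filled in by the operator from a clean
# machine of the same Windows build. With it empty the hash check is skipped.
param(
    [hashtable]$KnownGoodSha256 = @{}
)

# sethc.exe is the file the article discusses; utilman.exe is an assumed
# generalisation, since it is launched from the same logon screen.
$targets = @('sethc.exe', 'utilman.exe')

function Get-Sha256Hex([string]$Path) {
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $stream = [System.IO.File]::OpenRead($Path)
    try {
        ($sha.ComputeHash($stream) | ForEach-Object { $_.ToString('x2') }) -join ''
    } finally {
        $stream.Dispose()
        $sha.Dispose()
    }
}

foreach ($name in $targets) {
    $path = Join-Path $env:SystemRoot "System32\$name"
    if (-not (Test-Path $path)) { Write-Warning "$path is missing"; continue }
    $findings = @()

    # 1. A cmd.exe copied over sethc.exe keeps cmd.exe's own version resource,
    #    so OriginalFilename no longer matches the name on disk.
    $orig = (Get-Item $path).VersionInfo.OriginalFilename
    if ($orig -and ($orig -ne $name)) {      # string -ne is case-insensitive
        $findings += "version resource OriginalFilename is '$orig'"
    }

    # 2. Shipped system binaries are owned by TrustedInstaller. Replacing one on
    #    Vista means taking ownership first, which leaves the Administrators
    #    group as owner unless the attacker bothers to restore it.
    $owner = (Get-Acl $path).Owner
    if ($owner -notlike '*TrustedInstaller*') {
        $findings += "owner is '$owner', not TrustedInstaller"
    }

    # 3. Operator-supplied baseline hash, when one was recorded.
    if ($KnownGoodSha256.ContainsKey($name)) {
        $hash = Get-Sha256Hex $path
        if ($hash -ne $KnownGoodSha256[$name]) {
            $findings += "SHA-256 $hash differs from the baseline"
        }
    }

    if ($findings.Count -eq 0) {
        Write-Output "${name}: OK"
    } else {
        Write-Output ("{0}: SUSPECT ({1})" -f $name, ($findings -join '; '))
    }
}

# 4. The remote angle: with Remote Desktop enabled, the logon screen and its
#    five-Shift trigger are reachable over the network. Requiring Network Level
#    Authentication forces the client to authenticate before seeing it.
$ts = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$deny = (Get-ItemProperty -Path $ts -Name fDenyTSConnections -ErrorAction SilentlyContinue).fDenyTSConnections
$nla  = (Get-ItemProperty -Path "$ts\WinStations\RDP-Tcp" -Name UserAuthentication -ErrorAction SilentlyContinue).UserAuthentication
if (($deny -eq 0) -and ($nla -ne 1)) {
    Write-Warning 'Remote Desktop is enabled without NLA: unauthenticated clients reach the logon screen where Sticky Keys fires'
}
```

An Authenticode check is deliberately absent: the swapped-in file is usually cmd.exe, itself a Microsoft-signed binary, so Get-AuthenticodeSignature reports the replacement as valid (and Vista-era PowerShell reports catalog-signed system files as NotSigned in either case). The version-resource mismatch and the change of owner are what actually distinguish a replaced sethc.exe; the baseline hash catches a replacement that a more careful attacker has given a matching version resource and restored ownership.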

Talkback

12 comments
  • well that was dumb....

    I agree it's kinda useless, but still, what a dumb thing not to address.
    JoeMama_z
  • HATE that "feature" enough that it is turned off on my computer. (NT)

    :)

    .
    wessonjoe
    • Yeah. It sure does mess up using Visual Pinball, etc.

      Press either flipper (the two [Shift] keys) five times in a row, or hold it down for several seconds (both of which are very likely to happen during the course of a typical pinball game), and you activate one of the accessibility features, disrupting the game.

      The Space Cadet pinball that comes with Windows is not vulnerable to this, since it cannot use the two Shift keys as its flipper keys (it defaults to [Z] and [?/] instead). It's also pathetic in comparison to the free Visual Pinball, which, in conjunction with the likewise free VPinMAME, can simulate just about any pinball machine ever made, and let you play or even make your own custom pinball or pinball-like machines that never existed in the real world.
      Joel R
  • Interesting, but it's not a vulnerability

    This is interesting because it involves a seldom-used, obscure accessibility feature. But it is not a vulnerability.

    If you read only one sentence of this article, this is the most important one: "For starters, as Thomas himself admits, an attacker must already be logged in as an administrator to replace the executable."

    Thomas seems to continue with "Oh, but... oh, but..." as he tries to come up with ways that this is still a vulnerability. "...a determined attacker can always find workarounds to elevate user rights." Well, then *those* "workarounds", if any, are where vulnerabilities lie. The StickyKeys "vulnerability" is NOT a vulnerability at all.
    PB_z
    • Not quite true

      At the community college where I go, each computer lab has a timekeeper computer that runs an application that everyone has to sign into so that the lab can record their time (I don't know why they do this). Every timekeeper runs from an admin account, and they are easily accessible to students. At points where the lab is nearly deserted, anyone with a pre-programmed hack on a flash drive could access the computers with admin privileges, just not for a long time. So Sticky Keys could be a problem in that situation.
      Bucky24
      • That's your lab & timekeeper's problem, not Windows'

        Sounds like your lab's admins need to find a better solution that doesn't involve making an administrative program accessible to end users.
        PB_z
  • Amazing

    People are trying SO hard to make Vista look vulnerable. This particular blog is a perfect example. As others have pointed out, this is not a vulnerability since you need to be logged on as admin to "exploit" this in the first place. Come again?

    You'd think people posting articles/blogs on a technical website would not need to use misleading headlines like "Vista vulnerable to 'Sticky Keys' backdoor" to get hits, but there you go.

    And people talk about "The FUD coming out of Redmond". Go take a look in the mirror, Mr Naraine...
    Qbt
  • Why don't they just...

    ...run a story with the headline:

    "Vista shock - Administrators able to delete files!!"

    This makes no sense and is pure sensationalism.
    anthony.w.ryan@...
  • Notice who is saying these things

    Nearly every attack on Vista security comes from a "Researcher" associated with McAfee, Symantec or one of the other anti-virus companies. Of course they want you to believe your computer is as vulnerable as ever - otherwise you will stop paying for their added security.
    jacobsrl
    • LOL

      "Nearly every attack on Vista security comes from a "Researcher" associated with McAfee, Symantec or one of the other anti-virus companies. Of course they want you to believe your computer is as vulnerable as ever - otherwise you will stop paying for their added security."
      With the wide holes in Windows OneCare (and the other tools Microsoft provides; an example follows, confirmed by independent researchers), I wonder that anyone would trust Microsoft to protect their empty lunch bag, much less against viruses, trojans and the like.

      Example: I knew I had two trojans on my box (just not in the path or where normal users could even see them) when I ran Microsoft's Malicious Software Removal tool last month. It missed both. Makes you feel real safe, doesn't it? Sophos found and nuked both.

      All that being said, I will admit that this sounds more like a poorly-thought-out feature than a vulnerability. Nobody, but nobody needs to run as NT SYSTEM AUTHORITY. StickyKeys is an annoyance to me, but I have it left on for specific reasons.
      Raymond Danner
  • Completely wrong

    SETHC.EXE is protected by Windows File Protection. If it is changed or replaced, the system will put the correct file back from the file cache.

    The only way to override this is with the installer or by turning off protection.

    This is one good reason why no one should run as an administrator. If you are not using an admin account, then trojans and malware cannot easily fool you into installing malware that can exploit this.

    It's not a vulnerability any more than any other file. Executing cmd.exe before login runs CMD with limited capability.
    jvierra
  • Comes in handy...

    ...when you need to change the admin password on a PC that for some reason nobody seems to remember anymore. Boot with a DOS disk, use NTFS4DOS to mount the boot volume, and change the files. Then use it to change the pw for the admin.
    axarce@...