Tech
Vista vulnerable to 'Sticky Keys' backdoor
From the "neat-find-department" comes word from McAfee that Windows Vista is vulnerable to a Sticky Keys backdoor that could be exploited -- under perfect circumstances -- to launch malicious executables.McAfee researcher Vinoo Thomas said the security risk, which is already well-known on Windows XP, exists because Windows Vista does not check the integrity of the Sticky Keys file (%systemroot%windowssystem32sethc.
From the "neat-find-department" comes word from McAfee that Windows Vista is vulnerable to a Sticky Keys backdoor that could be exploited -- under perfect circumstances -- to launch malicious executables.
McAfee researcher Vinoo Thomas said the security risk, which is already well-known on Windows XP, exists because Windows Vista does not check the integrity of the Sticky Keys file (%systemroot%windowssystem32sethc.exe) before executing it.
Although this is considered a neat find, it is hardly a critical issue that puts uses at risk of remote code execution attacks. For starters, as Thomas himself admits, an attacker must already be logged in as an administrator to replace the executable.
An attacker with full admin rights already owns the box so it makes little sense to be manipulating executables to exploit a built-in backdoor. McAfee's Thomas suggests it could still be useful, warning that a determined attacker can always find workarounds to elevate user rights and use the backdoor to create a new user, add the new user to the administrators group via the net command and then use the account to rightfully log in using the certain commands.
McAfee researcher Vinoo Thomas said the security risk, which is already well-known on Windows XP, exists because Windows Vista does not check the integrity of the Sticky Keys file (%systemroot%windowssystem32sethc.exe) before executing it.
Which means you could replace it with another executable and run it by depressing the shift key five times. A popular replacement is "cmd.exe." After replacement, one could invoke this command prompt at the login prompt without the need to authenticate," Thomas said in a note posted on the McAfee Avert blog.Once launched, it is possible to execute explorer.exe without authenticating and get a full desktop running under the credentials of the NT Authoritysystem account. And from this point on an attacker has full access to the system.
Although this is considered a neat find, it is hardly a critical issue that puts uses at risk of remote code execution attacks. For starters, as Thomas himself admits, an attacker must already be logged in as an administrator to replace the executable.
An attacker with full admin rights already owns the box so it makes little sense to be manipulating executables to exploit a built-in backdoor. McAfee's Thomas suggests it could still be useful, warning that a determined attacker can always find workarounds to elevate user rights and use the backdoor to create a new user, add the new user to the administrators group via the net command and then use the account to rightfully log in using the certain commands.
Another alarming feature of this backdoor is that an attacker can use this method to bypass login on terminal servers and workstations with the remote desktop enabled. Since no third-party tools are being installed on the system and we are using Microsoft's own files to archive this, it will be difficult to detect for a typical administrator.[NOTE: Sticky Keys is an accessibility feature to aid handicapped users. It allows the user to press a modifier key, such as Shift, Ctrl, Alt, or the windows key, and have it remain active until another key is pressed. WIndows Vista users can activate the feature by pressing the Shift key five times].