Vista Sticky Keys Backdoor
I know... I'd laugh at the title as well... So let me clarify a few things. I'm not calling this a backdoor... I'm quoting the original post over at McAfee Avert Labs. I also don't agree with the issue here... to put it into a single sentence, it basically says, "If I have physical administrative access to your computer, then I can get system access." I did some testing of this on both XP and Vista (since it's apparently a legacy "backdoor" back as far as 2000) and I'd like to shed some light on it. If this isn't clear yet, I agree with Bill on this subject.
Let's start by declaring what exactly we're looking at. A common accessibility feature in Windows is known as "Sticky Keys" (those of you with your minds in the gutter can take a short break for the toilet humour). This feature is activated by tapping the Shift Key 5 times. The concept with the "backdoor" is that if you replace the Sticky Keys executable (sethc.exe) with another application (perhaps cmd.exe), the new application will be executed when you press Shift 5 times.
So XP first, since this is a legacy backdoor. If I rename sethc.exe to sethc.bak and then copy over cmd.exe, by the time I go to rename it Windows File Protection has restored sethc.exe. Ok, so that's easy enough to bypass... now I've got sethc.exe which is actually just cmd.exe. I press Shift 5 times and sure enough a command prompt opens. Now Vinoo, the author of the McAfee article, claims that you will have system privileges. To test this I used whoami from the Windows Resource Toolkit. Surprise, surprise... I'm still my user... not System.
Now let's go on to Vista, and I'll admit, I didn't spend very long on my testing... but here's what I found out. Sticky Keys still runs if you press the Shift key 5 times. So let's see if we can "backdoor" it like we did with XP... Sure enough, we can't... We don't have permission to rename it... UAC kicks in, but even with that, because of TrustedInstaller, we can't rename it. So Vinoo has provided a method of taking ownership of the file. In the end, I encountered a minimum of 3 UAC prompts and I had to launch an Administrative command prompt. I had to change who I assigned ownership to, since copying the files while in a GUI required my user to have access, not Administrator, but that's a minor point. The interesting thing is that if you are logged in you get a standard user command prompt... this was misleading in Vinoo's write-up; the only time you get a System account is if you make use of this from the login screen.
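From the defender's side, the swap described above leaves traces an administrator can look for: sethc.exe that hashes the same as cmd.exe, a version resource whose original filename is not sethc.exe, a broken or non-Microsoft Authenticode signature, an owner other than TrustedInstaller (the owner that blocked the rename in the first place), and a leftover sethc.bak. The following PowerShell check is an added example, not code from the original post or from McAfee; it assumes a default %SystemRoot%\System32 install path, a modern PowerShell with Get-FileHash, and that the genuine binary is Microsoft-signed and owned by NT SERVICE\TrustedInstaller.

```powershell
# Added example: integrity check for the Sticky Keys binary (sethc.exe).
# Not from the original post. Assumptions: default System32 path, PowerShell 4+
# (Get-FileHash), genuine file is Microsoft-signed and owned by TrustedInstaller.
$sys32 = Join-Path $env:SystemRoot 'System32'

function Test-StickyKeysBinary {
    param(
        [string]$Path      = (Join-Path $sys32 'sethc.exe'),
        [string]$Reference = (Join-Path $sys32 'cmd.exe')
    )
    $findings = @()

    if (-not (Test-Path $Path)) { return @("sethc.exe missing at $Path") }

    # 1. A swapped-in binary is usually a byte-for-byte copy of cmd.exe
    $hashSethc = (Get-FileHash -Algorithm SHA256 -Path $Path).Hash
    $hashCmd   = (Get-FileHash -Algorithm SHA256 -Path $Reference).Hash
    if ($hashSethc -eq $hashCmd) {
        $findings += "sethc.exe is identical to cmd.exe (SHA256 $hashSethc)"
    }

    # 2. The version resource of the real file names itself sethc.exe;
    #    a copied cmd.exe still says Cmd.Exe
    $origName = (Get-Item $Path).VersionInfo.OriginalFilename
    if ($origName -and $origName -notmatch '^sethc\.exe$') {
        $findings += "version resource OriginalFilename is '$origName'"
    }

    # 3. The genuine file carries a valid Microsoft Authenticode signature
    $sig = Get-AuthenticodeSignature -FilePath $Path
    if ($sig.Status -ne 'Valid') {
        $findings += "signature status: $($sig.Status)"
    } elseif ($sig.SignerCertificate.Subject -notmatch 'Microsoft') {
        $findings += "unexpected signer: $($sig.SignerCertificate.Subject)"
    }

    # 4. Taking ownership (the step needed to get past TrustedInstaller) changes the owner
    $owner = (Get-Acl -Path $Path).Owner
    if ($owner -ne 'NT SERVICE\TrustedInstaller') {
        $findings += "owner is '$owner', expected NT SERVICE\TrustedInstaller"
    }

    # 5. The renamed original left beside it is a giveaway
    $bak = Join-Path (Split-Path $Path) 'sethc.bak'
    if (Test-Path $bak) { $findings += "renamed original present: $bak" }

    if ($findings.Count -eq 0) { return 'OK: sethc.exe looks unmodified' }
    return $findings
}

Test-StickyKeysBinary
```

Run it from an elevated prompt so Get-Acl can read the owner. Any single finding is enough to warrant restoring the file from a known-good source, and on a domain the same function can be pushed out as a scheduled check, since the login-screen variant only matters on machines nobody is watching.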
So that sounds like a backdoor and probably a pretty good one... It leaves you a way to come back to the computer later... and, as Vinoo says, we're talking about insider threats here. If that's the case, one has to question the security of these companies in the first place, allowing their users administrator access to the systems. Essentially that's what it comes down to: an Administrator can backdoor the computer... not an end user, but an Administrator... I'm sure that a malicious insider could find easier ways to get into the system... All this proves is what is already known:
- System access is a hop, skip and a jump from Administrator Access
- Users shouldn't be trusted with Administrator Access
This has been hyped up quite a bit more than it should have been...