
Vista Sticky Keys Backdoor

March 13th, 2007

I know... I'd laugh at the title as well... So let me clarify a few things. I'm not calling this a backdoor... I'm quoting the original post over at McAfee Avert Labs. I also don't agree with the issue here... to put it into a single sentence, it basically says, "If I have physical administrative access to your computer, then I can get system access." I did some testing of this on both XP and Vista (since it's apparently a legacy "backdoor" back as far as 2000) and I'd like to shed some light on it. If this isn't clear yet, I agree with Bill on this subject.

Let's start by declaring what exactly we're looking at. A common accessibility feature in Windows is known as "Sticky Keys" (those of you with your minds in the gutter can take a short break for the toilet humour). This feature is activated by tapping the Shift Key 5 times. The concept with the "backdoor" is that if you replace the Sticky Keys executable (sethc.exe) with another application (perhaps cmd.exe), the new application will be executed when you press Shift 5 times.

So XP first, since this is a legacy backdoor. If I rename sethc.exe to sethc.bak and then copy over cmd.exe, by the time I go to rename it, Windows File Protection has restored sethc.exe. Ok, so that's easy enough to bypass... now I've got sethc.exe which is actually just cmd.exe. I press Shift 5 times and sure enough a command prompt opens. Now Vinoo, the author of the McAfee article, claims that you will have system privileges. To test this I used whoami from the Windows Resource Toolkit. Surprise, Surprise... I'm still my user... not System.

Now let's go on to Vista, and I'll admit, I didn't spend very long on my testing... but here's what I found out. Sticky Keys still runs if you press the Shift key 5 times. So let's see if we can "backdoor" it like we did with XP... Sure enough, we can't... We don't have permission to rename it... UAC kicks in, but even with that, because of TrustedInstaller, we can't rename it. So Vinoo has provided a method of taking ownership of the file. In the end, I encountered a minimum of 3 UAC prompts and I had to launch an Administrative command prompt. I had to change who I assigned ownership to, since copying the files while in a GUI required my user to have access, not Administrator, but that's a minor point. The interesting thing is that if you are logged in you get a standard user command prompt... this was misleading in Vinoo's write-up; the only time you get a system account is if you make use of this from the login screen.

So that sounds like a backdoor and probably a pretty good one... It leaves you a way to come back to the computer later... and as Vinoo says we're talking about insider threats here. If that's the case, one has to question the security of these companies in the first place, allowing their users administrator access to the systems. Essentially that's what it comes down to, an Administrator can backdoor the computer... not an end user, but an Administrator... I'm sure that a malicious insider could find easier ways to get into the system... All this proves is what is already known:

  1. System access is a hop, skip and a jump from Administrator Access
  2. Users shouldn't be trusted with Administrator Access

This has been hyped up quite a bit more than it should have been...
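The post describes the whole trick as a file swap: sethc.exe in System32 is replaced by a copy of cmd.exe, and on Vista that first requires taking ownership away from TrustedInstaller. That gives a defender four cheap things to look at on the file itself. The script below is an added example written for this page; it is not code from the original post or from the McAfee article. It assumes Vista or later (the TrustedInstaller ownership check does not apply to XP), PowerShell 4 or newer for Get-FileHash, and enough rights to read ACLs in System32. It generalizes slightly beyond the post by also checking utilman.exe, the other accessibility helper the logon screen can launch; the list is a parameter so it can be narrowed back to sethc.exe alone.

```powershell
# Added example (not from the original post): integrity check for the
# accessibility binary that Shift x5 launches, written for Vista and later.
# Assumptions: run with rights to read System32 ACLs; Get-FileHash and
# Get-AuthenticodeSignature available (PowerShell 4+).

function Test-AccessibilityBinary {
    [CmdletBinding()]
    param(
        # sethc.exe is the binary discussed in the post; utilman.exe is the
        # other logon-screen accessibility helper and is checked the same way.
        [string[]]$Name = @('sethc.exe', 'utilman.exe')
    )

    $system32 = Join-Path $env:SystemRoot 'System32'
    $cmdHash  = (Get-FileHash -Algorithm SHA256 (Join-Path $system32 'cmd.exe')).Hash

    foreach ($n in $Name) {
        $path     = Join-Path $system32 $n
        $findings = @()

        if (-not (Test-Path $path)) {
            [pscustomobject]@{ File = $n; Suspicious = $true; Findings = @('missing') }
            continue
        }

        $item = Get-Item $path

        # 1. A swapped-in cmd.exe is byte-identical to the real cmd.exe.
        if ((Get-FileHash -Algorithm SHA256 $path).Hash -eq $cmdHash) {
            $findings += 'hash matches cmd.exe'
        }

        # 2. The version resource names the original binary; a renamed copy of
        #    cmd.exe still reports cmd.exe's own name here (comparison is
        #    case-insensitive, PowerShell's default for -ne).
        $orig = $item.VersionInfo.OriginalFilename
        if ($orig -and ($orig -ne $n)) {
            $findings += "OriginalFilename is '$orig'"
        }

        # 3. Windows binaries carry a valid Microsoft signature. See the note
        #    below about catalog-signed files on older PowerShell versions.
        $sig = Get-AuthenticodeSignature $path
        if ($sig.Status -ne 'Valid' -or $sig.SignerCertificate.Subject -notmatch 'Microsoft') {
            $findings += "signature status $($sig.Status)"
        }

        # 4. On Vista and later the file is owned by TrustedInstaller; the post
        #    shows that replacing it means taking ownership first, so a
        #    different owner is worth a look even if the content is intact.
        $owner = (Get-Acl $path).Owner
        if ($owner -ne 'NT SERVICE\TrustedInstaller') {
            $findings += "owner is '$owner'"
        }

        [pscustomobject]@{
            File       = $n
            Suspicious = ($findings.Count -gt 0)
            Findings   = $findings
        }
    }
}

# Usage: one row per binary; Suspicious is $true when any check fires.
Test-AccessibilityBinary | Format-Table -AutoSize
```

Two caveats on reading the output. Check 3 only works where the file's signature is verifiable from PowerShell: many System32 binaries are catalog-signed rather than embedded-signed, and on older Windows/PowerShell combinations Get-AuthenticodeSignature reports those as NotSigned for every file, so treat that finding as informational unless checks 1, 2 or 4 also fire. And the checks are about the file in place; they say nothing about whether someone pressed Shift five times at the logon screen, which is why the hash and owner results are best recorded on a known-good build and compared over time rather than judged once.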

  1. Caleb
    March 16th, 2007 at 22:51 | #1

    You fail to see other ways an insider can replace this file. An employee with access to the machine can boot it from BartPE or Knoppix and replace the sticky keys file. And once this is done, you have backdoor access to the box with admin rights ;-)

  2. March 16th, 2007 at 22:59 | #2

    Caleb:

    It’s definitely not an issue of me not seeing other ways… I suppose we could add a third item to a list…

    3. This is useless in a properly secured environment.

    That would cover your scenarios. In any business environment the BIOS on the machines should be set to only allow boot from HDD. Proper security dictates that CD-Rom, USB and Floppy boot should all be disabled and the BIOS should be locked with a password to prevent that from being changed.

    If your security is lax then you have bigger problems than this one.

  3. Caleb
    March 23rd, 2007 at 03:25 | #3

    Most OEM vendors allow hitting the F2 or F8 key to select the bootup device at startup. I know for a fact that Dell and IBM do. Besides, it will be interesting to have some statistics on how many admins actually bother to set a password and disable other boot devices to harden the BIOS.

  4. May 5th, 2008 at 01:17 | #4

    I agree that this is more a proof of concept than a vulnerability. It does however highlight the fact that if you do have physical access to the system, there is nearly always a way in (BIOS level controls can be easily bypassed). It has even been shown that whole disk encryption may be vulnerable to cold boot attack (http://citp.princeton.edu/memory/) and MS have made a nice little USB device which gives investigators full access to Vista, bypassing everything including BitLocker (http://seattletimes.nwsource.com/html/microsoft/2004379751_msftlaw29.html).

    I have seen plenty of places who give admin access to users by default “because it is easier” and “forget” to lock their server rooms. So this may be a proof of concept and there may be other ways in, but nonetheless it highlights the need for good physical security in server rooms and the use of a robust security policy that makes data on stolen devices hard to get off.

  5. Anonymous
    August 19th, 2008 at 00:39 | #5

    In sentence 3 you state:

    “Now Vinoo, the author of the McAfee article, claims that you will have system privileges. To test this I used whoami from the Windows Resource Toolkit. Surprise, Surprise… I’m still my user… not System.”

    You’re supposed to hit Shift 5 times at the Ctrl-Alt-Del Logon Screen, i.e. before you’ve logged on as a user. If you do this, sethc.exe will be invoked as SYSTEM.

