Comments on: Vista Sticky Keys Backdoor http://www.computerdefense.org/2007/03/vista-sticky-keys-backdoor/ Sharing my thoughts with the world. Wed, 16 Nov 2011 02:58:20 +0000 hourly 1 http://wordpress.org/?v=3.2.1 By: Adam http://www.computerdefense.org/2007/03/vista-sticky-keys-backdoor/comment-page-1/#comment-77459 Adam Mon, 19 Jan 2009 14:20:06 +0000 http://www.computerdefense.org/?p=286#comment-77459 I agree that this is more a proof of concept than a vulnerability. It does however highlight the fact that if you do have physical access to the system; there is nearly always a way in (BIOS level controls can be easily by-passed). It has even been shown that whole disk encryption may be vulnerable to cold boot attack (http://citp.princeton.edu/memory/) and MS have made a nice little USB device which gives investigators full access to Vista, by passing everything including Bit-Locker (http://seattletimes.nwsource.com/html/microsoft/2004379751_msftlaw29.html) I have seen plenty of places who give admin access to users by default "because it is easier" and "forget" to lock their sever rooms. So this may be a proof of concept and there may be other ways in, but none the less it highlights the need for good physical security in server rooms and the use of a robust security policy that makes data on stolen devices hard to get off. I agree that this is more a proof of concept than a vulnerability. It does however highlight the fact that if you do have physical access to the system; there is nearly always a way in (BIOS level controls can be easily by-passed). It has even been shown that whole disk encryption may be vulnerable to cold boot attack (http://citp.princeton.edu/memory/) and MS have made a nice little USB device which gives investigators full access to Vista, by passing everything including Bit-Locker (http://seattletimes.nwsource.com/html/microsoft/2004379751_msftlaw29.html)

I have seen plenty of places who give admin access to users by default "because it is easier" and "forget" to lock their sever rooms. So this may be a proof of concept and there may be other ways in, but none the less it highlights the need for good physical security in server rooms and the use of a robust security policy that makes data on stolen devices hard to get off.

]]> By: Anonymous http://www.computerdefense.org/2007/03/vista-sticky-keys-backdoor/comment-page-1/#comment-62257 Anonymous Tue, 19 Aug 2008 04:39:56 +0000 http://www.computerdefense.org/?p=286#comment-62257 In sentence 3 you state: "Now Vinoo, the author of the McAfee article, claims that you will have system privileges. To test this I used whoami from the Windows Resource Tookit. Surprise, Surprise... I'm still my user... not System." You're supposed to hit Shift 5 times at the Ctrl-Alt-Del Logon Screen, i.e. before you've logged on as a user. If you do this, sethc.exe will be invoked as SYSTEM. In sentence 3 you state:

“Now Vinoo, the author of the McAfee article, claims that you will have system privileges. To test this I used whoami from the Windows Resource Tookit. Surprise, Surprise… I’m still my user… not System.”

You’re supposed to hit Shift 5 times at the Ctrl-Alt-Del Logon Screen, i.e. before you’ve logged on as a user. If you do this, sethc.exe will be invoked as SYSTEM.

]]> By: Adam http://www.computerdefense.org/2007/03/vista-sticky-keys-backdoor/comment-page-1/#comment-49566 Adam Mon, 05 May 2008 05:17:59 +0000 http://www.computerdefense.org/?p=286#comment-49566 I agree that this is more a proof of concept than a vulnerability. It does however highlight the fact that if you do have physical access to the system; there is nearly always a way in (BIOS level controls can be easily by-passed). It has even been shown that whole disk encryption may be vulnerable to cold boot attack (http://citp.princeton.edu/memory/) and MS have made a nice little USB device which gives investigators full access to Vista, by passing everything including Bit-Locker (http://seattletimes.nwsource.com/html/microsoft/2004379751_msftlaw29.html) I have seen plenty of places who give admin access to users by default "because it is easier" and "forget" to lock their sever rooms. So this may be a proof of concept and there may be other ways in, but none the less it highlights the need for good physical security in server rooms and the use of a robust security policy that makes data on stolen devices hard to get off. I agree that this is more a proof of concept than a vulnerability. It does however highlight the fact that if you do have physical access to the system; there is nearly always a way in (BIOS level controls can be easily by-passed). It has even been shown that whole disk encryption may be vulnerable to cold boot attack (http://citp.princeton.edu/memory/) and MS have made a nice little USB device which gives investigators full access to Vista, by passing everything including Bit-Locker (http://seattletimes.nwsource.com/html/microsoft/2004379751_msftlaw29.html)

I have seen plenty of places who give admin access to users by default “because it is easier” and “forget” to lock their sever rooms. So this may be a proof of concept and there may be other ways in, but none the less it highlights the need for good physical security in server rooms and the use of a robust security policy that makes data on stolen devices hard to get off.

]]> By: Caleb http://www.computerdefense.org/2007/03/vista-sticky-keys-backdoor/comment-page-1/#comment-4906 Caleb Fri, 23 Mar 2007 08:25:30 +0000 http://www.computerdefense.org/?p=286#comment-4906 Most OEM vendors allow hitting the f2 or f8 key to select bootup device at startup. I know for a fact that Dell and IBM do. Besides it will be interesting to have some statistics on how many admins actually bother to set a password and disable other boot devices to harden the bios. Most OEM vendors allow hitting the f2 or f8 key to select bootup device at startup. I know for a fact that Dell and IBM do. Besides it will be interesting to have some statistics on how many admins actually bother to set a password and disable other boot devices to harden the bios.

]]> By: Tyler Reguly http://www.computerdefense.org/2007/03/vista-sticky-keys-backdoor/comment-page-1/#comment-4591 Tyler Reguly Sat, 17 Mar 2007 03:59:24 +0000 http://www.computerdefense.org/?p=286#comment-4591 Caleb: It's definitely not an issue of me not seeing other ways... I suppose we could add a third item to a list... 3. This is useless in a properly secured environment. That would cover your scenarios. In any business environment the BIOS on the machines should be set to only allow boot from HDD. Proper security dictates that CD-Rom, USB and Floppy boot should all be disabled and the BIOS should be locked with a password to prevent that from being changed. If your security is lax then you have bigger problems than this one. Caleb:

It’s definitely not an issue of me not seeing other ways… I suppose we could add a third item to a list…

3. This is useless in a properly secured environment.

That would cover your scenarios. In any business environment the BIOS on the machines should be set to only allow boot from HDD. Proper security dictates that CD-Rom, USB and Floppy boot should all be disabled and the BIOS should be locked with a password to prevent that from being changed.

If your security is lax then you have bigger problems than this one.

]]> By: Caleb http://www.computerdefense.org/2007/03/vista-sticky-keys-backdoor/comment-page-1/#comment-4589 Caleb Sat, 17 Mar 2007 03:51:09 +0000 http://www.computerdefense.org/?p=286#comment-4589 You fail to see other ways an insider can replace this file. An employee with access to the machine can boot it from BartPE or Knoppix and replace the sticky keys file. And once this is done, you have backdoor access to the box with admin right ;-) You fail to see other ways an insider can replace this file. An employee with access to the machine can boot it from BartPE or Knoppix and replace the sticky keys file. And once this is done, you have backdoor access to the box with admin right ;-)

]]>