29
May
Posted in Windows by carlosap |
Windows Vista Vulnerable to StickyKeys Backdoor
Monday March 12, 2007 at 8:11 am CST
Posted by Vinoo Thomas
StickyKeys is an accessibility feature to aid handicapped users. It allows the user to press a modifier key, such as the Shift key, and have it remain active until another key is pressed. StickyKeys is activated by pressing the Shift key (or another modifier key) five times in sequence, at which point a beep sounds. Sounds innocuous, right? Dead wrong!
Apparently, Windows Vista does not check the integrity of the file that launches StickyKeys, “c:/windows/system32/sethc.exe”, before executing it, which means you could replace it with another executable and run it by pressing the Shift key five times. A popular replacement is “cmd.exe.” After replacement, one could invoke this command prompt at the login prompt without the need to authenticate, as shown in the screenshot below.
[Screenshot: Invoking Sticky Keys]
Once launched, it is possible to execute explorer.exe without authenticating and get a full desktop running under the credentials of the NT Authority\system account. And from this point on an attacker has full access to the system.
[Screenshot: Launching desktop via Sticky Keys]
This legacy backdoor method is not something new; Windows 2000 and XP are also vulnerable. Applying the latest Windows updates ensures that “sethc.exe” is protected by Windows File Protection. In Vista, replacing system files is more difficult because of TrustedInstaller. However, running the following two commands nullifies this.
takeown /f c:\windows\system32\sethc.exe
cacls c:\windows\system32\sethc.exe /G administrator:F
Executing the above commands successfully requires an administrator to be logged in, but a determined attacker can always find workarounds to exploit this built-in backdoor. In fact, once a command prompt is obtained via this method, we can use it to create a new user, add this user to the Administrators group via the net command, and then use this account to rightfully log in, using the following commands.
net user USERNAME /add
net localgroup administrators USERNAME
One can always argue that an attacker actually needs access to the machine to be able to pull this off. Of all the unauthorized system access incidents that organizations reported last year, roughly 27% were by internal employees. And it is this threat from within (disgruntled or naughty employees) that poses the greatest computer security threat to organizations today.
Another alarming feature of this backdoor is that an attacker can use this method to bypass login on terminal servers and workstations with Remote Desktop enabled. Since no third-party tools are being installed on the system and we are using Microsoft’s own files to achieve this, it will be difficult for a typical administrator to detect.
Perhaps one can uninstall the Accessibility Tools feature, which is installed by default to avoid this fairly simple, yet potentially serious built-in backdoor. And don’t forget to hit the shift key five times and see what pops up on your desktop.
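Since the whole trick rests on sethc.exe being silently replaced by cmd.exe, the simplest defensive check is to hash the accessibility binary and compare it both with cmd.exe in the same directory and with a baseline hash recorded from a known-good image. The following Python script is an added example, not part of the original post or of any Microsoft tooling; the System32 directory, file contents and baseline it builds in demo() are constructed stand-ins, and the baseline dictionary is an assumption about how a defender would store known-good hashes.

```python
"""Added example: flag a sethc.exe that has been swapped for cmd.exe.

Two checks are performed on each accessibility binary:
  1. is it byte-for-byte identical to cmd.exe in the same directory?
  2. does its SHA-256 differ from a baseline recorded when the machine
     was known-good (the baseline format is an assumption of this demo)?
Run check_sethc(r"C:\\Windows\\System32", baseline) on a real host; demo()
uses a constructed directory so the script runs offline on any platform.
"""
import hashlib
import tempfile
from pathlib import Path
from typing import Dict, List, Optional, Tuple

# The post only discusses sethc.exe; extend this tuple to cover other
# accessibility binaries if your baseline includes them.
ACCESSIBILITY_BINARIES = ("sethc.exe",)


def sha256_of(path: Path) -> str:
    """Stream the file through SHA-256 so large binaries do not load into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def check_sethc(system32: str, baseline: Optional[Dict[str, str]] = None) -> List[str]:
    """Return human-readable findings; an empty list means nothing suspicious."""
    sysdir = Path(system32)
    findings: List[str] = []
    cmd_path = sysdir / "cmd.exe"
    cmd_hash = sha256_of(cmd_path) if cmd_path.is_file() else None
    for name in ACCESSIBILITY_BINARIES:
        target = sysdir / name
        if not target.is_file():
            findings.append(f"{name}: missing")
            continue
        digest = sha256_of(target)
        if cmd_hash and digest == cmd_hash:
            findings.append(f"{name}: identical to cmd.exe (replaced)")
        if baseline and name in baseline and baseline[name] != digest:
            findings.append(f"{name}: hash {digest[:12]}... differs from baseline")
    return findings


def demo() -> Tuple[List[str], List[str]]:
    """Build a constructed System32 directory, record a baseline, then
    overwrite sethc.exe with cmd.exe exactly as the post describes and
    run the check before and after the swap."""
    with tempfile.TemporaryDirectory() as d:
        sysdir = Path(d)
        (sysdir / "cmd.exe").write_bytes(b"MZ-constructed-cmd")      # constructed stand-in
        (sysdir / "sethc.exe").write_bytes(b"MZ-constructed-sethc")  # constructed stand-in
        baseline = {"sethc.exe": sha256_of(sysdir / "sethc.exe")}
        clean = check_sethc(d, baseline)
        # simulate the backdoor: sethc.exe now carries cmd.exe's bytes
        (sysdir / "sethc.exe").write_bytes((sysdir / "cmd.exe").read_bytes())
        swapped = check_sethc(d, baseline)
    return clean, swapped


if __name__ == "__main__":
    before, after = demo()
    print("clean image:", before or ["ok"])
    print("after swap :", after)
```

The cmd.exe comparison catches the exact swap in the post; the baseline comparison catches any other replacement binary. On a live Windows host the same idea can be reinforced with the Authenticode signature of the file, which a renamed cmd.exe still carries but under the wrong original file name.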
28
May
Posted in CentOS by carlosap |
http://www.alcancelibre.org/staticpages/index.php/SAMBALDAP-CENTOS5
28
May
Posted in debian / ubuntu by carlosap |
http://www.ruf.rice.edu/~rlug/help/tips-ssh.html
Use this on Debian based boxes:
Use update-rc.d to create the symlinks to the appropriate runlevel directories.
update-rc.d -f ssh defaults 20
Since there are tons of brute force attacks against SSH captured by DenyHosts:
http://stats.denyhosts.net/stats.html
I’d consider it a bad idea to allow remote ssh (i.e. via the external interface) to the Untangle ssh server (i.e. if you have either manually symlinked /etc/rc3.d/… and /etc/rc5.d/… to /etc/init.d/ssh or have enabled the “Config -> Support -> Allow Untangle Support…” option).
The easiest way to secure the SSH server on Untangle is to bind the server to the LAN (internal interface) IP address rather than the default (which is all interfaces). To do so:
Quote:
ssh root@your_untangle_server
vi /etc/ssh/sshd_config
add a line:
ListenAddress 192.168.1.1
save the file.
restart ssh:
/etc/init.d/ssh restart
Replace 192.168.1.1 (above) with the internal IP address of your Untangle server.
After restarting ssh, you can connect to it from your internal network but not from the internet, so it won’t be subject to brute force password attacks.
Note: Untangle support will not be able to access your Untangle server so if you rely on their support efforts, don’t do this (or do it and if you need their support, remember to comment out the ListenAddress line and restart ssh).
For extra security:
If you’ve set up other users on Untangle (i.e. using useradd from the command line or similar), it’s usually a good idea to set
“PermitRootLogin no” in /etc/ssh/sshd_config to prevent users from logging in as root (since everybody knows that the ssh server has a root account). You may require root access, so you’ll need to use “sudo” after you log in as non-root. This may be overkill if you’ve restricted external access (as described above) and your LAN is trusted.
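Both recommendations above come down to two lines in /etc/ssh/sshd_config, so they are easy to audit. The script below is an added example, not from the original post or from Untangle: it parses an sshd_config text, reports when no ListenAddress is set (sshd then binds to all interfaces), when a ListenAddress falls outside the trusted LAN, and when PermitRootLogin is anything other than no. The two config texts are constructed samples; the LAN range is passed in by the caller.

```python
"""Added example: audit sshd_config for the two settings recommended above.

Findings are returned as a list of strings so the function can be called
from a script or an inventory job; an empty list means both settings match.
"""
import ipaddress
from typing import Dict, List


def parse_sshd_config(text: str) -> Dict[str, List[str]]:
    """Map lower-cased keyword -> list of values, skipping comments and blanks.
    Most sshd keywords take their first occurrence, but ListenAddress may
    repeat, so every value is kept in order."""
    opts: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.replace("=", " ", 1).split(None, 1)  # "Key value" or "Key=value"
        if len(parts) != 2:
            continue
        opts.setdefault(parts[0].lower(), []).append(parts[1].strip())
    return opts


def _listen_host(entry: str) -> str:
    """Strip an optional port from a ListenAddress value ("host:port" or "[v6]:port")."""
    if entry.startswith("["):
        return entry[1:entry.index("]")]
    if entry.count(":") == 1:
        return entry.split(":")[0]
    return entry


def audit_sshd_config(text: str, lan_network: str) -> List[str]:
    """lan_network is the trusted internal range in CIDR notation."""
    opts = parse_sshd_config(text)
    lan = ipaddress.ip_network(lan_network)
    findings: List[str] = []

    listens = opts.get("listenaddress", [])
    if not listens:
        findings.append("no ListenAddress: sshd binds to all interfaces")
    for entry in listens:
        try:
            addr = ipaddress.ip_address(_listen_host(entry))
        except ValueError:
            findings.append(f"ListenAddress {entry}: not an IP address, check what it resolves to")
            continue
        if addr.is_unspecified or addr not in lan:
            findings.append(f"ListenAddress {entry}: not inside the LAN {lan_network}")

    root = opts.get("permitrootlogin", [])
    if not root:
        findings.append("PermitRootLogin not set explicitly; set it to no")
    elif root[0].lower() != "no":
        findings.append(f"PermitRootLogin {root[0]}: root can log in over SSH")
    return findings


# Constructed samples: before and after the changes described above.
DEFAULT_CONFIG = """# constructed sample: listens everywhere, root allowed
Port 22
Protocol 2
PermitRootLogin yes
"""

HARDENED_CONFIG = """# constructed sample: bound to the LAN address, root denied
Port 22
Protocol 2
ListenAddress 192.168.1.1
PermitRootLogin no
"""

if __name__ == "__main__":
    for name, cfg in (("default", DEFAULT_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_sshd_config(cfg, "192.168.1.0/24") or ["ok"])
```

Run it against a real file with `audit_sshd_config(open("/etc/ssh/sshd_config").read(), "192.168.1.0/24")`. Note that ListenAddress 0.0.0.0 is flagged deliberately: it is an explicit way of binding to every interface and defeats the point of the change.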
23
May
Posted in Blog Personal by carlosap |
http://www.revver.com/video/693534/17-tareas-posteriores-a-la-instalacion-de-active-directory/
22
May
Posted in CentOS, Fedora by carlosap |
Hi Folks,
I’ve searched through this board and noticed a few folks have had this problem. Mine
started after installing an ethernet card. The screen came up blue: “Registry file
failure. The registry cannot load the hive file System Root\System32\Config\Software”.
I found this apparent fix when booting from the Windows XP CD.
Quote:
Do you have a XP CD? If so, boot into the recovery console from it and type the following:
cd system32
cd config
ren software software.bak
ren system system.bak
cd ..
cd ..
cd repair
copy software c:\windows\system32\config
copy system c:\windows\system32\config
This restores XP to brand new. You have all data, but a fresh registry. Whatever
you do, DON’T REBOOT UNTIL YOU’RE DONE WHATEVER YOU’RE DOING!!! It will probably
die again.
End of Quote
The problem is that I’m not that great with computers and I followed the wording
EXACTLY. After the first entries I come to
“ren software software.bak”, which, after I have changed to the Config directory, says
“the system cannot find the file or directory specified”. I think I’m missing something
here. I just typed “cd..” like it said etc., and it said the same thing. Can someone
clarify EXACTLY how this should be typed in the recovery part of the CD? I also
note it says copy software c:\windows\system32\config
I have XP on a D drive (the recovery mode notes the file as D:WinXP),
so I assume I should type “d:\winxp\system32 etc.” instead?
I have 2 hard drives, the first being a tiny 540k which runs Win95 in emergencies
like this but is pretty useless otherwise. Can someone sort this out for me or suggest
other fixes for this dreaded registry problem? Very depressing.
Thank you for your time.
Kevin
14
May
Posted in Blog Personal by carlosap |
Cisco IOS Software, C3550 Software (C3550-IPBASE-M), Version 12.2(25)SEB4, RELEASE SOFTWARE (fc1)
Copyright (c) 1986-2005 by Cisco Systems, Inc.
Compiled Tue 30-Aug-05 13:14 by yenanh
12
May
Posted in CentOS by carlosap |
Configuring bridges for multiple VLANs
This section will be beefed up a bit later. I’m rushing it out due to popular demand!
12
May
Posted in CentOS by carlosap |
How do I configure my Red Hat Enterprise Linux 3 system to use 802.1q Virtual Local Area Network (VLAN) tagging for all network communication?
4
May
Posted in Blog Personal by carlosap |
http://www.meebo.com
2
May
Posted in CentOS by carlosap |
CentOS 5 (Red Hat-based). I’m connecting to a Cisco Router via serial cable.
1) Run ‘minicom -s’ first to enter configuration mode; this opens a text-based menu. Note: use “ENTER” to exit any menu except the main menu.
2) Under “Serial Port Setup” mine was set to the default /dev/modem and 38400. I had to manually change it to 9600 and set the device to /dev/ttyS0. Remember to hit ENTER to exit; do NOT try to use “Q” to “Quit”. If you’re under the speed/parity selection window, that’ll change your parity to 2 (this is where I learned that, heh).
3) Go under “Modem and Dialing” and remove the “Init String”. Anything in this field will be sent to the device when you connect. The default AT string won’t bother a Cisco device as far as I know, especially if it’s not in enabled or in config mode when you connect, but it’s kinda annoying to have it pop up on connect.
4) From the main menu use “Save setup to DFL” to create a new config file for minicom.
Find where minicom is with:
# which minicom
/usr/bin/minicom
Check minicom’s permissions with:
# ls -la /usr/bin/minicom
They show that the uucp group is allowed.
Edit /etc/group and add the user juanito to the uucp group.
Check the permissions of /dev/ttyS0:
# ls -la /dev/ttyS0
They show that the tty group is allowed.
Edit /etc/group and add the user juanito to the tty group.
Give read and write permission on /dev/ttyS0 with:
# chmod 666 /dev/ttyS0
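The procedure above grants access two ways at once: group membership (uucp/tty) and a world-writable mode on the device. Once the user is in the device's group, the chmod 666 step is unnecessary and leaves the serial console of the router writable by every local account. The script below is an added example, not from the original post, that reports who can open a device from its mode bits and the /etc/group contents; the device file and the group text built in demo() are constructed, and on a real box you would pass "/dev/ttyS0", the user name and the text of /etc/group. It only inspects supplementary groups listed in /etc/group, not a user's primary group from /etc/passwd.

```python
"""Added example: report whether a user can open a serial device via group
membership, and whether the device has been made world-writable."""
import os
import stat
import tempfile
from typing import Dict, Set, Tuple


def parse_group_db(text: str) -> Dict[int, Tuple[str, Set[str]]]:
    """Map gid -> (group name, set of member names) from /etc/group text."""
    db: Dict[int, Tuple[str, Set[str]]] = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        name, _pw, gid, members = line.split(":", 3)
        db[int(gid)] = (name, {m for m in members.split(",") if m})
    return db


def serial_access_report(device: str, user: str, group_text: str) -> Dict[str, object]:
    """Inspect the device's owning group and mode bits for the given user."""
    st = os.stat(device)
    mode = stat.S_IMODE(st.st_mode)
    gname, members = parse_group_db(group_text).get(st.st_gid, (str(st.st_gid), set()))
    in_group = user in members
    group_rw = bool(mode & stat.S_IRGRP) and bool(mode & stat.S_IWGRP)
    world_rw = bool(mode & stat.S_IROTH) and bool(mode & stat.S_IWOTH)
    return {
        "group": gname,
        "user_in_group": in_group,
        "group_rw": group_rw,
        "world_writable": bool(mode & stat.S_IWOTH),
        # access via the group route, or via the broad chmod 666 route
        "user_has_access": (in_group and group_rw) or world_rw,
    }


def demo() -> Tuple[Dict[str, object], Dict[str, object], Dict[str, object]]:
    """Constructed scenario: a temp file stands in for /dev/ttyS0 and a tiny
    /etc/group text names its owning gid 'uucp' with juanito as a member."""
    with tempfile.NamedTemporaryFile(delete=False) as f:
        path = f.name
    try:
        gid = os.stat(path).st_gid
        group_text = f"root:x:0:\nuucp:x:{gid}:juanito\n"  # constructed group file
        os.chmod(path, 0o660)                                # typical device mode
        member = serial_access_report(path, "juanito", group_text)
        stranger = serial_access_report(path, "someoneelse", group_text)
        os.chmod(path, 0o666)                                # what chmod 666 does
        stranger_after = serial_access_report(path, "someoneelse", group_text)
    finally:
        os.unlink(path)
    return member, stranger, stranger_after


if __name__ == "__main__":
    for label, report in zip(("juanito, 660", "stranger, 660", "stranger, 666"), demo()):
        print(label, report)
```

The second and third reports make the point: with mode 660 a user outside the group cannot open the port, and after chmod 666 everyone can, so adding juanito to the group is the change that matters and the chmod can be skipped.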