StickyKeys is an accessibility feature for users who cannot hold down two keys at once. It lets the user press a modifier key, such as Shift, and have it stay active until another key is pressed. It is switched on by pressing the Shift key five times in a row, and Windows sounds a beep when it activates. Sounds innocuous, right? Dead wrong!
Windows Vista does not verify the integrity of the program it launches for StickyKeys, c:\windows\system32\sethc.exe, before running it. That means the file can be replaced with any other executable, which will then run whenever the Shift key is pressed five times. A popular replacement is cmd.exe. Because the logon screen honours the same shortcut, the swapped-in command prompt can be opened from the logon prompt without authenticating at all, as shown in the screenshot below.

That command prompt is spawned by the logon process, so it runs as NT AUTHORITY\SYSTEM. Launching explorer.exe from it, still without authenticating, gives a full desktop under the SYSTEM account, and from that point on the attacker has complete control of the machine.

This legacy backdoor is nothing new: Windows 2000 and XP are vulnerable in the same way. On a fully patched system sethc.exe is covered by Windows File Protection, and on Vista replacing system files is harder still because they are owned by TrustedInstaller and administrators have no write access to them by default. Running the following two commands from an elevated prompt removes that obstacle by taking ownership of the file and granting the administrator full control over it:
takeown /f c:\windows\system32\sethc.exe
cacls c:\windows\system32\sethc.exe /G administrator:F
Running those commands requires an administrator to be logged in (note also that cacls /G without /E replaces the file's existing ACL rather than adding to it, which is itself a telltale for anyone auditing the file), but a determined attacker can usually find a way around that requirement to plant this built-in backdoor. Once a SYSTEM command prompt has been obtained through it, the attacker can create a new user, add that user to the Administrators group with the net command, and then log in legitimately with the new account using the following commands:
net user USERNAME /add
net localgroup administrators USERNAME /add
One can always argue that the attacker needs access to the machine to pull this off. But of all the unauthorized system access incidents that organizations reported last year, roughly 27% were carried out by internal employees, and it is this threat from within (disgruntled or merely naughty employees) that poses the greatest computer security threat to organizations today.
Another alarming feature of this backdoor is that an attacker can use this method to bypass the logon screen on terminal servers and workstations with Remote Desktop enabled, so the machine need not be touched physically at all. Since no third-party tools are installed on the system and Microsoft's own files are used to achieve this, it will be difficult for a typical administrator to detect.
One option is to uninstall the Accessibility Tools feature, which is installed by default, to close off this fairly simple yet potentially serious built-in backdoor. And don't forget to hit the Shift key five times and see what pops up on your desktop.
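The following PowerShell audit script is an added example, not code from the original post or from McAfee. It checks the points the post raises for the launcher Windows starts from the logon screen: whether sethc.exe still reports its own name in its version resource (a renamed cmd.exe keeps 'Cmd.Exe' as its OriginalFilename), whether ownership has moved away from TrustedInstaller as the takeown step leaves it, and whether the file is byte-for-byte identical to cmd.exe. The paths and the expected owner string are the Vista/7 defaults and are assumptions; the utilman.exe entry is included because a reader comment below names it as a second launcher with the same exposure. Run it from an elevated PowerShell prompt.

```powershell
# Added audit script (not from the original post): flag accessibility launchers
# that have been swapped for cmd.exe or otherwise tampered with.
# Assumes the default %SystemRoot%\System32 layout and that the genuine files
# are owned by NT SERVICE\TrustedInstaller (the Vista/7 default).

$system32 = Join-Path $env:SystemRoot 'System32'
$cmdPath  = Join-Path $system32 'cmd.exe'

# sethc.exe is the launcher discussed in the post; utilman.exe is named in a
# reader comment as a second launcher reachable from the logon screen.
$launchers = @('sethc.exe', 'utilman.exe')

function Get-Sha256Hex([string]$Path) {
    # .NET hashing rather than Get-FileHash so the script also runs on the
    # PowerShell 2.0 that shipped with Vista/7.
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $stream = [System.IO.File]::OpenRead($Path)
    try {
        return ($sha.ComputeHash($stream) | ForEach-Object { $_.ToString('x2') }) -join ''
    } finally {
        $stream.Close()
    }
}

$cmdHash = Get-Sha256Hex $cmdPath

foreach ($name in $launchers) {
    $path = Join-Path $system32 $name
    if (-not (Test-Path -LiteralPath $path)) { continue }   # launcher not installed

    $findings = @()

    # 1. The genuine binary names itself in its version resource. A renamed
    #    cmd.exe still reports 'Cmd.Exe' here, whatever the file is called on disk.
    $origName = (Get-Item -LiteralPath $path).VersionInfo.OriginalFilename
    if ($origName -notlike "$name*") {      # -notlike is case-insensitive
        $findings += "OriginalFilename is '$origName', expected '$name'"
    }

    # 2. takeown leaves the owner as the attacker's account; the genuine file
    #    is owned by TrustedInstaller.
    $owner = (Get-Acl -LiteralPath $path).Owner
    if ($owner -ne 'NT SERVICE\TrustedInstaller') {
        $findings += "owner is '$owner', expected 'NT SERVICE\TrustedInstaller'"
    }

    # 3. Direct comparison with the replacement the post describes.
    if ((Get-Sha256Hex $path) -eq $cmdHash) {
        $findings += 'file is byte-for-byte identical to cmd.exe'
    }

    if ($findings.Count -eq 0) {
        Write-Output "[OK]      $path"
    } else {
        Write-Output "[SUSPECT] $path"
        $findings | ForEach-Object { Write-Output "          - $_" }
    }
}
```

A SUSPECT line is worth following up with `sfc /verifyfile=<path>`, which checks the file against Microsoft's catalog signature and can restore the genuine copy, and with `icacls <path> /setowner "NT SERVICE\TrustedInstaller"` to put ownership back once the file has been restored. Because the swap also works over Remote Desktop, the script is most useful run across terminal servers rather than on a single workstation.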
“Windows Vista Vulnerable to StickyKeys Backdoor”
Am I really the first one here to say, “That’s what she said!” to this??
Works on 100% of campus computers. Kind of scary, the potential information someone nefarious could get. Keylogger, anyone?
“an attacker can use this method to bypass login on terminal servers and workstations with the remote desktop enabled. Since no third-party tools are being installed on the system and we are using Microsoft’s own files to achieve this, it will be difficult to detect for a typical administrator.”
I just discovered a couple of terminal servers in our university network that one could remotely backdoor into using this sticky-key backdoor method with full SYSTEM rights. So this technique is being used by bad guys, and it's shocking that M$ still doesn't protect sethc.exe and utilman.exe with Windows File Protection!!!
Or, you could just turn off StickyKeys altogether. That would just about solve that problem.
WRONG!
You don’t need admin access. Pop in Auditor or a backdoor Linux boot and in five minutes flat you can have the ’sploit in place and running.
I see the point, as far as the exe can’t be replaced unless you have admin access.
But I have a problem with the login and loading a desktop. There should be no way, under any circumstances, for it to be able to bypass that.
GhaFear
Sometimes the StickyKeys dialog box appears when nobody is using the computer, as if someone had pressed the Shift key five times. Could this be some unauthorized external access?
“As for the usability, I can see some uses that this can be utilized for. This is just one of many “bugs” that Microsoft has in its OS: Vista, XP, etc.”
This is not a Microsoft-specific “bug”; you can do the same on Linux, BSD, etc. PS: I’m not an M$ fan.
So the first security step is to lock your system physically.
You know… being a network engineer for a little while has taught me one thing. The fact that I have physical and unsupervised access to the machine is a security concern for a client, for the only thing between their business being secured or unsecured is my business ethics.
Exploits that require modifications and other things are really a waste of time, as anyone who wants your data can obtain it very easily anyway.
I always tell my clients that if someone wants to steal their data they will drive a truck through the front door and walk away with their server; much cheaper, more efficient and less time-consuming.
Kind Regards
Gaining admin rights on a system running XP or Vista is not hard with BartPE builder. Using an old build you can null out an admin password (on the local side) or create a user with admin rights.
As for the usability, I can see some uses that this can be utilized for. This is just one of many “bugs” that Microsoft has in its OS: Vista, XP, etc.
And as far as all the other complaints: what if these scripts were added to a file, say a JPEG, that ran as a background script when you download a pic from your email? Bam, your system has just had this enabled. Now if you have any type of, say, VNC or any other outside access to your PC enabled, then any wannabe hacker has full “SYSTEM” privs, forget admin privs; your PC / server could be down in seconds.
Just my thoughts on this matter. Me, I just disable the function. Why leave something like this open to start with?
To everyone who is bitching about ‘you already need to have admin to do this’, that is possibly the most retarded thing I’ve ever heard.
I personally have a backdoor like this running on my non-*nix systems just in case someone manages to change the password; it saves me a hell of a lot of time cracking the SAM file.
I hope that you all realise that sticky keys are extremely important to those of us who don’t have full dexterity or sight. I am a blind person using a screen reader and, although I accept there may be some vulnerability here, I cannot condone the taking away of something which makes computers accessible to those who otherwise couldn’t utilise them.
You may also be interested to know (if you care that is) that the fields to fill in to send this response aren’t exactly over-friendly. Thanks GJH.