
Exploit allows any application to run on top of Windows 7 login screen

JMH (Emeritus, Contributor)
The exploit has been well documented for some time, but it might be a bit of a surprise to regular users just how easy it is to compromise a machine you have brief access to. An article published by Carnal0wnage writes about replacing "Sticky Keys" on the login screen for Windows 7 with the "command line" executable, which essentially could let a user make all hell break loose.

It's as simple as briefly gaining access to an elevated command prompt on a workstation and typing the following code:

REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe" /v Debugger /t REG_SZ /d "C:\windows\system32\cmd.exe"
http://www.neowin.net/news/exploit-...&utm_campaign=Feed:+neowin-main+(Neowin+News)
 
Requires physical access. One more reason to keep one's machine secure.

Or remote access, provided admin rights can be gained, by, for example, exploiting a specific escalation of privilege vulnerability in almost any application.
 
Another way to protect workstations is to disable registry editing. That measure has been taken by the IT department here and keeps all sorts of mischief from happening.
 
12345
....Additionally, if the hack is in place, it's possible to perform a similar hack via RDP session. Once in place, it is virtually undetectable aside from the registry key. Essentially, the above code sets the debugger for Sticky Keys to the executable file for the command line applet, which is run at the system level when the machine is locked.
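Since the hijack leaves no trace other than the registry value, the check worth running is an audit of the Image File Execution Options key itself. The script below is an added example for this thread, not code from the Neowin or Carnal0wnage write-ups; it lists every IFEO subkey with a Debugger value on the local machine (both the native and the Wow6432Node hive, which I am assuming is present on 64-bit installs) and flags the ones whose "debugger" is really a shell such as cmd.exe. Run it from an elevated PowerShell prompt.

```powershell
# Added example: audit IFEO for Debugger hijacks like sethc.exe -> cmd.exe.
# Requires an elevated prompt to read every subkey reliably.
$ifeoRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
)

# Executables that are shells, not debuggers; a Debugger value pointing at one
# of these is almost certainly the trick described in the thread.
$shellLikeDebuggers = @('cmd.exe', 'powershell.exe', 'pwsh.exe', 'explorer.exe')

function Get-IfeoDebuggerEntry {
    foreach ($root in $ifeoRoots) {
        if (-not (Test-Path $root)) { continue }
        foreach ($key in Get-ChildItem -Path $root -ErrorAction SilentlyContinue) {
            $debugger = (Get-ItemProperty -Path $key.PSPath -Name Debugger -ErrorAction SilentlyContinue).Debugger
            if (-not $debugger) { continue }

            # Debugger values may carry arguments; isolate the executable path,
            # honouring a leading quoted path such as "C:\Program Files\x.exe" /y
            $exePath = if ($debugger.StartsWith('"')) { $debugger.Split('"')[1] }
                       else { ($debugger -split ' ')[0] }
            $exeName = [System.IO.Path]::GetFileName($exePath)

            [pscustomobject]@{
                Hive       = $root
                Image      = $key.PSChildName
                Debugger   = $debugger
                Suspicious = ($shellLikeDebuggers -contains $exeName)
            }
        }
    }
}

$entries = @(Get-IfeoDebuggerEntry)
if ($entries.Count -eq 0) {
    Write-Host 'No IFEO Debugger values found.'
} else {
    $entries | Sort-Object Suspicious -Descending | Format-Table Image, Suspicious, Debugger -AutoSize
}

# Remediation for a confirmed hijack is removing the Debugger value; leave the
# key alone if someone registered a genuine debugger on purpose. Example:
# Remove-ItemProperty -Path "$($ifeoRoots[0])\sethc.exe" -Name Debugger
```

A legitimate debugger registration (for instance from a development tool) will also show up here with Suspicious set to False, so read the Debugger column before removing anything.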

And I was thinking about doing this to lessen my login time! Guess not now!
 
Meh - anything that can escalate to admin can do anything on a box. Yet another reason to NOT log on with an admin account on a regular basis, and only use it for admin tasks. Any environment that wishes to be secure probably does this already (plus not allowing registry editing outside of a small admin group and certain service accounts as well), but yes - once you make someone an admin, the control of that box belongs to the person using it, and whatever they may happen to run on it. "Exploits" like this go all the way back to the beginning of NT (using at.exe to get a system-level cmd prompt, for instance).
 
