1. #1
    JMH's Avatar

    Exploit allows any application to run on top of Windows 7 login screen


    The exploit has been well documented for some time, but it might be a bit of a surprise to regular users just how easy it is to compromise a machine you have brief access to. An article published by Carnal0wnage writes about replacing "Sticky Keys" on the login screen for Windows 7 with the "command line" executable, which essentially could let a user make all hell break loose.

    It's as simple as briefly gaining access to an elevated command prompt on a workstation and typing the following code:

    REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe" /v Debugger /t REG_SZ /d "C:\windows\system32\cmd.exe"
    http://www.neowin.net/news/exploit-a...Neowin+News%29
    niemiro says thanks for this.


    MVP 2013 - 2016

    Microsoft Community Contributor
    Windows Insider MVP July 2016 to end June 2017
    Dyami & Wankiya
    Team Zigzag





  2. #2
    zigzag3143's Avatar

    Re: Exploit allows any application to run on top of Windows 7 login screen

    Requires physical access. One more reason to keep one's machine secure.
    niemiro says thanks for this.

    MS-MVP Windows IT-PRO 2010-2017
    MCC-2013-2017
    Wankiya & Dyami
    Team ZigZag





  3. #3
    niemiro's Avatar

    Re: Exploit allows any application to run on top of Windows 7 login screen

    Quote Originally Posted by zigzag3143
    Requires physical access. One more reason to keep one's machine secure.
    Or remote access provided admin rights can be gained, by, for example, exploiting a specific escalation of privilege vulnerability in almost any application.
    Last edited by niemiro; 05-29-2012 at 05:38 AM.

  4. #4
    GZ's Avatar

    Re: Exploit allows any application to run on top of Windows 7 login screen

    Another way to protect workstations is to disable registry editing. That measure has been taken by the IT department here and keeps all sorts of mischief from happening.

    "Among the tales of sorrow and of ruin that come down to us from the darkness of those days there are yet some in which amid weeping there is joy and under the shadow of death light that endures."

    J.R.R. Tolkien - The Silmarillion

  5. #5


    Re: Exploit allows any application to run on top of Windows 7 login screen

    ....Additionally, if the hack is in place, it's possible to perform a similar hack via RDP session. Once in place, it is virtually undetectable aside from the registry key. Essentially, the above code sets the debugger for Sticky Keys to the executable file for the command line applet, which is run at the system level when the machine is locked.
    And I was thinking about doing this to lessen my login time! Guess not now!
    JMH says thanks for this.
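
The quoted article says the registry key is the only trace, so that key is what a defender audits. The following is an added example, not code from this thread or the linked article: it parses saved output of `reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options" /s` and reports every image that has a `Debugger` value. The sample text, the `example.exe` key and the function name are constructed for illustration.

```python
import re

# Constructed sample of `reg query "<...>\Image File Execution Options" /s`
# output (not captured from a real host). The third key is the 32-bit view.
SAMPLE = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe
    Debugger    REG_SZ    C:\windows\system32\cmd.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\example.exe
    GlobalFlag    REG_DWORD    0x0

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SETHC.EXE
    debugger    REG_SZ    C:\windows\system32\cmd.exe
"""

IFEO_MARKER = "\\image file execution options\\"
# reg.exe prints values as: 4 spaces, name, 4 spaces, type, 4 spaces, data
VALUE_RE = re.compile(
    r"^\s{4}(?P<name>.+?)\s{4}(?P<type>REG_[A-Z_]+)\s{4}(?P<data>.*)$")


def find_ifeo_debuggers(reg_query_text):
    """Return (image, key_path, debugger_command) for each IFEO image key
    that carries a Debugger value. Registry names are case-insensitive."""
    findings = []
    current_key = None
    for line in reg_query_text.splitlines():
        if line.startswith("HKEY_"):          # a key header line
            current_key = line.strip()
            continue
        match = VALUE_RE.match(line)
        if match is None or current_key is None:
            continue
        pos = current_key.lower().find(IFEO_MARKER)
        if pos == -1:
            continue                          # value outside IFEO
        image = current_key[pos + len(IFEO_MARKER):]
        if not image or "\\" in image:
            continue                          # not a direct per-image key
        if match["name"].lower() == "debugger":
            findings.append((image, current_key, match["data"]))
    return findings


if __name__ == "__main__":
    # Legitimate debugging tools also set Debugger, so review each hit.
    for image, key, command in find_ifeo_debuggers(SAMPLE):
        print(f"{image}: Debugger -> {command}  [{key}]")
```
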

  6. #6

    Re: Exploit allows any application to run on top of Windows 7 login screen

    Meh - anything that can escalate to admin can do anything on a box. Yet another reason to NOT log on with an admin account on a regular basis, and only use it for admin tasks. Any environment that wishes to be secure probably does this already (plus not allowing registry editing outside of a small admin group and certain service accounts as well), but yes - once you make someone an admin, the control of that box belongs to the person using it, and whatever they may happen to run on it. "Exploits" like this go all the way back to the beginning of NT (using at.exe to get a system-level cmd prompt, for instance).
    JMH, Corrine, James7679 and 2 others say thanks for this.
    MCTS Windows Internals, MCITP Server 2008 EA, MCTS MDT/BDD, MCSE/MCSA Server 2003, Server 2012, Windows 8
