Sticky Keys
Monday 12th March, 2007 17:29 Comments: 0
For a moment I thought someone had found the Holy Grail: a way to get SYSTEM on Vista without having to authenticate (much like the old Korean-version Terminal Services issue on Windows 2003 a while back). It turns out it's a lot harder to achieve.
Background:
StickyKeys is an accessibility feature for users who have difficulty holding down more than one key at a time. It lets the user press a modifier key, such as Shift, and have it stay active until another key is pressed. StickyKeys is activated by pressing Shift (or another modifier key) five times in a row, at which point a beep sounds. Vista does not check the integrity of the file that launches StickyKeys (sethc.exe) before executing it, which means you can replace it with another executable and run that by pressing Shift five times. A popular replacement is cmd.exe. Because the logon screen responds to the same key sequence, the swapped binary gives you a command prompt at the logon prompt, running as SYSTEM, without having to authenticate.
Mitigation:
AKA why the world isn't ending. The StickyKeys file sethc.exe is protected by Windows file protection (Windows Resource Protection, in Vista's terms). The default permissions grant only Read & Execute and Read to SYSTEM, Administrators and Users; the only principal with Full Control is TrustedInstaller, which also owns the file.
Aside from getting TrustedInstaller to somehow change the file over for you, you have to take ownership and adjust the permissions using an Administrator account. Assuming you don't have control of the GUI, you can do this by running:
takeown /f c:\windows\system32\sethc.exe
cacls c:\windows\system32\sethc.exe /G administrator:F
(Note that cacls /G without /E replaces the whole ACL rather than adding an entry, so SYSTEM and Users lose their access at that point; only then can the file be overwritten with a copy of cmd.exe.)
That also needs to be performed in an elevated Command Prompt (unless UAC is disabled; I'm not very sympathetic if people do that and get caught out). The thing is, if you're already executing commands in an elevated Command Prompt, an easier method would perhaps be to create a new user and add it to the Administrators group via the net command, then use that account to log on legitimately:
net user USERNAME /add
net localgroup administrators USERNAME /add
Some people might say that an additional user account isn't very subtle (although I believe you can hide it on the logon screen by changing a registry setting); I don't think a Command Prompt coming up whenever you hit the shift key five times is particularly subtle either.
It's an interesting way of getting SYSTEM access without having to authenticate, but if someone already has enough control over your computer to set up this rather contrived scenario, you have bigger things to worry about.
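If you want to check a box for the swap described above, the following PowerShell script is an added example (not from the original post) that audits sethc.exe for each trace the attack leaves: a byte-identical copy of cmd.exe, a version resource that still names Cmd.Exe, an owner other than TrustedInstaller after takeown, and a DACL granting write access after cacls /G. The paths, and the assumption that TrustedInstaller is the only principal with write access on a default install, are assumptions that hold on Vista and later. Run it from an elevated prompt.

```powershell
# Added example, not part of the original post: audit sethc.exe for the
# cmd.exe swap and ACL tampering described above. The paths and the expected
# owner/Full Control principal (TrustedInstaller) are assumptions that hold
# on default Vista-and-later installs. Run from an elevated prompt.
$System32         = Join-Path $env:SystemRoot 'System32'
$TrustedInstaller = 'NT SERVICE\TrustedInstaller'

function Get-Sha256Hex {
    # Hash the file with .NET directly so this also works on Vista-era
    # PowerShell, which has no Get-FileHash.
    param([string]$Path)
    $sha    = [System.Security.Cryptography.SHA256]::Create()
    $stream = [System.IO.File]::OpenRead($Path)
    try   { ($sha.ComputeHash($stream) | ForEach-Object { $_.ToString('x2') }) -join '' }
    finally { $stream.Close() }
}

function Test-StickyKeysBackdoor {
    param(
        [string]$Path      = (Join-Path $System32 'sethc.exe'),
        [string]$Reference = (Join-Path $System32 'cmd.exe')
    )
    $findings = @()

    # 1. A straight copy of cmd.exe hashes identically to the reference.
    if ((Get-Sha256Hex $Path) -eq (Get-Sha256Hex $Reference)) {
        $findings += "$Path is byte-identical to $Reference"
    }

    # 2. A renamed cmd.exe still carries Cmd.Exe in its version resource;
    #    the genuine binary reports sethc.exe.
    $vi = (Get-Item $Path).VersionInfo
    if ($vi.OriginalFilename -and $vi.OriginalFilename -ne 'sethc.exe') {
        $findings += "OriginalFilename is '$($vi.OriginalFilename)', expected sethc.exe"
    }

    # 3. takeown leaves the admin (or Administrators) as owner instead of TrustedInstaller.
    $acl = Get-Acl $Path
    if ($acl.Owner -ne $TrustedInstaller) {
        $findings += "Owner is '$($acl.Owner)', expected $TrustedInstaller"
    }

    # 4. cacls /G administrator:F grants write to a principal that should
    #    only have Read & Execute. Test the WriteData bit, which FullControl
    #    and Modify both include.
    $writeBit = [int][System.Security.AccessControl.FileSystemRights]::WriteData
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -eq 'Allow' -and
            (([int]$ace.FileSystemRights -band $writeBit) -ne 0) -and
            $ace.IdentityReference.Value -ne $TrustedInstaller) {
            $findings += "Write access granted to $($ace.IdentityReference.Value) ($($ace.FileSystemRights))"
        }
    }

    return $findings
}

$result = Test-StickyKeysBackdoor
if ($result.Count -eq 0) { Write-Output 'OK: sethc.exe owner, DACL and contents look untouched' }
else { $result | ForEach-Object { Write-Warning $_ } }
```

The hash comparison only catches a plain copy of cmd.exe; the version-resource, owner and DACL checks catch any replacement that went through the takeown/cacls route above, since the original sethc.exe is owned by TrustedInstaller with no write access for anyone else. Vista's own `sfc /verifyfile=C:\Windows\System32\sethc.exe` is the built-in equivalent for the contents check, and `sfc /scanfile` on the same path puts the original back.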