Windows Vista Vulnerable to StickyKeys Backdoor

March 20, 2007 5:02 pm

This vulnerability was discovered by a McAfee researcher, Vinoo Thomas. According to his blog, StickyKeys can be modified to launch unauthorised software when triggered.

StickyKeys is an accessibility feature in modern Windows systems to aid disabled users. To trigger it, the user hits a modifier key such as ‘Shift’ five times; once triggered, the modifier key “sticks”, as though it were still being pressed. For example, if ‘Shift’ is the modifier key, once triggered you only need to hit the ‘F1’ key in order to execute ‘Shift + F1’. StickyKeys can be triggered at the login page, which implies that no authentication is done prior to triggering it.

This vulnerability involves modifying the file “c:/windows/system32/sethc.exe”, which launches StickyKeys. Windows Vista does not perform an integrity check on the file before executing it, but the file is protected by Windows file protection. Disabling that protection is, however, easy using the following commands.

takeown /f c:\windows\system32\sethc.exe
cacls c:\windows\system32\sethc.exe /G administrator:F

It is noted that, using this vulnerability, one can disable the file protection and modify “c:/windows/system32/sethc.exe” so that “cmd.exe” is launched instead. The attacker can then trigger StickyKeys at logon to launch “cmd.exe” and proceed to add himself as an administrator using the following commands.

net user USERNAME /add
net localgroup administrators USERNAME /add

However, the catch is that disabling the file protection requires administrator rights in the first place. It makes little sense to perform a long chain of actions to create an administrator account when the attacker already has administrator access to the system.
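Because the backdoor leaves sethc.exe replaced, re-owned and unsigned, it is easy to audit for. The following PowerShell script is an added defender-side check and is not from the original post or from Vinoo Thomas; it assumes a current Windows with PowerShell 4 or later (for Get-FileHash) and the default system paths.

```powershell
# Added example (not from the original post): audit sethc.exe for the
# file-replacement backdoor described above. Assumes PowerShell 4+.
$System32 = Join-Path $env:SystemRoot 'System32'
$Target   = Join-Path $System32 'sethc.exe'
$Findings = @()

# 1. A swapped sethc.exe is typically a straight copy of cmd.exe, so the
#    two files would carry identical SHA-256 hashes.
$TargetHash = (Get-FileHash -Path $Target -Algorithm SHA256).Hash
$CmdHash    = (Get-FileHash -Path (Join-Path $System32 'cmd.exe') -Algorithm SHA256).Hash
if ($TargetHash -eq $CmdHash) {
    $Findings += 'sethc.exe is byte-for-byte identical to cmd.exe'
}

# 2. The takeown step in the post changes the owner from TrustedInstaller
#    to the account that ran it; an untouched system binary is still owned
#    by TrustedInstaller.
$Owner = (Get-Acl -Path $Target).Owner
if ($Owner -ne 'NT SERVICE\TrustedInstaller') {
    $Findings += "unexpected owner on sethc.exe: $Owner"
}

# 3. The genuine binary is Microsoft-signed; a modified or replaced file
#    does not verify. On older PowerShell versions that do not understand
#    catalog signatures, a genuine file may also report NotSigned, so treat
#    this check as corroborating evidence rather than proof on its own.
$Sig = Get-AuthenticodeSignature -FilePath $Target
if ($Sig.Status -ne 'Valid') {
    $Findings += "signature status on sethc.exe: $($Sig.Status)"
}

if ($Findings.Count -eq 0) {
    Write-Output 'sethc.exe looks intact'
} else {
    $Findings | ForEach-Object { Write-Warning $_ }
}
```

Run it from an elevated prompt so Get-Acl can read the owner; any warning is a reason to compare the file against a known-good copy from installation media.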
