Windows Vista is vulnerable to a well-known attack that could enable an attacker to get full access to an exposed machine, according to researchers at McAfee Inc.
The attack is based on an obscure accessibility feature present in many versions of Windows, including XP and 2000, called StickyKeys. The feature helps users with limited mobility by keeping a modifier key, such as Ctrl or Shift, active until the next key is pressed; pressing Shift five times brings up its launcher. The launcher can be invoked from the logon screen, before anyone has authenticated, yet Windows does not verify the integrity of the file it runs, and that combination is the problem McAfee describes.
This leaves open all kinds of intriguing possibilities for attackers, the most obvious one being the ability to replace the StickyKeys launch file with another file. As McAfee AVERT Labs researcher Vinoo Thomas points out in a blog post on the vulnerability, "cmd.exe" would be a useful choice.
"After replacement, one could invoke this command prompt at the login prompt without the need to authenticate," Thomas said in his blog entry. "Once launched, it is possible to execute explorer.exe without authenticating and get a full desktop running under the credentials of the NT AUTHORITY\SYSTEM account. And from this point on an attacker has full access to the system."
An attacker can also use the StickyKeys vector to bypass the normal login procedure for terminal servers and remote desktops, Thomas said.
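The checks below are an added example for this article, not code from McAfee's post or from Microsoft. They assume the StickyKeys launcher is `sethc.exe` in System32 (the article does not name the file) and check it, together with the other launchers the logon screen can start, for the replacement Thomas describes: a byte-for-byte match against a shell binary, a missing or non-Microsoft Authenticode signature, and, going beyond what the article covers, an Image File Execution Options "Debugger" value that redirects the launcher to cmd.exe without touching the file. Run from an elevated PowerShell prompt on the host under review.

```powershell
# Added example, not from the article or the McAfee post. Audits the Windows
# accessibility launchers that can be started from the logon screen before any
# user has authenticated. sethc.exe is assumed to be the StickyKeys launcher.

$system32 = Join-Path $env:SystemRoot 'System32'

# Pre-logon launchers. sethc.exe is StickyKeys; the others belong to the same
# class and are worth checking alongside it.
$accessibilityBinaries = @('sethc.exe', 'utilman.exe', 'osk.exe',
                           'magnify.exe', 'narrator.exe', 'displayswitch.exe')

# Binaries an attacker typically copies over the launcher to get a shell.
$shellBinaries = @('cmd.exe', 'powershell.exe', 'explorer.exe')

function Get-FileSha256 {
    param([string]$Path)
    (Get-FileHash -Path $Path -Algorithm SHA256).Hash
}

$shellHashes = @{}
foreach ($name in $shellBinaries) {
    $p = Join-Path $system32 $name
    if (Test-Path $p) { $shellHashes[$name] = Get-FileSha256 $p }
}

$findings = @()
foreach ($name in $accessibilityBinaries) {
    $path = Join-Path $system32 $name
    if (-not (Test-Path $path)) { continue }

    $hash = Get-FileSha256 $path
    $sig  = Get-AuthenticodeSignature -FilePath $path

    # Check 1: the launcher is identical to a shell binary. This is the swap the
    # article describes and is the check that actually catches a copied cmd.exe.
    foreach ($shell in $shellHashes.Keys) {
        if ($shellHashes[$shell] -eq $hash) {
            $findings += "$name is byte-identical to $shell (launcher replaced)"
        }
    }

    # Check 2: signature. A copied cmd.exe still carries a valid Microsoft
    # signature, so this only catches third-party or modified replacements.
    # System files are catalog-signed; on supported versions Get-AuthenticodeSignature
    # resolves the catalog and reports Status 'Valid' with SignatureType 'Catalog'.
    if ($sig.Status -ne 'Valid' -or $sig.SignerCertificate.Subject -notmatch 'Microsoft') {
        $findings += "$name signature status: $($sig.Status)"
    }

    # Check 3 (not described in the article): the later file-less variant sets an
    # Image File Execution Options 'Debugger' value so that Windows launches the
    # named debugger (typically cmd.exe) in place of the launcher.
    $ifeo = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\$name"
    if (Test-Path $ifeo) {
        $dbg = (Get-ItemProperty -Path $ifeo -ErrorAction SilentlyContinue).Debugger
        if ($dbg) { $findings += "$name has an IFEO Debugger value: $dbg" }
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No accessibility launcher tampering detected.'
} else {
    $findings | ForEach-Object { Write-Warning $_ }
}
```

The hash comparison is the check that matters for the case in the article: because cmd.exe is itself a signed Microsoft binary, signature validation alone will pass a replaced launcher, which is exactly the verification gap McAfee points out.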
There are a few factors that can mitigate an attacker's ability to use this method, however, especially in Vista. As part of its focus on preventing malware from being installed without users' knowledge, Microsoft Corp. has included in Vista a feature called Windows Resource Protection, which prevents users, including administrators, from modifying certain system files, registry keys and folders; protected files are owned by the TrustedInstaller service account rather than by Administrators. This should make it much more difficult for an attacker to replace the StickyKeys file, but Thomas shows a simple method for bypassing the TrustedInstaller ownership protection.
"To execute the above commands successfully, it requires an administrator to be logged in; but a determined attacker can always find workarounds to exploit this built-in backdoor. In fact once a command prompt is obtained via this method, we can use it to create a new user, add this user to the administrators group via the net command and then use this account to rightfully log in using [two] commands," Thomas writes. "One can always argue that an attacker actually needs access to the machine to be able to pull this off. Of all the unauthorized system access incidents that organizations reported last year, roughly 27% were by internal employees. And it is this threat from within (disgruntled or naughty employees) that poses the greatest computer security threat to organizations today."
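Two follow-up checks for the scenario Thomas describes, added here as an example rather than taken from the article or McAfee's post. The first verifies that Windows Resource Protection still holds the StickyKeys launcher (assumed to be `sethc.exe`; the page does not name the file): on a protected file the owner is `NT SERVICE\TrustedInstaller` and Administrators hold only read and execute rights, so a changed owner or a write-capable Administrators entry is the trace left by taking the file over. The second searches the Security log for the account-creation and group-membership events that the `net user` and `net localgroup` commands in the quote produce. Requires an elevated prompt and the default audit policy for account management.

```powershell
# Added example, not from the article or the McAfee post. Assumes sethc.exe is
# the StickyKeys launcher and that account-management auditing is enabled.

$sethc = Join-Path $env:SystemRoot 'System32\sethc.exe'
$acl   = Get-Acl -Path $sethc

# WRP-protected files are owned by TrustedInstaller; anything else means the
# owner was changed, which is the usual first step before overwriting the file.
$expectedOwner = 'NT SERVICE\TrustedInstaller'
if ($acl.Owner -ne $expectedOwner) {
    Write-Warning "sethc.exe owner is '$($acl.Owner)', expected '$expectedOwner'"
}

# The WRP default ACL gives Administrators ReadAndExecute only. Any Allow ACE
# granting write or full control to Administrators means the ACL was altered.
$acl.Access |
    Where-Object {
        $_.IdentityReference -like '*\Administrators' -and
        $_.AccessControlType -eq 'Allow' -and
        $_.FileSystemRights -match 'Write|FullControl'
    } |
    ForEach-Object { Write-Warning "Administrators hold $($_.FileSystemRights) on sethc.exe" }

# Security log events: 4720 = user account created,
# 4732 = member added to a security-enabled local group. Look back seven days.
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4720, 4732
    StartTime = (Get-Date).AddDays(-7)
} -ErrorAction SilentlyContinue

foreach ($e in $events) {
    # Pull the named EventData fields out of the event XML.
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    switch ($e.Id) {
        4720 { "$($e.TimeCreated) account created: $($data['TargetUserName']) by $($data['SubjectUserName'])" }
        4732 { "$($e.TimeCreated) $($data['MemberSid']) added to group $($data['TargetUserName']) by $($data['SubjectUserName'])" }
    }
}
```

An account created from a SYSTEM shell at the logon screen shows up in 4720 with a SubjectUserName of the machine account (`HOSTNAME$`) rather than a named user, which is a good discriminator when reviewing the output.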