exploit the possibilities

Windows 7 SP1 Local Access SYSTEM Compromise

Windows 7 SP1 Local Access SYSTEM Compromise
Posted Jun 28, 2013
Authored by Anastasios Monachos

If you have physical access to a Microsoft Windows 7 SP1 instance, you can leverage the "Launch startup Repair" functionality to gain SYSTEM access.

tags | exploit
systems | windows, 7
MD5 | c52e640cc11080951b3b69430724c758

Windows 7 SP1 Local Access SYSTEM Compromise

Change Mirror Download
##############################################################################################
# Discovered by: Anastasios Monachos (secuid0) - [anastasiosm(at)gmail(dot)com]
# Vendor: Microsoft
# Affected Software: Windows 7 SP1 (and probably other)
# Title: Owning Windows 7 - From Recovery to "nt authority\system" - Physical Access Required
# See also: http://intelcomms.blogspot.com/2013/05/owning-windows-7-from-recovery-to-nt.html
##############################################################################################

Just wanted to share with you the below, which I have already communicated with
Microsoft - according to MSRC team "An attacker with unrestricted physical
access can certainly manipulate a system in multiple ways. This is not
something we consider a security vulnerability." thus no CVE "Computer owners
should provide for physical security of systems as part of best practices.
There is more discussion of physical access in the "10 Immutable Laws
of Security" (http://technet.microsoft.com/en-us/library/hh278941.aspx)
under Law #3".

The scenario is as follows:

1. Windows 7 SP1, and
2. Workstation with BIOS settings to restrict boot up from CD, and
3. Workstation joined in Windows Active Directory or Standalone

By forcing the machine to boot or shutdown abnormally (eg pressing the
ctl+alt+del during bootup or press the power button (kill) during shutdown)
Windows will enter the "Windows Error Recovery" menu asking us whether we
wish to "Launch startup Repair (recommended)" or "Start Windows Normally"

Select the "Launch Startup Repair (recommended)"

Recovery process will display a "Windows is loading files...." message,
then after a while we enter the "Startup Repair" process (graphical
interface)
A message might appear asking you if you want to "Restore your computer
using System Restore", select Cancel, if it does.
Shortly, a new message box will come up prompting us "Send information
about the problem (recommended)" or "Don't send" and at the bottom of
this dialog box the option with label "View problem details" exist.
Click on "View problem details", you will get information such as
"Problem signature" and more.

Note that at the very bottom of this textarea a link exists which points
to the X drive (X:\windows\system32\en-US\erofflps.txt)

Clicking on the link; Notepad launches

From there, one can go to File | Open view all contents of the C/D/X/etx
drive (c:\documents and settings\\* and any other drive available) copy
files to/from different locations/drives, create files, launch cmd.exe,
backdoor Windows etc.

Through ms-dos prompt we noticed we had been granted with
"nt authority\system" privileges which makes sense having so, to perform
the recovery operation, but it's too easily for anyone to abuse them
providing he has casual physical access (eg in environments such as
libraries, universities, offices, reception front desks etc; I will
leave your imagination from this point to work:)

As probably others may agree with me, "nt authority\system" access should
not be so easy given (or acquired by default, design, whatever, name it),
at a minimum a password prompt or other control should exist to prevent
the ownage.

Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

April 2019

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Apr 1st
    21 Files
  • 2
    Apr 2nd
    35 Files
  • 3
    Apr 3rd
    21 Files
  • 4
    Apr 4th
    16 Files
  • 5
    Apr 5th
    15 Files
  • 6
    Apr 6th
    1 Files
  • 7
    Apr 7th
    2 Files
  • 8
    Apr 8th
    23 Files
  • 9
    Apr 9th
    19 Files
  • 10
    Apr 10th
    15 Files
  • 11
    Apr 11th
    14 Files
  • 12
    Apr 12th
    11 Files
  • 13
    Apr 13th
    2 Files
  • 14
    Apr 14th
    5 Files
  • 15
    Apr 15th
    14 Files
  • 16
    Apr 16th
    19 Files
  • 17
    Apr 17th
    19 Files
  • 18
    Apr 18th
    8 Files
  • 19
    Apr 19th
    4 Files
  • 20
    Apr 20th
    5 Files
  • 21
    Apr 21st
    1 Files
  • 22
    Apr 22nd
    10 Files
  • 23
    Apr 23rd
    22 Files
  • 24
    Apr 24th
    4 Files
  • 25
    Apr 25th
    0 Files
  • 26
    Apr 26th
    0 Files
  • 27
    Apr 27th
    0 Files
  • 28
    Apr 28th
    0 Files
  • 29
    Apr 29th
    0 Files
  • 30
    Apr 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2019 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close