Resilient Windows Vulnerability (Logon Screen StickyKeys Hack)

During the Windows XP era, a well-known vulnerability called the “StickyKeys hack” was exploited by attackers to unlawfully access a computer and gain high-privileged access. This type of exploitation allows an attacker to act as “NT Authority System”. This special and very powerful account has all rights over the whole system, just like the “root” user in Linux. For example, an attacker acting as “NT Authority System” can, among a panoply of things, change and replace system files and reset the passwords of all of a computer’s local accounts.

I learned about this vulnerability and how to exploit it quite some years ago and, surprisingly, it is still present on the latest version of Windows, which at the time I’m writing this article is Windows 10 Version 1511 with build number 10586.x.

The question is: why hasn’t Microsoft patched it yet? Primarily, this vulnerability is not a bug in itself; thus, it cannot be patched. All Microsoft can do about it is change the way users interact with and trigger StickyKeys and other executable programs at the logon screen, where the vulnerability is usually exploited. Still, it does not make any sense at all that Microsoft says Windows is the most secure OS while it completely ignores this resilient vulnerability.

Secondarily, the outcome or benefit of this kind of attack is the same as loading a live operating system on the targeted machine, which means that preventing this kind of attack is almost impossible, the only plausible means being securing the BIOS, securing the input/output peripherals and ports, and physical hardware protection.

Exploiting the vulnerability

The vulnerability is exploited by hijacking the StickyKeys program found at %systemroot%\System32\sethc.exe and replacing it with the Windows Command Processor, “cmd.exe”, also found in %systemroot%\System32\.

[Screenshots from Windows XP: VirtualBox_Windows XP_sethc_move, VirtualBox_Windows XP_cmd_ren]

After this is done, one can easily launch a Command Prompt session running as the user “NT Authority System” by pressing the “shift” key five times while on the Windows logon screen. From there, it is easy to guess what nasty things an attacker can do with specific commands.

[Screenshot, hack proof on Windows 7: VirtualBox_Windows 7_logon-hackscreen]

The trickiest part of exploiting this vulnerability is finding a way to interchange the file sethc.exe (StickyKeys) with cmd.exe (Command Prompt) without having any access rights first, but there are various ways to do this.

However, sethc.exe is not the only file exchangeable with cmd.exe; cmd.exe can also be interchanged with %systemroot%\System32\Utilman.exe, which is the “Ease of Access” program.
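Because the swap described above leaves a byte-identical copy of cmd.exe under the name sethc.exe or Utilman.exe, a defender can detect it by hashing those files in a System32 directory (for example on a mounted disk image). The following is an added example, not code from the original article; the function names are hypothetical and the file contents in `demo()` are constructed.

```python
import hashlib
import tempfile
from pathlib import Path

# Logon-screen accessibility programs named in the article.
ACCESSIBILITY_BINARIES = ("sethc.exe", "Utilman.exe")
# Program the article describes being swapped in.
SHELL_BINARIES = ("cmd.exe",)


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large binaries are not loaded whole."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def audit_system32(system32: Path) -> dict:
    """Return {binary: finding}: 'ok', 'missing' or 'copy of <shell>'."""
    # Windows file names are case-insensitive, so index by lower-case name.
    present = {p.name.lower(): p for p in system32.iterdir() if p.is_file()}
    shell_hashes = {
        sha256_of(present[name.lower()]): name
        for name in SHELL_BINARIES if name.lower() in present
    }
    findings = {}
    for name in ACCESSIBILITY_BINARIES:
        path = present.get(name.lower())
        if path is None:
            findings[name] = "missing"  # moved away or deleted
        else:
            match = shell_hashes.get(sha256_of(path))
            findings[name] = f"copy of {match}" if match else "ok"
    return findings


def demo() -> dict:
    """Audit a constructed System32 layout in which sethc.exe was swapped."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "cmd.exe").write_bytes(b"constructed cmd.exe bytes")
        (root / "SETHC.EXE").write_bytes(b"constructed cmd.exe bytes")
        (root / "Utilman.exe").write_bytes(b"constructed utilman bytes")
        return audit_system32(root)


if __name__ == "__main__":
    for binary, finding in demo().items():
        print(f"{binary}: {finding}")
```

A hash match only proves an exact copy of the cmd.exe in the same directory; an "ok" result does not rule out a replacement with some other program.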

Level of vulnerability in different Windows Versions

I have conducted various tests of this vulnerability on different versions of Windows with different commands. My observations are as follows:

Some potentially harmful commands I tested were 100% successful on these versions: Windows XP, Windows Vista and Windows 7. 95% of these commands were successful on Windows 8-8.x and Windows 10. A situation where an attempt was unsuccessful was when trying to change the password for an on-line user account on the later versions of Windows.