Windows Vista security
So you got the brand-new Windows rendition? Are you feeling secure now that you run the most secure Windows ever? Well take a look at this and wonder how come Microsoft just doesn’t understand security. In this case privileges are assigned based on a filename (Utilman.exe). So what happens when you rename another binary to Utilman.exe? Take a look and laugh your ass off. I’ve said it many times before and I will repeat it over and over again: Microsoft sucks!! They really don’t get security, they really don’t.
Here’s your video. Be careful I almost forgot to breathe while laughing. Hats off to the guys at offensive security. You almost killed me with this.
Backtrack is a live Linux distro. You can boot it on any system to get a full working Linux environment. That is what is used to copy cmd.exe over Utilman.exe.
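The trick in the video works because the logon screen trusts whatever file is called Utilman.exe. A defender can catch that substitution with a plain file-integrity check. The following is an added example (not from the post or the Offensive Security video), written in Python: it hashes Utilman.exe, flags it if it is byte-for-byte identical to cmd.exe, and otherwise compares it to a baseline hash you are assumed to have recorded from a known-good install. The demo builds a fake System32 directory with constructed file contents so it runs anywhere.

```python
import hashlib
import os
import shutil
import tempfile

# The accessibility binary the Vista logon screen launches as SYSTEM (from the post).
WATCHED = ["Utilman.exe"]
# The shell shown being copied over it in the video.
SHELLS = ["cmd.exe"]


def sha256_of(path):
    """SHA-256 of a file, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def check_accessibility_binaries(system32, baseline):
    """Return (name, reason) findings for watched binaries under `system32`.
    `baseline` maps file name -> expected SHA-256 (assumed to come from a trusted install)."""
    findings = []
    shell_hashes = {}
    for shell in SHELLS:
        p = os.path.join(system32, shell)
        if os.path.isfile(p):
            shell_hashes[sha256_of(p)] = shell
    for name in WATCHED:
        p = os.path.join(system32, name)
        if not os.path.isfile(p):
            findings.append((name, "missing"))
            continue
        digest = sha256_of(p)
        if digest in shell_hashes:           # renamed copy of a shell: the exact trick in the video
            findings.append((name, "identical to " + shell_hashes[digest]))
        elif name in baseline and baseline[name] != digest:
            findings.append((name, "hash differs from baseline"))
    return findings


def demo():
    """Constructed scenario: a fake System32 before and after cmd.exe is copied over Utilman.exe."""
    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, "cmd.exe"), "wb") as f:
            f.write(b"constructed stand-in for cmd.exe")
        with open(os.path.join(d, "Utilman.exe"), "wb") as f:
            f.write(b"constructed stand-in for Utilman.exe")
        baseline = {"Utilman.exe": sha256_of(os.path.join(d, "Utilman.exe"))}
        clean = check_accessibility_binaries(d, baseline)
        shutil.copyfile(os.path.join(d, "cmd.exe"), os.path.join(d, "Utilman.exe"))
        tampered = check_accessibility_binaries(d, baseline)
        return clean, tampered
```

On a real host you would point `check_accessibility_binaries` at the actual System32 directory and feed it hashes recorded from a trusted image; running it from boot-time or scheduled tooling is what makes it a detection rather than a one-off check.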
May 26th, 2008 at 11:58
Oh.
My.
God.
This is killing. Someone should be axed for allowing this to get in!
May 26th, 2008 at 22:13
So that Linux is a hacker tool and must be banned!!
Cracking the security is forbidden. Computer trespass!
May 27th, 2008 at 0:10
*ANY* physical access to a machine means by definition that the machine is hacked, no matter the OS. I have these CDs that crack Windows and Linux alike, have even used the Windows one quite recently at some place that I cannot disclose.
So nothing to see here, move along. Video is funny tho, with the Explorer running in front of the login screen. My approach is a little nicer and allows you to login with administrator or system accounts normally.
To protect against all this, do the following: set a BIOS password and BIOS admin password, in the BIOS setup to not allow booting from CD, USB, etc., only from hard disk, use (preferably full disk) encryption and physically lock the PC’s case with a padlock.
Locking the case is only a deterrent. If one really, really wants (think (corporate) espionage or criminal (information) theft, same thing as far as I’m concerned), these locks are easy to break open or (more hassle tho) one could use a cutter to cut open the case in case the info is all you want.
Once the case is open, other stuff can be done (resetting the BIOS to default values by removing the battery, removing the disk and putting it in another system, and I remember them good ol’ SGI Indies that had a jumper that reset the local root password).
In case the disk contains confidential information, that’s where full disk encryption comes in handy. You may have lost the disk, but at least your info is not in the wild.
May 27th, 2008 at 0:12
Crap!!! Forgot to post anonymously as Herr Oberst Ernst H.B.!!! Now his cartoon Nazis are on to me!!! Argh!!! Quick, where’s my tinfoil hat!?!?
May 27th, 2008 at 7:31
The big fuckup here is not that the machine can be compromised by physical access. The big fuckup is that a user is allowed to start a program (with root privileges) WITHOUT EVEN AUTHENTICATING. The whole idea of the logon screen is that a user is required to authenticate BEFORE using the computer.
Now any system can be compromised when physical access is provided, but this is part of the defined behaviour of Vista. You shouldn’t let a user start any program without authenticating first. Security rule #1: don’t trust the guy at the keyboard.
If Microsoft would make a Linux distro it would look like this:
May 27th, 2008 at 8:20
Hahaha, brilliant!! This is indeed the level at which, and the way in which, our administrators approach technology. This could easily end up in the newspaper one bad day. They really have no idea what they are doing. That is clear from how the fuss around the voting machines and the OV-chipkaart debacle were handled.
May 27th, 2008 at 18:11
Ok, you asked for it, let the flame wars begin
Hacking a Unix so you do not have to authenticate to become root. We don’t even need to run some program that happens to be run as system user. Waaaay too complicated.
‘ere we go: start your favorite Linux live CD and mount the root partition of the targeted machine on e.g. /mnt. Once mounted:
# cd /mnt/etc/init.d
# vi rc
In this file, directly after:
PATH=/sbin:/bin:/usr/sbin:/usr/bin
export PATH
Add:
mount -o remount,rw /
exec /bin/sh
Save the file and restart the target machine and lo and behold (zomfg, p0wned, ftw).
Look ma, no login prompts… Don’t even have to press enter to become root as I have to with Redmond Linux
Mwuuuuuhahahahahaha!
May 28th, 2008 at 7:41
ALRIGHT NOW! The first official BloggEd! FLAMEWAR has started!!
Yes, yes… blah blah, we all know that. You don’t have to go to all the trouble you describe. Just replace init with anything you like. On most Unix systems you don’t even need to change the setup. Just boot to single user mode, most systems will not prompt for root password.
Is this a problem?: NO
Like stated before: physical access to a system allows it to be compromised.
So I’ll repeat it once again:
The fuckup is that the Vista™® logon screen allows the user to START AN EXTERNAL PROGRAM (WITH SYSTEM PRIVILEGES) WITHOUT AUTHENTICATION
So the joke about MS™® Redmond™® Linux™® 2009™® Ultimate™® Server™® Edition™® having a login that allows you to authenticate or start an external program with root privileges (a shell in this case) is not a joke. It is actually what the Vista logon screen allows a user to do: “authenticate OR run a specific command with system privileges (without authentication)”. That is BAD design. The only options should be ‘restart’ or ‘authenticate’. After authentication programs can be started on behalf of that user.
You may disagree, and probably will because you really start to sound like an MS®-fanboy™ now, but don’t keep reiterating the fact that physical access allows a system to be compromised because we agree on that. We all know and we all agree…