Windows security hole gives anyone access to computer without logging into User Account

Every week users are presented with new security bulletins for Windows 7 and reminded of attacks via the internet, downloaded malware and the many other methods attackers use to access someone’s computer. What is rarely talked about, and is of no less importance, is the physical attack a user faces when someone gets hands-on access to his/her computer.

Take for instance: you have a computer at work and one at home, you sometimes need to bring your work home with you and have very important files stored on your home computer, or you really just don’t want someone accessing your computer. The average user has one line of defense to keep people from logging into the computer and doing what they will to the files, and that is setting a user password. More advanced users know other methods, such as setting a password via BIOS, but face it, most users have no idea you can do this.

Two weeks ago I wrote a program that allows a user to replace the Ease Of Access Button on the Logon Screen. This was meant as a means to give users more flexibility, as some users do not use the Ease Of Access button. 

While putting this application together I came across something purely by accident. A little modification of the code to my application, and not only could a user replace the Ease Of Access Button, but the user could use this as a means of accessing someone’s computer via the Logon Screen. All one had to do was replace the Ease Of Access Button with “a particular in-built native Windows tool”!

This would potentially allow a user to bypass all users’ passwords and would allow the user to attach a flash drive … and remove anything from the computer that they wished. Not only would this allow the user to remove files, but a user could delete, modify or move any file on the computer, essentially destroying the operating system, in which case you would need to reinstall.

The following are screenshots of my modified application at work:

Test user account, password protected.


My thumb drive inserted. Shows there are no files on the drive.


Browsing the Test account, then selecting and copying three files I created to test with.


Copied over to the thumbdrive.


Logged in, showing the files I copied to the thumbdrive.


I have been in contact with Microsoft through several emails explaining the issue, and I have also supplied Microsoft with the complete details and the code I used. So far the response has not been very positive, as it seems the particular employee I have spoken to does not believe this to be an issue. I am still waiting on their next response to see what steps Microsoft may take to remedy this, and hopefully they will take the issue seriously.

This was the Microsoft representative’s response:

There are a couple of behaviors that make this an issue that we would not consider a security vulnerability from my understanding of your report.

  1. To run a different executable as admin, the file to be changed has to be changed by an admin. The changed utility may then be available to even standard users at logon, but the change must be done by an admin user.
  2. Physical access to the system is necessary in order to carry out this behavior. There are many malicious things a user can do with physical access to a system and while we do publish best practices for physical security of computing resources, we cannot protect against physical access in its entirety.

The following link was provided by Microsoft stating that the issue ranked (2)#3 and (1)#6 on this list: 10 Immutable Laws of Security

What the Microsoft representative failed to understand was that a user does not have to be an administrator to run the code. It can be run by anyone with enough knowledge.

My point to Microsoft is simple. Replacing the Ease Of Access Button should not be so simple. Better steps should have been taken to ensure that something this critical could not be modified, as it is a core element of the Logon Screen. If they cannot ensure this, then there should be an option to not display this button.

If others feel this to be a serious issue as I believe it is, please contact security (at) microsoft (dot) com and voice your concerns.

The author, Lee Whittington, loves to use his learned talents to write software as a hobby. He also enjoys playing with Photoshop and is a serious Windows, Software, Gadgets & a Tech news buff. Lee has studied Visual Basic, C++ and Networking.
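
A defender-side check for the tampering this post describes, as an added example that is not part of the original post or its comments: it flags a Utilman.exe whose owner or write permissions differ from the stock TrustedInstaller setup, or whose content is byte-identical to another executable in System32. The function name Test-UtilmanIntegrity is hypothetical, and PowerShell 4.0 or later (for Get-FileHash) is assumed.

```powershell
# Added example: audit the logon-screen Ease of Access binary for tampering.
# Assumes PowerShell 4.0+ (Get-FileHash); run from an elevated prompt.
$Sys32   = Join-Path $env:windir 'System32'
$Utilman = Join-Path $Sys32 'Utilman.exe'          # path as given in the comments
$Stock   = 'NT SERVICE\TrustedInstaller'           # owner of stock system files

function Test-UtilmanIntegrity {                   # hypothetical helper name
    param([string]$Path = $Utilman, [string]$SearchDir = $Sys32)

    $findings = @()
    $item = Get-Item -LiteralPath $Path -ErrorAction Stop
    $acl  = Get-Acl  -LiteralPath $Path

    # 1. Ownership: a changed owner means someone ran takeown (or similar) on the file.
    if ($acl.Owner -ne $Stock) {
        $findings += "Owner is '$($acl.Owner)', expected '$Stock'"
    }

    # 2. Write access: on a stock install only TrustedInstaller may write.
    $writeData = [System.Security.AccessControl.FileSystemRights]::WriteData
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -eq 'Allow' -and
            (($ace.FileSystemRights -band $writeData) -eq $writeData) -and
            $ace.IdentityReference.Value -ne $Stock) {
            $findings += "Write access granted to '$($ace.IdentityReference.Value)'"
        }
    }

    # 3. Content: is the file a byte-for-byte copy of another executable?
    #    Compare sizes first so only plausible candidates get hashed.
    $hash  = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
    $twins = Get-ChildItem -LiteralPath $SearchDir -Filter '*.exe' -File -ErrorAction SilentlyContinue |
        Where-Object { $_.FullName -ne $item.FullName -and $_.Length -eq $item.Length } |
        Where-Object { (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash -eq $hash }
    foreach ($twin in $twins) {
        $findings += "Content is identical to $($twin.Name)"
    }

    return ,$findings
}

$result = Test-UtilmanIntegrity
if ($result.Count -eq 0) { "Utilman.exe: no tampering indicators found" }
else { $result | ForEach-Object { "Utilman.exe: $_" } }
```

A machine that has had the takeown/cacls commands from the comments below applied will report a non-stock owner; that finding is expected there.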
  • Daniel

    Wow, this shows how much Microsoft take this sort of stuff. Have you made a video and sent it in to Microsoft?

  • Daniel

    The other thing, what if someone was remote desktop?

  • ouezezmoaurh
  • Lee@TWC

    Daniel: No, I was thinking of putting a video together, just in case others claim I faked it, and I may still put one together. What I did do after I was essentially blown off was send them the complete code I used for the application. I have been contacted since and it seems they are looking further into it, but I am still waiting on another response. Also, this is purely a physical flaw as it requires the user to have physical access to the computer.

    Ouezezmoaurh: Yes, using similar methods this can be done to access a computer, difference is, if a user never touches the button, one would never know it has been replaced, thus giving a user unlimited access whenever he/she has access to the computer!

  • Abbey

    Although, with physical access to a PC, an expert could probably hack into your computer, this is making it very easy! An Ease of Access button replacer is available on Deviantart. I suppose one can use it to replace it with a CMD. The logon screen which is supposed to protect me if my computer falls physically in someone else’s hands, itself is providing a hole. Wonderful!

  • Jeff Mortenson

    Unfortunately you have just discovered a mindset we in the computer security arena know all too well … Microsoft arrogance. They think “common” users are too stupid to discover security flaws, when in fact it was the hacker community which aided their security teams to secure NT from its inception. It was also this very same community which gave us the knowledge that NT could, in fact, become secure enough to run TS documents on – as long as it’s not connected to any other computer! Well, I suppose this little hack proves that Windows’ security is “rock solid” as long as it’s not booted!

  • Susan

    Law number 3 of computer security – http://technet.microsoft.com/en-us/library/cc722487.aspx If I have physical access to your PC I can do anything.

    Read this old story about a similar topic.
    http://netsecurity.about.com/cs/windowsxp/a/aa112103c.htm this is not new.
    The Microsoft person is absolutely right. If I have physical access to your PC I can boot with http://pogostick.net/~pnh/ntpasswd/ and reset the password.

    You have physical access to the PC, you are an admin. It’s not a security issue.

  • Lee@TWC

    Abbey: Yes I know I created the Ease Of Access Button Replacer.
    Jeff: I agree 100% and you see my point exactly as intended.
    Susan: This was never a matter of this is the only way in. This is merely giving users knowledge that a new problem exists and I did it in minutes, which also gives me the ability to do this without a user ever knowing I did it. The problem is you have missed the point completely. Yes this is a new issue, with Windows 7, not XP, yes there are ways of accessing computers using available tools, yes I can access your computer without resetting your password, alerting you in any way. This is my point. It is not an argument, it is merely stating the fact that yes this is a problem.

  • Susan

    It’s not a new issue. If I have physical access to a PC it is no longer a secure system. The underlying “insecurity” has not changed. Give me physical access to a Mac and I can own it as well.

  • Lee@TWC

    Susan: You’re turning this into a debate and an I Can Do This. Anyone with the knowledge can access a computer physically. You’re still missing the underlying point behind this article. Nowhere does it say it is the only way to access a computer. It is a new way (I found) and I am sharing it with everyone that I know (does not) know (this) issue exists. It should have never been as easy as it is to do what I did.

  • Dana

    You clearly have no idea what you are dealing with here. First off, a normal user cannot install this. You must be in an administrative context to do this, which leads to far worse conditions than replacing a file. And if you really want to address this, simply do the following within an elevated administrative cmd window:

    takeown /f %windir%\system32\Utilman.exe
    cacls %windir%\system32\Utilman.exe /C /D Everyone

    By applying this simple ACL, you prevent a bonehead from overwriting the file with your own rogue trojan. Which is what you think you have uncovered.

    Honestly, MS was right. The 10 immutable laws of security are there for a reason. If you truly don’t understand them, there is no hope. You can call this a security flaw all you want. However the weakest link in security is the human factor… thank you for showing us that yet again.

  • http://unixwiz.net Steve Friedl

    Lee: is the user replacing this button an *administrative* user?

  • Lee@TWC

    Dana: ……………… Nothing really to say except yes, actually I have a lot of ideas about what I am dealing with. Assuming the command you are displaying is how this works, you have no idea what I am dealing with.

    Steve: The application that was originally written runs itself elevated without interaction from the user. Modified, which is what I have shown Microsoft, and what they are looking into, it can be done without needing to be logged on much the same way other tools are used.

    The only difference I have tried to convey to users is not that this is some mind blowing security issue but an issue nonetheless. As someone who values people’s safety/privacy with their computers, what I see different than other methods mentioned above (password changes……) is the fact that unless someone clicked the Ease Of Access button (which to be honest, most don’t) this could be used as long as the person wanted it to without the owner of the computer knowing, be it their children, family, friends.. whoever can get their hands on it trying to sneak about.

    The comments, claiming how smart you are that you can do this and can do that, that I don’t know anything about it………. w/e the case. This post was merely written to show users of a way that they do not know. No it is not the only way, it is merely a way I came across while writing a simple application for customizers to use. Do I think it the worst, No, but an issue nonetheless. The case being, it shouldn’t be as easy to do as it is, plain and simple.
