6 May 2013

Owning Windows 7 - From Recovery to "nt authority\system" - Physical Access Required

Just wanted to share with you the below, which I have already communicated with Microsoft - according to MSRC team "An attacker with unrestricted physical access can certainly manipulate a system in multiple ways. This is not something we consider a security vulnerability." thus no CVE "Computer owners should provide for physical security of systems as part of best practices. There is more discussion of physical access in the "10 Immutable Laws of Security" (http://technet.microsoft.com/en-us/library/hh278941.aspx) under Law #3".

The scenario is as follows:
  1. Windows 7 SP1, and
  2. Workstation with BIOS settings to restrict boot up from CD, and
  3. Workstation joined in Windows Active Directory or Standalone
By forcing the machine to boot or shutdown abnormally (eg pressing the ctl+alt+del during bootup or press the power button (kill) during shutdown) Windows will enter the "Windows Error Recovery" menu asking us whether we wish to "Launch startup Repair (recommended)" or "Start Windows Normally"

Select the "Launch Startup Repair (recommended)"

Recovery process will display a "Windows is loading files...." message, then after a while we enter the "Startup Repair" process (graphical interface)
A message might appear asking you if you want to "Restore your computer using System Restore", select Cancel, if it does.
Shortly, a new message box will come up prompting us "Send information about the problem (recommended)" or "Don't send" and at the bottom of this dialog box the option with label "View problem details" exist. Click on "View problem details", you will get information such as "Problem signature" and more.

Note that at the very bottom of this textarea a link exists which points to the X (temporary RAMDISK) drive (X:\windows\system32\en-US\erofflps.txt),

Clicking on the link; Notepad launches.

From there, one can go to File | Open view all contents of the C/D/X/etc drive, copy files to/from different locations/drives (copy files from others' C:\documents and settings\* profiles, Documents, Desktop etc), create files, launch cmd.exe. As you may have guessed all cmd commands will run from X's ramdrive context, which means you cannot just "net user newuser password /add && net localgroup administrators newuser /add" and expect newuser be there on next reboot), you may though backdoor C's Windows through other techniques;) and manipulate the filesystem as "nt authority\system", you have the full control, you are not limited.

Through ms-dos prompt we noticed we had been granted with "nt authority\system" privileges which makes sense having so, to perform the recovery operation, but it's too easily for anyone to abuse them providing he has casual physical access (eg in environments such as libraries, universities, offices, reception front desks etc; I will leave your imagination from this point to work:)

The above scenario is also valid if you boot the workstation using the Windows 7 Repair Disc (condition #2 "Workstation with BIOS settings to restrict boot up from CD" should not be met), at some point a Windows "System Recovery Options" dialog box will prompt you to "Load Drivers" use that option to nagivate the OS and own the host.

General note: If you enter Recovery Mode by pressing F9->F8->Repair Your Computer at boot time you will not be able to reproduce the process, as Windows WILL prompt you for credentials. You have to cause an abnormal shutdown (killing windows loading process will also do), or use the Windows 7 Repair Disc.

As probably others may agree with me, "nt authority\system" access should not be so easy given (or acquired by default, design, whatever, name it), at a minimum a password prompt or other control should exist to prevent the ownage.