Hot keys permissions bypass under XP

From: Charles Chear (charles.chearat_private)
Date: Mon Dec 17 2001 - 11:24:33 PST


    Vendor: Microsoft
    Product: XP Home Edition (and others?)
    Specifics: Initial Login
    
    Vulnerability Briefing: "Hot keys" allow non-administrative users to execute
    Administrator owned applications which are not usually accessible to them.
    
    Description:
    Hot keys are specially created buttons (or key combinations) to launch
    particular programs such as an Internet browser or word processor. Many
    newer keyboards have them featured, and in my case, laptops as well.
    
    When XP is initially booted, all hot keys are disabled until actual
    authentication of the administrator or first account. Once logged in, hot
    keys are then enabled for use, usually by the initialization of a program
    in the background which assigns these hot keys.
    
    In some cases, such as a time of idle, XP will put itself back to the login
    screen for security purposes. This will require users to re-authenticate to
    get back to their current session, whether password protected or not.
    
    At this point, without logging in, and as long as the user session is still
    alive, any local user has the ability to start any program assigned to the
    hot key -- no matter what permissions.
    
    This leads to a host of situations where the range of results could be just
    merely an annoyance (dozens of browsers open) or actual exploitation. Local
    users could execute a known vulnerable application (such as some sort of
    daemon) and exploit it remotely as it is running under administrative
    privileges. That is, of course, if a daemon is actually assigned to a
    hot key.
    
    There are limitations in this situation though. Hot keys are disabled once
    logged in as an account besides that of the first/administrative. And to my
    knowledge so far, there is not a way to get the program to execute and be
    available on any desktop besides that of the first/administrative.
    
    Fixes:
    -Disable hot keys.
    -Microsoft has been notified and a patch should be available soon.
    
    Adios,
      Charles Chear
      http://www.tpgn.net
    
    
     >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
    
    "Think twice, do once." - Some Old School Chinese Proverb.
    GPG: http://presto.tpgn.net/charles.asc
    
    <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
    


