The hack has been well documented for some time, but it might be a bit of a surprise to regular users just how easy it is to compromise a machine you have brief access to. An article published by Carnal0wnage describes replacing "Sticky Keys" on the Windows 7 login screen with the command prompt executable, which essentially lets a user make all hell break loose.
It's as simple as briefly gaining access to an elevated command prompt on a workstation and typing the following command:
REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe" /v Debugger /t REG_SZ /d "C:\windows\system32\cmd.exe"
After that, the user can return to the workstation at a later time, press the SHIFT key five times (which normally invokes Sticky Keys), and an elevated command prompt is launched. From there, you can launch any process -- even Explorer -- and do anything you like, just as if you were logged on.
The hack has been unpatched for some time now and appears to work on both Windows 7 and Windows Server 2008 R2. Additionally, once the key is in place, the same trick works over an RDP session. It is virtually undetectable aside from the registry key. Essentially, the above command sets the "debugger" for Sticky Keys to the command prompt executable, so Windows launches cmd.exe in place of sethc.exe, and it runs at the system level while the machine is locked.
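Since the registry key is the one artifact this leaves behind, here is an added example (not from the original post or from Carnal0wnage) that parses the output of `reg export` for the Image File Execution Options key and flags any Debugger value attached to sethc.exe or the other accessibility executables reachable from the logon screen; the sample export is constructed, and the list of accessibility binaries beyond sethc.exe is this example's own addition.

```python
import re

# A Debugger value under <IFEO root>\<image>.exe makes Windows launch the named
# debugger instead of the image; that is the mechanism the REG ADD above relies on.
IFEO_ROOT = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options"

# Executables launchable from the logon screen. sethc.exe is the one in the article;
# the others are the same class of binary and deserve the same scrutiny (assumption).
LOGON_SCREEN_BINARIES = {"sethc.exe", "utilman.exe", "osk.exe", "narrator.exe",
                         "magnify.exe", "displayswitch.exe", "atbroker.exe"}

def parse_ifeo_debuggers(reg_export_text: str) -> list[tuple[str, str]]:
    """Return (image, debugger) pairs from 'reg export' output of the IFEO key."""
    findings, image = [], None
    for raw in reg_export_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            # Subkey header: the image name is the first path component after the root.
            rest = line[1:-1].split("Image File Execution Options\\", 1)
            image = rest[1].split("\\")[0].lower() if len(rest) == 2 else None
            continue
        m = re.match(r'"Debugger"="(.*)"$', line, re.IGNORECASE)
        if image and m:
            # .reg files escape backslashes and quotes; undo that to get the real path.
            findings.append((image, m.group(1).replace('\\"', '"').replace("\\\\", "\\")))
    return findings

def flag_logon_screen_hijacks(reg_export_text: str) -> list[tuple[str, str]]:
    """Keep only Debugger entries attached to binaries launchable from the logon screen."""
    return [(img, dbg) for img, dbg in parse_ifeo_debuggers(reg_export_text)
            if img in LOGON_SCREEN_BINARIES]

# Constructed sample export (not captured from a real machine): the article's sethc.exe
# entry plus a legitimate-looking debugger on notepad.exe, which should not be flagged.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe]
"Debugger"="C:\\windows\\system32\\cmd.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"Debugger"="C:\\Tools\\windbg.exe"
"""

def report(reg_export_text: str = SAMPLE_EXPORT) -> list[str]:
    """Human-readable alert lines, one per flagged logon-screen binary."""
    return [f"ALERT: {img} is redirected to {dbg}"
            for img, dbg in flag_logon_screen_hijacks(reg_export_text)]
```

On a live host, feed it the text of `reg export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options" ifeo.reg` (the file is written as UTF-16, so open it with that encoding).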
Update: This same hack works on the Windows 8 Consumer Preview at the time of writing. As noted by many others, this is not really an exploit and has existed for some time now; however, it can be a little fun to try on your own workstation.