Vista (in)Security via Back|Track

GarethDW · 11 Jun 2008 at 22:27

I saw this video over at the Back|Track site which shows just how easily a Vista box can be compromised. Admittedly, you need physical access, so the machine could be hacked any number of ways, but I was amazed that Microsoft's flagship OS is vulnerable in such a basic way... renaming cmd.exe as UtilMan.exe

http://www.offensive-security.com/movies/vistahack/vistahack.html

zetec452 · 11 Jun 2008 at 22:35

Linux can be very easily hacked with pysical access. What is your point?

NicNac · 11 Jun 2008 at 22:35

wow thats pretty damning wonder how long it will take for microsoft to sort this

GarethDW · 11 Jun 2008 at 22:46

JonRohan said:
Linux can be very easily hacked with pysical access. What is your point?

I know that a machine that someone has physical access to can be easily hacked... that's why I said so in my post.

My point is that if you're going to allow a program to run under the context of the system user regardless of a user's credentials (or lack of, in this case), then you really should make sure that nobody can replace that executable with another one of their choice.

tntcoder · 11 Jun 2008 at 22:53

Interesting little trick, while I agree anything can be done with physical access, many of these kind of attacks can and should be prevented, Microsoft need to improve their security model, which still even today has many flaws.

Una · 11 Jun 2008 at 22:59

If you have physical access to this disk you can do a similar thing in *nix (e.g just replace /bin/login). So I don't see what your point is.

GarethDW · 11 Jun 2008 at 23:46

Una said:
If you have physical access to this disk you can do a similar thing in *nix (e.g just replace /bin/login). So I don't see what your point is.

Fair enough. Didn't realise that would work in *nix, so I've just been reading up on it. Turning up some interesting info

Dj_Jestar · 12 Jun 2008 at 02:54

Physical access on *nix would infact be easier than pie with Backtrack.. mount, chroot anyone?

Oh, and if you're that interested.. download a bootable CD called "SuperUtilities" and (if you find the right one) it'll be a Gentoo based live-cd that can reset all passwords.

zetec452 · 12 Jun 2008 at 08:10

tntcoder said:
Interesting little trick, while I agree anything can be done with physical access, many of these kind of attacks can and should be prevented, Microsoft need to improve their security model, which still even today has many flaws.

Every Operating System has security flaws. Including *nix. Although I do see what you are saying and partly agree.

More people tend to poke holes in Mirosoft systems than *nix, its more fun.

TrX · 15 Jun 2008 at 00:57

GarethDW said:
Fair enough. Didn't realise that would work in *nix, so I've just been reading up on it. Turning up some interesting info

or just append 'single init=/bin/bash' to grub infact

Nice root prompt.
Then, mount -o remount,rw /
And then you can change whatever you want.
If someone has physical access to the box, you have lost

eXor · 15 Jun 2008 at 09:23

TrX said:
If someone has physical access to the box, you have lost

If someone has physical access to the box, and the entire hard drive is encrypted, they have lost.

Well, they could still open the case / keyboard and plant some sort of keylogging device or point a hidden camera at your keyboard.

AGD · 15 Jun 2008 at 09:36

eXor said:
If someone has physical access to the box, and the entire hard drive is encrypted, they have lost.

Not if your computer is on. Then they can get the key from the ram.

tntcoder · 15 Jun 2008 at 11:26

bibalasvegas said:
Not if your computer is on. Then they can get the key from the ram.

I think you would have had to have done something pretty bad in order to warrant someone going to the effort of freezing and analyzing your ram

Una · 15 Jun 2008 at 11:53

eXor said:
If someone has physical access to the box, and the entire hard drive is encrypted, they have lost.

Hardware hacking and freezing ram attacks aside. Hmm not really... there's a ton of writable memory most people don't think about. BIOS, MBR, APCI,flashable memory on your ethernet card, etc..) - All depends how much work you want to put into it. Coding rootkits for embedded chips is not trivial but there are many points you can intercept data.

Moredhel · 15 Jun 2008 at 13:21

tntcoder said:
I think you would have had to have done something pretty bad in order to warrant someone going to the effort of freezing and analyzing your ram

No need, just stick a Firewire or USB device in, both give unrestricted read access to all areas of RAM.