Hello once again internet, today I wanted to talk about a pretty old hack that I’m sure most of you are already familiar with: using a windows install USB stick to gain a privileged command line.
Now if you were like me then this hack might have been one of the first that you performed on an actual production system. Whether it was your own system and you just were curious to see if it would work or if like me you had a friend who forgot their password after changing it and said “Hey you’re a hacker right? Can you help me get back into my laptop.”.
The simplicity of this exploit allows even script kiddies to gain control over a windows system provided that they have physical access, this raises the question why hasn’t Microsoft patched this exploit? Today I seek to answer that question, first we are going to look at just how this vulnerability can be exploited and then we are going to look at how it can be prevented, then I’ll share my thoughts on why I think Microsoft hasn’t patched it.
Where this vulnerability really shines is in how simple and easy to use it is, you need 2 things, A windows install loaded onto a USB flash drive and physical access to the target machine. Once you boot to the flash drive you can use a keyboard shortcut to bring up a command line, next you replace one of the executables in the system32 folder with cmd.exe or ftp.exe, restart the computer and boot into the OS and then launch the executable either via keyboard shortcut or by the GUI. This brings up a privileged command line and then you own the system. For an in depth guide I recommend checking out this guide from TrustedSec.
Now lets talk about prevention, this is a relatively easy attack to prevent the obvious solution being secure the machine against physical access. However for use cases where this is infeasible the next step is to disable USB ports or use a bootlocker, if the attacker cant boot from the usb drive or change the executable names then they cant exploit this vulnerability. The third option is anti virus signatures/definitions, tellingly windows even has signatures that allow windows defender to block certain renamed executables preventing this Trojan from occurring however not all combinations are blocked.
Building on that last point lets talk about why this still works, although some combinations of filename/executable are blocked from running Microsoft has allowed some to still function including my personal favorite changing magnify.exe to ftp.exe. Personally I believe this was intentional on Microsoft’s part as there are advantages to leaving a backdoor in windows.
My reasoning is twofold, first because of the numerous ways to prevent such and attack and that it requires physical access I doubt that large organizations are putting pressure on Microsoft for a fix as this will mainly effect end users and personal systems. This allows legitimate technicians and state sponsored intelligence agencies/law enforcement access into these personal devices. And second because this is a well known vulnerability Threat Actors are more likely to attempt this attack instead of looking for other vulnerabilities that leverage physical access, this gives Microsoft and security researchers time to find and address these vulnerabilities before they can be exploited in the wild.
Now I should state that I currently have no affiliation with Microsoft and that I would personally disagree that the vulnerability should be intentionally allowed to remain, however I do feel that Microsoft’s actions or rather inaction in this case is not an example of ignorance but instead is a strategic move on the part of Microsoft.
Let me know your thoughts in the comments down below, and until next time this is your resident Script Kitty signing off.