Windows Vista Vulnerable to StickyKeys Backdoor
Monday March 12, 2007 at 8:11 am CST
Posted by Vinoo Thomas
StickyKeys is an accessibility feature to aid handicapped users. It allows the user to press a modifier key, such as the Shift key, and have it remain active until another key is pressed. StickyKeys is activated by pressing the Shift key (or another modifier key) five times in a row, at which point a beep sounds. Sounds innocuous, right? Dead wrong!
Apparently, Windows Vista does not check the integrity of the file that launches StickyKeys, c:\windows\system32\sethc.exe, before executing it. This means you could replace it with another executable and run that program by pressing the Shift key five times. A popular replacement is cmd.exe. After the replacement, one could invoke this command prompt at the login prompt without the need to authenticate, as shown in the screenshot below.

Once launched, it is possible to run explorer.exe without authenticating and get a full desktop running under the credentials of the NT Authority\System account. From this point on an attacker has full access to the system.

This legacy backdoor method is nothing new: Windows 2000 and XP are also vulnerable. Applying the latest Windows updates ensures that sethc.exe is protected by Windows File Protection. In Vista, replacing system files is more difficult because they are owned by TrustedInstaller. However, running the following two commands nullifies this protection.
takeown /f c:\windows\system32\sethc.exe
cacls c:\windows\system32\sethc.exe /G administrator:F
To execute the above commands successfully, an administrator must be logged in; but a determined attacker can always find workarounds to exploit this built-in backdoor. In fact, once a command prompt is obtained via this method, it can be used to create a new user, add that user to the Administrators group via the net command, and then use this account to log in legitimately, using the following commands.
net user USERNAME /add
net localgroup administrators USERNAME
One can always argue that an attacker actually needs access to the machine to pull this off. But of all the unauthorized system access incidents that organizations reported last year, roughly 27% were by internal employees, and it is this threat from within (disgruntled or naughty employees) that poses the greatest computer security threat to organizations today.
Another alarming aspect of this backdoor is that an attacker can use this method to bypass the login on terminal servers and on workstations with Remote Desktop enabled. Since no third-party tools are installed on the system and Microsoft's own files are used to achieve this, it will be difficult for a typical administrator to detect.
Perhaps one can uninstall the Accessibility Tools feature, which is installed by default, to avoid this fairly simple yet potentially serious built-in backdoor. And don't forget to hit the Shift key five times and see what pops up on your desktop.
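To detect the swap the post describes rather than perform it, here is an added PowerShell audit (not part of the original post) that flags a sethc.exe or utilman.exe whose content, version resource, owner or ACL no longer looks like a stock System32 binary. It assumes Windows Vista or later, where System32 files are owned by NT SERVICE\TrustedInstaller, and PowerShell 4 or later for Get-FileHash.

```powershell
# Added example, not from the original post: a defender-side audit of the accessibility
# binaries discussed above (sethc.exe, and utilman.exe from the comments). Assumes
# Windows Vista or later (TrustedInstaller ownership) and PowerShell 4+ for Get-FileHash.
$system32      = Join-Path $env:SystemRoot 'System32'
$expectedOwner = 'NT SERVICE\TrustedInstaller'
$targets       = @('sethc.exe', 'utilman.exe')

# The classic swap copies cmd.exe over the target, so a matching hash is a giveaway.
$cmdHash = (Get-FileHash -Algorithm SHA256 (Join-Path $system32 'cmd.exe')).Hash

foreach ($name in $targets) {
    $path = Join-Path $system32 $name
    if (-not (Test-Path $path)) { Write-Output "$name : MISSING"; continue }
    $findings = @()

    # Check 1: content identical to cmd.exe.
    $hash = (Get-FileHash -Algorithm SHA256 $path).Hash
    if ($hash -eq $cmdHash) { $findings += 'hash matches cmd.exe' }

    # Check 2: the version resource should still name the original binary
    # (cmd.exe reports "Cmd.Exe"; -ne compares case-insensitively).
    $orig = (Get-Item $path).VersionInfo.OriginalFilename
    if ($orig -and ($orig -ne $name)) { $findings += "OriginalFilename is '$orig'" }

    # Check 3: takeown, as used in the post, moves ownership away from TrustedInstaller.
    $acl = Get-Acl $path
    if ($acl.Owner -ne $expectedOwner) { $findings += "owner is '$($acl.Owner)'" }

    # Check 4: cacls /G administrator:F rewrites the ACL; by default only
    # TrustedInstaller holds write or full-control rights on System32 binaries.
    foreach ($ace in $acl.Access) {
        $who    = $ace.IdentityReference.Value
        $rights = $ace.FileSystemRights.ToString()
        if (($ace.AccessControlType -eq 'Allow') -and ($who -ne $expectedOwner) -and
            ($rights -match 'FullControl|Modify|Write')) {
            $findings += "writable by $who ($rights)"
        }
    }

    if ($findings.Count -eq 0) {
        Write-Output "$name : OK (SHA256 $hash)"
    } else {
        Write-Output "$name : SUSPICIOUS - $($findings -join '; ')"
    }
}
```

Run it from an elevated prompt so the ACL and owner reads are reliable; any SUSPICIOUS line is worth comparing against a known-good copy of the same binary.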

March 13th, 2007 at 02:34
Sorry, I fail to see the vulnerability here. The file in question is only writable by an administrator. Regular users only have read and execute privileges on that file. So how's this supposed to elevate my privileges? If I'm an administrator there are a lot of easier ways to gain SYSTEM.
March 13th, 2007 at 05:22
I’ve made a screencast of a similar hack with Utilman.exe:
http://didierstevens.wordpress.com/2006/09/05/playing-with-utilmanexe-the-motion-picture/
March 13th, 2007 at 13:24
Vista and StickyKeys…
I just read this article from PCWorld about a McAfee researcher who says that StickyKeys could be used for bad by tricking users into launching unauthorized software. The attacker would have to replace the sethc.exe file with another that would be run …
March 13th, 2007 at 13:28
>To execute the above commands successfully, it requires an
>administrator to be logged in; but a determined attacker can
>always find workarounds to exploit this built-in backdoor
Sorry, that’s rubbish. If an ‘exploit’ requires that an attacker have administrator access to the machine before you’ve even begun it is not an exploit. What is the point of a long sequence of steps that starts “get admin access” and ends with you running the code of your choice on a machine? If you have administrator access, you can ALREADY run the code of your choice on the machine, because you have administrator access! You could just put the code of your choice in the startup folder or something and forget the whole stickykeys nonsense.
Reminds me of the time everyone was blogging about an 'exploit' that let you change people's login passwords in Windows XP — notwithstanding that it only worked if you were logged in as administrator, in which case you could just do the same thing in control panel.
March 13th, 2007 at 14:09
Do you have nothing better to do? This is lame. Your scenario is that someone would go to the trouble of implementing this backdoor (which requires local admin rights) and then using the resultant command prompt to create a local admin account.
But - if I already have the ability to execute the takeown & cacls commands - why go to all this trouble just to create a local admin account. There’s no point or purpose, malicious or otherwise.
March 13th, 2007 at 14:16
Weak point in logic:
“…but a determined attacker can always find workarounds to exploit this built-in backdoor. ”
How? With this question unanswered, this is just as effective as swapping explorer.exe.
March 13th, 2007 at 14:45
As Remko says, I fail to see how this is a vulnerability. If you have admin access to replace the file there, you already own the system and there are far simpler things you can do. This is about the equivalent of saying if you're an admin you can do bad things. No shit, Sherlock.
March 13th, 2007 at 19:33
[...] I know… I’d laugh at the title as well… So let me clarify a few things. I’m not calling this a backdoor… I’m quoting the original post over at McAfee Avert Labs. I also don’t agree with the issue here… to put it into a single sentence, it basically says, “If I have physical administrative access to your computer, then I can get system access.” I did some testing of this on both XP and Vista (since it’s apparently a legacy “backdoor” back as far as 2000) and I’d like to shed some light on it. If this isn’t clear yet, I agree with Bill on this subject. [...]
March 14th, 2007 at 08:12
No vuln here - you're getting admin rights by running some tools when you're logged on as an admin.
March 15th, 2007 at 20:52
[...] Which means you could replace it with another executable and run it by depressing the shift key five times. A popular replacement is “cmd.exe.” After replacement, one could invoke this command prompt at the login prompt without the need to authenticate,” Thomas said in a note posted on the McAfee Avert blog. [...]
March 16th, 2007 at 19:28
All you people fail to see other ways an insider can replace this file. An employee with access to the machine can boot it from BartPE or Knoppix and replace the sticky keys file. And once this is done, you have backdoor access to the box with admin rights.
March 19th, 2007 at 14:02
Caleb,
Don't have the resources to test, but would that work on an NTFS filesystem? I don't think so.
March 20th, 2007 at 01:02
[...] This vulnerability was discovered by a McAfee researcher, Vinoo Thomas. According to his blog, the StickyKeys can be modified to launch an unauthorised software when triggered. [...]
March 20th, 2007 at 07:51
"All you people fail to see other ways an insider can replace this file. An employee with access to the machine can boot it from BartPE or Knoppix and replace the sticky keys file. And once this is done, you have backdoor access to the box with admin rights."
Why admin rights? sethc.exe runs in the context of the logged in user.
March 20th, 2007 at 18:29
You don't get admin rights when you use this backdoor, you get SYSTEM rights. System access to a Windows box is far more deadly than just admin rights.
March 21st, 2007 at 00:38
This allows an attacker with physical access to get system access, errrr I’d say that WAS a vulnerability in my world, no?
Of course it would work on the NTFS file system - this is a variant of replacing netlogon.scr with cmd.exe and waiting for the logon screensaver to pop up, voila, system level access. Boot with Knoppix and you can do either of these easily with NTFS.
March 21st, 2007 at 13:14
Caleb's idea would work in theory. Bart PE can read NTFS, as I believe Linux can too. I recently used a Bart PE disk to mount the disks of an old server we lost admin rights to, so I could edit the registry hive to install my own service that in turn ran as LocalSystem and reset the admin password. It worked like a charm. Replacing a file would be no problem and easier than what I had to do.
March 21st, 2007 at 18:16
So let me get this straight. In order to execute this ‘vulnerability’ you need to have administrative rights on the system to begin with, then take ownership of a file, modify the ACL, and then replace it with a program of your choice?
This is the stupidest excuse for a vulnerability I’ve ever seen.
*This* is why I don’t use McAfee products.
March 21st, 2007 at 18:43
You can write to an NTFS filesystem just fine when booted from BartPE. See http://www.nu2.nu/pebuilder/ for instructions on building one. With Knoppix you have read-only permission to NTFS and it takes a command to write. Can't remember the command off the top of my head right now.
March 24th, 2007 at 10:25
After 21 responses to this blog post, I am incredibly dismayed that nobody has pointed out the serious disadvantage of taking Vinoo’s advice for “fixing” the problem! Some users with physical disabilities really do actually need this sticky keys functionality. Accessibility features are absolutely essential for some. They are not toys! An IT administrator could actually cause a person with a disability to become unable to do their job by taking Vinoo’s advice! McAfee’s software is already rather inaccessible to blind people who rely on screen readers, so maybe this is just yet another sign of the company’s absolute ignorance of these concerns. Watch out. I’m going to post a note about this to my own blog, including a link back to this article for all to see!
March 24th, 2007 at 10:37
Hmm. How about the user with a physical disability who becomes unable to do their job once this sticky keys feature has been taken away? Vinoo’s post does not address that concern, neither do the 21 responses thus far. Amazing!
March 28th, 2007 at 14:31
This is a joke, right? Is it April 1st? Sheesh guys, if this is all you can find in Vista, then it must be pretty secure!
March 31st, 2007 at 13:18
>>How about the user with a physical disability who becomes unable to do their job once this sticky keys feature has been taken away?
Agreed - folks should brush up on some law: the Americans with Disabilities Act.
April 12th, 2007 at 02:29
To Mike
“So let me get this straight. In order to execute this ‘vulnerability’ you need to have administrative rights on the system to begin with, then take ownership of a file, modify the ACL, and then replace it with a program of your choice?”
NO YOU DON'T, you need to stick in a Knoppix CD and press the reset button. You need no credentials whatsoever.
This is the stupidest excuse for a vulnerability I’ve ever seen.
In that case you clearly don’t understand the issue
*This* is why I don’t use McAfee products
I’m sure McAfee support are very grateful
As for users with disabilities, yes they need access, and MS can surely patch this vulnerability to allow them to retain this feature - I doubt McAfee would produce a Vista patch, I don’t believe they are in the business of patching MS OS’s are they?
May 22nd, 2007 at 14:33
[...] McAfee researcher Vinoo Thomas said the security risk, which is already well-known on Windows XP, exists because Windows Vista does not check the integrity of the Sticky Keys file (%systemroot%\windows\system32\sethc.exe) before executing it. "Which means you could replace it with another executable and run it by depressing the shift key five times. A popular replacement is "cmd.exe." After replacement, one could invoke this command prompt at the login prompt without the need to authenticate," Thomas said in a note posted on the McAfee Avert blog. [...]
June 11th, 2007 at 08:28
I hope that you all realise that sticky keys are extremely important to those of us who don't have full dexterity or sight. I am a blind person using a screen reader and although I accept there may be some vulnerability here, I cannot condone the taking away of something which makes computers accessible to those who otherwise couldn't utilise them.
You may also be interested to know (if you care that is) that the fields to fill in to send this response aren’t exactly over-friendly. Thanks GJH.
August 4th, 2007 at 01:58
To everyone who is bitching about 'you already need to have admin to do this', that is possibly the most retarded thing I've ever heard.
I personally have a backdoor like this running on my non *nix systems just in case someone manages to change the password, it saves me a hell of a lot of time cracking the SAM file.
August 20th, 2007 at 16:05
Gaining admin rights on a system using XP or Vista is not hard with BartPE builder. Using an old build you can null out an admin password (on the local side) or create a user with admin rights.
As for the usability, I can see some uses that this can be utilized for. This is just but one of many "bugs" that Microsoft has in its OS. Vista, XP, etc.
And as far as all the other complaints: what if these scripts were added to a file, say a JPEG, that ran as a background script when you download a pic from your email? Bam, your system just has had this enabled. Now if you have any type of, say, VNC or any other outside access to your PC enabled, then any would-be hacker has full "SYSTEM" privs, fark admin privs; your PC / server could be down in seconds.
Just my thoughts on this matter. me I just disable the function. why leave something like this open to start with.
September 21st, 2007 at 00:37
You know… being a network engineer for a little while has taught me one thing. The fact that I have physical and unsupervised access to the machine is a security concern for a client, for the only thing between their business being secured or unsecured is my business ethics.
Exploits that require modifications and other things are really a waste of time, as anyone who wants your data can obtain it very easily anyway.
I always tell my clients that if someone wants to steal their data they will drive a truck through the front door and walk away with their server, much cheaper, more efficient and less time consuming.
Kind Regards
February 21st, 2008 at 23:49
"As for the usability, I can see some uses that this can be utilized for. This is just but one of many "bugs" that Microsoft has in its OS. Vista, XP, etc."
This is not a Microsoft-specific "BUG"; you can do the same on Linux, BSD, …. PS: I'm not an M$ fan.
So the first security step is to lock your system physically.
April 7th, 2008 at 23:52
Sometimes the StickyKeys dialog box appears when nobody is using the computer, as if someone had pressed the shift key 5 times. Could this be some unauthorized external access?
May 27th, 2008 at 08:12
I see a point, as far as the exe can’t be replaced unless you have admin access.
But I have a problem with the login and loading a desktop. There should be no way, under any situation, for it to be able to bypass that.
GhaFear
June 11th, 2008 at 11:56
[...] described in StickyKeys Backdoor, you can swap sethc with cmd.exe and instead of sticky keys coming up when you hit shift five [...]
June 11th, 2008 at 12:46
WRONG!
You don’t need admin access. Pop in Auditor or backdoor linux boots and in five minutes flat you can have the ’sploit in place and running.
June 14th, 2008 at 09:20
Or, you could just turn off StickyKeys altogether. That would just about solve that problem.
June 29th, 2008 at 10:09
“an attacker can use this method to bypass login on terminal servers and workstations with the remote desktop enabled. Since no third-party tools are being installed on the system and we are using Microsoft’s own files to achieve this, it will be difficult to detect for a typical administrator.”
I just discovered a couple of terminal servers in our university network where one could remotely backdoor in using this Sticky-key backdoor method with full SYSTEM rights. So this technique is being used by bad guys and it's shocking that M$ still don't protect sethc.exe and utilman.exe with Windows File Protection!!!
August 26th, 2008 at 12:58
[...] on Windows Vista, as on XP and 2000, and using other applications. One of these examples is the sticky keys one, sethc.exe, mentioned by one of my colleagues on our lists. Like the previous one, it [...]
April 27th, 2009 at 08:13
[...] a really interesting hole in windows that has a variety of potential. I am going a bit off the original post with some added information. It seems though that a lot more people out there don’t see this [...]
May 1st, 2009 at 22:59
Works on 100% of campus computers. Kind of scary the potential information someone nefarious can get. Keylogger anyone?
May 5th, 2009 at 04:46
“Windows Vista Vulnerable to StickyKeys Backdoor”
Am I really the first one here to say, “That’s what she said!” to this??