back to article Remote hacker nabs Win10 logins in 'won't-fix' Safe Mode* attack

Security researcher Doron Naim has cooked an attack that abuses Windows 10's Safe Mode to help hackers steal logins. The Cyberark man says remote attackers need to have access to a PC before they can spring this trap, which involves rebooting a machine into Safe Mode to take advantage of the lesser security controls offered in …

Anonymous Coward

Security 101:

If they get physical control of your machine it's no longer YOUR machine. You better hope you locked it out of the intranet or else they own that too. And every device connected to it (the computer & the network) that it (the computer) had the rights to access. Every printer, scanner, fax, coffee machine, database, email client/server, every file/print server, every employee file, HR record, et al. If the attacker can sit down at the keyboard then YOU no longer own it.

21
2
Anonymous Coward

Re: Security 101:

Created an odd situation yesterday.

iMac. System was working fine beforehand.

Problem: Unable to log into an iMac. I had applied/installed security update 2016-001 (10.11.6) manually via combo update, rebooted. Had been using a physical (non apple, 2 button) mouse and keyboard before this update, worked fine.

After install, at login screen, unable to click (left) mouse click to return focus to login.

Powered off, restarted, this time focus was showing flashing caret correctly, managed to enter password using a physically connected keyboard.

On reaching desktop, had mouse movement, but no (left) click, with a physcially connected mouse. Mouse appearing to be drawing selection boxes (signs of a held down left mouse button)

(Tested under Windows: The iMac dual boots Windows 10 1607, the physical mouse/keyboard was working correctly under Windows 10 1607)

Back in macOS: Had to use keyboard to get to System Preferences, (eventually) searched bluetooth.

It turned out, the iMac had enabled Bluetooth during the update, a Bluetooth Magic Mouse (which was switched on, on a nearby desk but stuck under paperwork, holding down the mouse click), had connected automatically to the machine.

This prevented any physical mouse from operating on the machine itself (as the magic mouse, was generating a held down left click response)

Disabled Bluetooth, rebooted, got back control.

So a Bluetooth Magic Mouse can cause havoc, if its ready to connect, during the installation of combo update Security Update 001 (10.11.6). Certainly odd, though, luckily I guessed it might be to do with bluetooth and a nearby device.

i.e. A malicious sellotaped down (or in this case a paperwork held down) click button, bluetooth magic mouse seems to have the ability to cause havoc.

Still trying to piece together how it all came about though.

14
1

Re: Security 101:

> "Still trying to piece together how it all came about though."

Because "it just works". Not a bug, but a feature, whether you wanted it or not.

9
2
Anonymous Coward

Re: Security 101:

Yep, Apple loves throwing you (and "priority" devices) over into this walled garden.

A {remotely operated} Bluetooth Magic Mouse has priority over a physically connected generic usb mouse, who'd have thought?, only Apple.

13
2
Anonymous Coward

Re: Security 101:

No security 101 is "Confidentially, Integrity and Availability", "least privilege" and "It depends".

The idea that if the attacker can touch the device they win is a load of crap and you just don't how to defend your assets.

What about the insder threat?

What if an employee gets mugged?

What about the evil maid?

If you build a device you have to mitigate against all of these and more. When it falls into the wrong hands it should be either an encrypted brick or stuck in some limited user mode.

At the very least you should keep going until the pentesters can't privilege escalate. Disabling safe mode is just one of many things you have to do.

2
4
Silver badge

Re: Security 101:

"If they get physical control of your machine it's no longer YOUR machine."

If they get physical access they think it's their machine. Of course it's still running W10...

14
1
Silver badge

Re: Security 101:need to have access to a PC

Game over if an evil entity has physical machine access. I stopped reading after that. I used to have linux OS CD with a program that could change the password on an NT account. It was amazing how often I had to legitimately use it for clients.

Once I was called to "fix" a dead class room. The RAM and HDD had been stolen from every PC!

7
0
Silver badge

Re: Security 101:

Well, lost/stolen devices happen. I'm curious if the problem/exploit also relied on MS sign in (so anyone can just login in if connected to some network). Once in they trigger restart into the safe mode (this can be accomplished in other ways) and pick saved creds that not only give them access to local content but also to cloud stuff (if the legit owner was not quick to react and change the password online). Unintended consequences of pushing "sign in with MS accout" so excuse that "Microsoft will not fix the attack vector since it depends on hackers already having access to a Windows machine." may be weak.

2
0

Re: Bluetooth mouse on mac

Had something similar happen to me too: I was called in to someone's home who was having trouble with their mac bluetooth mouse, which wasn't working right. I can't remember the specifics, but plugging in a USB mouse seemed to work but not his apple wireless mouse - eventually I discovered that as far as I could tell, unless he had a hidden mouse somewhere, his mac had actually connected to his neighbour's mouse in the house next door!

5
0
Anonymous Coward

At the AC, Re: Security 101:

You can lock down the machine until you're blue in the face & happy as a pig in shit. Unfortunately for you it won't last the time it takes the scumbag sitting at the keyboard to remove the hard drive, clone it to another system, & run linux across it. Poof no more security since none of your security measures make a damn bit of difference to any OS not the one you locked down. Once they've broken the clone they replace the original drive, log in with your admin password, & you can kiss your network goodbye.

We've been able to get, reset, & change Windows passwords by simply booting to any one of hundreds "Security" or "System Fix" style LiveCD environments for decades. You can remove the CD so we can't use that avenue but then we can remove the drive to a different machine that does. You can lock out the USB so we can't boot to a thumb drive, but then we can move the hard drive to a different system that does. Once we have the hard drive it's no longer YOUR drive to control. Once we have the machine it's no longer YOUR machine to control. We own it, we own you, & we'll own your network if the machine contains the credentials to access your infrastructure.

"But no user's system would contain those credentials!" Fine. We'll just steal YOUR machine that does. Now the network thinks we're you since we have all your passwords. Now let's see what havoc we can cause shall we?

The number one lesson in any security situation is to prevent physical access to the machine. Your OS security means sweet fuck all if I can get my hands on your computer because it's no longer yours to control. It won't matter a butterfly's fart in a tornado that you've locked the OS down into Orwellian levels of Big Brother paranoia if I can simply remove the drive, clone it elsewhere, & attack the clone until it breaks. I can then take the facts learned from the broken security drive, apply them to the original drive in a nondestructive way, & walk through your security measures like I belong there doing it.

You can vote me down all you like, that's fine, but it doesn't change the fact that all your security means zip if the miscreant has physical access to the device.

0
0
Silver badge

Re: Security 101:

>A {remotely operated} Bluetooth Magic Mouse has priority over a physically connected generic usb mouse, who'd have thought?, only Apple.

Huh? Who was talking about priority ? Both mice are equal, one appears to be holding down the left mouse button, which means that that "control button" is inoperable on the other mouse. You can invert both mice ... same thing. You get the same on Windows, BTW.

What commen@rd is complaining about is that the combo update enables bluetooth for him, while he is goddam sure he had it disabled before he installed combo update ... might be so, I dunno - he left a wireless mouse set to "on" under a pile of paper ... not too sure if that is a sign of trustworthiness ... but hey!

1
0
Bronze badge

Re: At the AC, Security 101:

Unless the hard drive is encrypted. Then booting up Linux and mounting the system's hard drive doesn't help you grab anything.

The subject of the article allows you to get around this, since as a user with local administrative privileges, you'd have the encrypted keys.

0
0
Silver badge

The fun never ends

Win 10, a never ending source of fun.

Not.

10
5
Silver badge
Happy

Re: The fun* never ends

* Other fun may be available.

5
1
Silver badge

Re: Win 10, a never ending source of fun.

Because other OSs are secure if a hacker gets physical access?

9
1

Re: The fun never ends

Seems a lot of effort to go through when 10 seconds unattended can see you plug in a USB keylogger between PC and keyboard. Which works on any OS as far as I'm aware.

5
0
Silver badge

Yay for Billywindows...

NOT.

So all PC's need to be physically secured as well? Wot a bugger.

derp durr.

2
6

Once you open the door, all bets are off

Once attackers break through the perimeter and gain local administrator privileges on an infected Windows-based machine

I.e. "...once they pwn you, then they can pwn you a different way too!"?

Yeah, I can see why MS want to address other concerns first. The interesting bit is how to gain local admin privs. Most of us assumes that you can do some pretty gnarly things once there. That is precisely why we want to avoid letting anyone gain local admin privs in the first place.

If these researchers could demonstrate to elevate from guest to admin, then I am fairly sure MS would respond with haste.

Best regards,

Captain Obvious (This message has been signed. If my signature does not show up, visit the following URL and supply your local admin account name and password: http://letmepwnyou.silly/ Your contribution will be mentioned in my security research paper entitled "lazy hacks from the frontier")

6
0
Anonymous Coward

Parable: The Return of the Prodical Son.

Microsoft's Joe Belfiore will be back soon to solve all our problems!

(Welcome him back with open arms everyone)

With Terry Myerson playing the part of the older brother...

;)

0
0
Anonymous Coward

Re: Parable: The Return of the Prodical Son.

prodigal

1
0
Silver badge
Happy

Re: Parable: The Return of the Prodical Son.

Protological?

0
0
Anonymous Coward

Re: Parable: The Return of the Prodical Son.

proctological?

2
0
Anonymous Coward

Remote???

"remote attackers need to have access to a PC before they can spring this trap"

On which planet do 'remote attackers' have physical access to the PC? If they have physical access they aren't remote!!

10
0
Silver badge

Re: Remote???

USB memory stick(s) in the car park.

4
0
Bronze badge

Re: Remote???

Insider threats... which are approximately 18% of attacks corporate networks face.

0
0
Anonymous Coward

Yes, I meant prodigal. (Sorry Terry! Be easy on him)

0
0

NEWS JUST IN...

Having physical access and local administrative permissions on a machine allows leet crackers to perform actions that compromise other users.

5
0

Ctrl-Alt-Del

How exactly does this work around the requirement to press Ctrl-Alt-Del before entering your password? That's always intercepted by the system, even in Safe Mode.

0
0

Re: Ctrl-Alt-Del

Not everyone has this turned on as a requirement, especially if it's not connected to a domain, it's not turned on by default. And few people would think/know to try ctrl-alt-del if they don't normally have to. Or indeed, even if they normally do ctrl-alt-del they may not think to do it if it doesn't ask.

3
0

Requires local admin = not a vulnerability

If you have local admin you can install a keylogger into the regular mode, you don't need safe mode.

You can also read password hashes straight out of the registry. Because you own the SAM. This includes cached hashes[*[ from recent logins

Seriously who vets these stories?

[*] that's what enables you to log in using your domain credentials while not connected to the network

4
1
Silver badge

The problem with this hack...

...is getting to Safe Mode in Windows 10 in the first place.

Just dump the crappy Fast Boot and give us the simple F8 option back please.

I love a lot of the MS instructions gleefully telling you to easily use Safe Mode via the settings menu. Yeah well if I could get to the Settings menu I wouldn't need Safe Mode...

12
0

Correction:

'Microsoft will not fix the attack vector since it depends on hackers already having access to a Windows machine.'

Microsoft will not fix the attack vector since it depends on your telemetry to target more pop-up adverts to your desktop and into your browser. FTFY.

1
4
Silver badge
Thumb Up

Encrypted HD, right?

Can't boot into Safe Mode if you can't access the Windows files.

0
0
Gold badge

Re: Encrypted HD, right?

On a sane system, the files needed to boot up the system and the files containing personal information would be kept separate, allowing you to encrypt the volume containing the latter without having to encrypt the volume containing the former.

2
0

Re: Encrypted HD, right?

physical access required therefore we can just add this to the myriad of other ways in for a physical attacker.

I'd still like to see this fixed though, a modern OS should be as hardened as possible and kept up to date as often as required. I'm currently watching a documentary on nation state hacking, zero day, it's very good but the length of time that zero day vulnerabilities go undetected and the even when they are detected MS are sluggish to respond, is worrying.

1
0
Bronze badge

Unless the hard drive is encrypted. Then booting up Linux and mounting the system's hard drive doesn't help you grab anything.

The subject of the article allows you to get around this, since as a user with local administrative privileges, you'd have the encrypted keys.

0
0

I had all the best intentions in the world to keep reading, but i got as far as

The Cyberark man says remote attackers need to have access to a PC before they can spring this trap, which involves rebooting a machine into Safe Mode to take advantage of the lesser security controls offered in that environment."

and switched off.

Riiight so they need direct hardware access BEFORE this is possible.....games already over then if they have direct hardware access, rendering this further exploit pointless.

0
0

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Forums

Biting the hand that feeds IT © 1998–2018