Remote hacker nabs Win10 logins in 'won't-fix' Safe Mode* attack Security researcher Doron Naim has cooked an attack that abuses Windows 10's Safe Mode to help hackers steal logins. The Cyberark man says remote attackers need to have access to a PC before they can spring this trap, which involves rebooting a machine into Safe Mode to take advantage of the lesser security controls offered in …
If they get physical control of your machine it's no longer YOUR machine. You better hope you locked it out of the intranet or else they own that too. And every device connected to it (the computer & the network) that it (the computer) had the rights to access. Every printer, scanner, fax, coffee machine, database, email client/server, every file/print server, every employee file, HR record, et al. If the attacker can sit down at the keyboard then YOU no longer own it.
Created an odd situation yesterday.
iMac. System was working fine beforehand.
Problem: Unable to log into an iMac. I had applied/installed security update 2016-001 (10.11.6) manually via combo update, rebooted. Had been using a physical (non apple, 2 button) mouse and keyboard before this update, worked fine.
After install, at login screen, unable to click (left) mouse click to return focus to login.
Powered off, restarted, this time focus was showing flashing caret correctly, managed to enter password using a physically connected keyboard.
On reaching desktop, had mouse movement, but no (left) click, with a physcially connected mouse. Mouse appearing to be drawing selection boxes (signs of a held down left mouse button)
(Tested under Windows: The iMac dual boots Windows 10 1607, the physical mouse/keyboard was working correctly under Windows 10 1607)
Back in macOS: Had to use keyboard to get to System Preferences, (eventually) searched bluetooth.
It turned out, the iMac had enabled Bluetooth during the update, a Bluetooth Magic Mouse (which was switched on, on a nearby desk but stuck under paperwork, holding down the mouse click), had connected automatically to the machine.
This prevented any physical mouse from operating on the machine itself (as the magic mouse, was generating a held down left click response)
Disabled Bluetooth, rebooted, got back control.
So a Bluetooth Magic Mouse can cause havoc, if its ready to connect, during the installation of combo update Security Update 001 (10.11.6). Certainly odd, though, luckily I guessed it might be to do with bluetooth and a nearby device.
i.e. A malicious sellotaped down (or in this case a paperwork held down) click button, bluetooth magic mouse seems to have the ability to cause havoc.
Still trying to piece together how it all came about though.
>A {remotely operated} Bluetooth Magic Mouse has priority over a physically connected generic usb mouse, who'd have thought?, only Apple.
Huh? Who was talking about priority ? Both mice are equal, one appears to be holding down the left mouse button, which means that that "control button" is inoperable on the other mouse. You can invert both mice ... same thing. You get the same on Windows, BTW.
What commen@rd is complaining about is that the combo update enables bluetooth for him, while he is goddam sure he had it disabled before he installed combo update ... might be so, I dunno - he left a wireless mouse set to "on" under a pile of paper ... not too sure if that is a sign of trustworthiness ... but hey!
Had something similar happen to me too: I was called in to someone's home who was having trouble with their mac bluetooth mouse, which wasn't working right. I can't remember the specifics, but plugging in a USB mouse seemed to work but not his apple wireless mouse - eventually I discovered that as far as I could tell, unless he had a hidden mouse somewhere, his mac had actually connected to his neighbour's mouse in the house next door!
No security 101 is "Confidentially, Integrity and Availability", "least privilege" and "It depends".
The idea that if the attacker can touch the device they win is a load of crap and you just don't how to defend your assets.
What about the insder threat?
What if an employee gets mugged?
What about the evil maid?
If you build a device you have to mitigate against all of these and more. When it falls into the wrong hands it should be either an encrypted brick or stuck in some limited user mode.
At the very least you should keep going until the pentesters can't privilege escalate. Disabling safe mode is just one of many things you have to do.
You can lock down the machine until you're blue in the face & happy as a pig in shit. Unfortunately for you it won't last the time it takes the scumbag sitting at the keyboard to remove the hard drive, clone it to another system, & run linux across it. Poof no more security since none of your security measures make a damn bit of difference to any OS not the one you locked down. Once they've broken the clone they replace the original drive, log in with your admin password, & you can kiss your network goodbye.
We've been able to get, reset, & change Windows passwords by simply booting to any one of hundreds "Security" or "System Fix" style LiveCD environments for decades. You can remove the CD so we can't use that avenue but then we can remove the drive to a different machine that does. You can lock out the USB so we can't boot to a thumb drive, but then we can move the hard drive to a different system that does. Once we have the hard drive it's no longer YOUR drive to control. Once we have the machine it's no longer YOUR machine to control. We own it, we own you, & we'll own your network if the machine contains the credentials to access your infrastructure.
"But no user's system would contain those credentials!" Fine. We'll just steal YOUR machine that does. Now the network thinks we're you since we have all your passwords. Now let's see what havoc we can cause shall we?
The number one lesson in any security situation is to prevent physical access to the machine. Your OS security means sweet fuck all if I can get my hands on your computer because it's no longer yours to control. It won't matter a butterfly's fart in a tornado that you've locked the OS down into Orwellian levels of Big Brother paranoia if I can simply remove the drive, clone it elsewhere, & attack the clone until it breaks. I can then take the facts learned from the broken security drive, apply them to the original drive in a nondestructive way, & walk through your security measures like I belong there doing it.
You can vote me down all you like, that's fine, but it doesn't change the fact that all your security means zip if the miscreant has physical access to the device.
Unless the hard drive is encrypted. Then booting up Linux and mounting the system's hard drive doesn't help you grab anything.
The subject of the article allows you to get around this, since as a user with local administrative privileges, you'd have the encrypted keys.
Game over if an evil entity has physical machine access. I stopped reading after that. I used to have linux OS CD with a program that could change the password on an NT account. It was amazing how often I had to legitimately use it for clients.
Once I was called to "fix" a dead class room. The RAM and HDD had been stolen from every PC!
Well, lost/stolen devices happen. I'm curious if the problem/exploit also relied on MS sign in (so anyone can just login in if connected to some network). Once in they trigger restart into the safe mode (this can be accomplished in other ways) and pick saved creds that not only give them access to local content but also to cloud stuff (if the legit owner was not quick to react and change the password online). Unintended consequences of pushing "sign in with MS accout" so excuse that "Microsoft will not fix the attack vector since it depends on hackers already having access to a Windows machine." may be weak.
Once attackers break through the perimeter and gain local administrator privileges on an infected Windows-based machine
I.e. "...once they pwn you, then they can pwn you a different way too!"?
Yeah, I can see why MS want to address other concerns first. The interesting bit is how to gain local admin privs. Most of us assumes that you can do some pretty gnarly things once there. That is precisely why we want to avoid letting anyone gain local admin privs in the first place.
If these researchers could demonstrate to elevate from guest to admin, then I am fairly sure MS would respond with haste.
Best regards,
Captain Obvious (This message has been signed. If my signature does not show up, visit the following URL and supply your local admin account name and password: http://letmepwnyou.silly/ Your contribution will be mentioned in my security research paper entitled "lazy hacks from the frontier")
Not everyone has this turned on as a requirement, especially if it's not connected to a domain, it's not turned on by default. And few people would think/know to try ctrl-alt-del if they don't normally have to. Or indeed, even if they normally do ctrl-alt-del they may not think to do it if it doesn't ask.
If you have local admin you can install a keylogger into the regular mode, you don't need safe mode.
You can also read password hashes straight out of the registry. Because you own the SAM. This includes cached hashes[*[ from recent logins
Seriously who vets these stories?
[*] that's what enables you to log in using your domain credentials while not connected to the network
...is getting to Safe Mode in Windows 10 in the first place.
Just dump the crappy Fast Boot and give us the simple F8 option back please.
I love a lot of the MS instructions gleefully telling you to easily use Safe Mode via the settings menu. Yeah well if I could get to the Settings menu I wouldn't need Safe Mode...
physical access required therefore we can just add this to the myriad of other ways in for a physical attacker.
I'd still like to see this fixed though, a modern OS should be as hardened as possible and kept up to date as often as required. I'm currently watching a documentary on nation state hacking, zero day, it's very good but the length of time that zero day vulnerabilities go undetected and the even when they are detected MS are sluggish to respond, is worrying.
I had all the best intentions in the world to keep reading, but i got as far as
The Cyberark man says remote attackers need to have access to a PC before they can spring this trap, which involves rebooting a machine into Safe Mode to take advantage of the lesser security controls offered in that environment."
and switched off.
Riiight so they need direct hardware access BEFORE this is possible.....games already over then if they have direct hardware access, rendering this further exploit pointless.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
