back to article Remote hacker nabs Win10 logins in 'won't-fix' Safe Mode* attack

Security researcher Doron Naim has cooked an attack that abuses Windows 10's Safe Mode to help hackers steal logins. The Cyberark man says remote attackers need to have access to a PC before they can spring this trap, which involves rebooting a machine into Safe Mode to take advantage of the lesser security controls offered in …

  1. Anonymous Coward
    Anonymous Coward

    Security 101:

    If they get physical control of your machine it's no longer YOUR machine. You better hope you locked it out of the intranet or else they own that too. And every device connected to it (the computer & the network) that it (the computer) had the rights to access. Every printer, scanner, fax, coffee machine, database, email client/server, every file/print server, every employee file, HR record, et al. If the attacker can sit down at the keyboard then YOU no longer own it.

    1. Anonymous Coward
      Anonymous Coward

      Re: Security 101:

      Created an odd situation yesterday.

      iMac. System was working fine beforehand.

      Problem: Unable to log into an iMac. I had applied/installed security update 2016-001 (10.11.6) manually via combo update, rebooted. Had been using a physical (non apple, 2 button) mouse and keyboard before this update, worked fine.

      After install, at login screen, unable to click (left) mouse click to return focus to login.

      Powered off, restarted, this time focus was showing flashing caret correctly, managed to enter password using a physically connected keyboard.

      On reaching desktop, had mouse movement, but no (left) click, with a physcially connected mouse. Mouse appearing to be drawing selection boxes (signs of a held down left mouse button)

      (Tested under Windows: The iMac dual boots Windows 10 1607, the physical mouse/keyboard was working correctly under Windows 10 1607)

      Back in macOS: Had to use keyboard to get to System Preferences, (eventually) searched bluetooth.

      It turned out, the iMac had enabled Bluetooth during the update, a Bluetooth Magic Mouse (which was switched on, on a nearby desk but stuck under paperwork, holding down the mouse click), had connected automatically to the machine.

      This prevented any physical mouse from operating on the machine itself (as the magic mouse, was generating a held down left click response)

      Disabled Bluetooth, rebooted, got back control.

      So a Bluetooth Magic Mouse can cause havoc, if its ready to connect, during the installation of combo update Security Update 001 (10.11.6). Certainly odd, though, luckily I guessed it might be to do with bluetooth and a nearby device.

      i.e. A malicious sellotaped down (or in this case a paperwork held down) click button, bluetooth magic mouse seems to have the ability to cause havoc.

      Still trying to piece together how it all came about though.

      1. MrDamage

        Re: Security 101:

        > "Still trying to piece together how it all came about though."

        Because "it just works". Not a bug, but a feature, whether you wanted it or not.

        1. Anonymous Coward
          Anonymous Coward

          Re: Security 101:

          Yep, Apple loves throwing you (and "priority" devices) over into this walled garden.

          A {remotely operated} Bluetooth Magic Mouse has priority over a physically connected generic usb mouse, who'd have thought?, only Apple.

          1. Hans 1 Silver badge

            Re: Security 101:

            >A {remotely operated} Bluetooth Magic Mouse has priority over a physically connected generic usb mouse, who'd have thought?, only Apple.

            Huh? Who was talking about priority ? Both mice are equal, one appears to be holding down the left mouse button, which means that that "control button" is inoperable on the other mouse. You can invert both mice ... same thing. You get the same on Windows, BTW.

            What commen@rd is complaining about is that the combo update enables bluetooth for him, while he is goddam sure he had it disabled before he installed combo update ... might be so, I dunno - he left a wireless mouse set to "on" under a pile of paper ... not too sure if that is a sign of trustworthiness ... but hey!

      2. Jonathan Smythe

        Re: Bluetooth mouse on mac

        Had something similar happen to me too: I was called in to someone's home who was having trouble with their mac bluetooth mouse, which wasn't working right. I can't remember the specifics, but plugging in a USB mouse seemed to work but not his apple wireless mouse - eventually I discovered that as far as I could tell, unless he had a hidden mouse somewhere, his mac had actually connected to his neighbour's mouse in the house next door!

    2. Anonymous Coward
      Anonymous Coward

      Re: Security 101:

      No security 101 is "Confidentially, Integrity and Availability", "least privilege" and "It depends".

      The idea that if the attacker can touch the device they win is a load of crap and you just don't how to defend your assets.

      What about the insder threat?

      What if an employee gets mugged?

      What about the evil maid?

      If you build a device you have to mitigate against all of these and more. When it falls into the wrong hands it should be either an encrypted brick or stuck in some limited user mode.

      At the very least you should keep going until the pentesters can't privilege escalate. Disabling safe mode is just one of many things you have to do.

      1. Anonymous Coward
        Anonymous Coward

        At the AC, Re: Security 101:

        You can lock down the machine until you're blue in the face & happy as a pig in shit. Unfortunately for you it won't last the time it takes the scumbag sitting at the keyboard to remove the hard drive, clone it to another system, & run linux across it. Poof no more security since none of your security measures make a damn bit of difference to any OS not the one you locked down. Once they've broken the clone they replace the original drive, log in with your admin password, & you can kiss your network goodbye.

        We've been able to get, reset, & change Windows passwords by simply booting to any one of hundreds "Security" or "System Fix" style LiveCD environments for decades. You can remove the CD so we can't use that avenue but then we can remove the drive to a different machine that does. You can lock out the USB so we can't boot to a thumb drive, but then we can move the hard drive to a different system that does. Once we have the hard drive it's no longer YOUR drive to control. Once we have the machine it's no longer YOUR machine to control. We own it, we own you, & we'll own your network if the machine contains the credentials to access your infrastructure.

        "But no user's system would contain those credentials!" Fine. We'll just steal YOUR machine that does. Now the network thinks we're you since we have all your passwords. Now let's see what havoc we can cause shall we?

        The number one lesson in any security situation is to prevent physical access to the machine. Your OS security means sweet fuck all if I can get my hands on your computer because it's no longer yours to control. It won't matter a butterfly's fart in a tornado that you've locked the OS down into Orwellian levels of Big Brother paranoia if I can simply remove the drive, clone it elsewhere, & attack the clone until it breaks. I can then take the facts learned from the broken security drive, apply them to the original drive in a nondestructive way, & walk through your security measures like I belong there doing it.

        You can vote me down all you like, that's fine, but it doesn't change the fact that all your security means zip if the miscreant has physical access to the device.

        1. Aodhhan

          Re: At the AC, Security 101:

          Unless the hard drive is encrypted. Then booting up Linux and mounting the system's hard drive doesn't help you grab anything.

          The subject of the article allows you to get around this, since as a user with local administrative privileges, you'd have the encrypted keys.

    3. Doctor Syntax Silver badge

      Re: Security 101:

      "If they get physical control of your machine it's no longer YOUR machine."

      If they get physical access they think it's their machine. Of course it's still running W10...

    4. Mage Silver badge

      Re: Security 101:need to have access to a PC

      Game over if an evil entity has physical machine access. I stopped reading after that. I used to have linux OS CD with a program that could change the password on an NT account. It was amazing how often I had to legitimately use it for clients.

      Once I was called to "fix" a dead class room. The RAM and HDD had been stolen from every PC!

    5. joed

      Re: Security 101:

      Well, lost/stolen devices happen. I'm curious if the problem/exploit also relied on MS sign in (so anyone can just login in if connected to some network). Once in they trigger restart into the safe mode (this can be accomplished in other ways) and pick saved creds that not only give them access to local content but also to cloud stuff (if the legit owner was not quick to react and change the password online). Unintended consequences of pushing "sign in with MS accout" so excuse that "Microsoft will not fix the attack vector since it depends on hackers already having access to a Windows machine." may be weak.

  2. ecofeco Silver badge

    The fun never ends

    Win 10, a never ending source of fun.

    Not.

    1. hplasm Silver badge
      Happy

      Re: The fun* never ends

      * Other fun may be available.

    2. sabroni Silver badge

      Re: Win 10, a never ending source of fun.

      Because other OSs are secure if a hacker gets physical access?

    3. Sebastian A

      Re: The fun never ends

      Seems a lot of effort to go through when 10 seconds unattended can see you plug in a USB keylogger between PC and keyboard. Which works on any OS as far as I'm aware.

  3. Anonymous South African Coward Silver badge

    Yay for Billywindows...

    NOT.

    So all PC's need to be physically secured as well? Wot a bugger.

    derp durr.

  4. 9Rune5 Silver badge

    Once you open the door, all bets are off

    Once attackers break through the perimeter and gain local administrator privileges on an infected Windows-based machine

    I.e. "...once they pwn you, then they can pwn you a different way too!"?

    Yeah, I can see why MS want to address other concerns first. The interesting bit is how to gain local admin privs. Most of us assumes that you can do some pretty gnarly things once there. That is precisely why we want to avoid letting anyone gain local admin privs in the first place.

    If these researchers could demonstrate to elevate from guest to admin, then I am fairly sure MS would respond with haste.

    Best regards,

    Captain Obvious (This message has been signed. If my signature does not show up, visit the following URL and supply your local admin account name and password: http://letmepwnyou.silly/ Your contribution will be mentioned in my security research paper entitled "lazy hacks from the frontier")

  5. Anonymous Coward
    Anonymous Coward

    Parable: The Return of the Prodical Son.

    Microsoft's Joe Belfiore will be back soon to solve all our problems!

    (Welcome him back with open arms everyone)

    With Terry Myerson playing the part of the older brother...

    ;)

    1. Anonymous Coward
      Anonymous Coward

      Re: Parable: The Return of the Prodical Son.

      prodigal

      1. hplasm Silver badge
        Happy

        Re: Parable: The Return of the Prodical Son.

        Protological?

        1. Anonymous Coward
          Anonymous Coward

          Re: Parable: The Return of the Prodical Son.

          proctological?

  6. Anonymous Coward
    Anonymous Coward

    Remote???

    "remote attackers need to have access to a PC before they can spring this trap"

    On which planet do 'remote attackers' have physical access to the PC? If they have physical access they aren't remote!!

    1. Dan 55 Silver badge

      Re: Remote???

      USB memory stick(s) in the car park.

    2. Aodhhan

      Re: Remote???

      Insider threats... which are approximately 18% of attacks corporate networks face.

  7. Anonymous Coward
    Anonymous Coward

    Yes, I meant prodigal. (Sorry Terry! Be easy on him)

  8. LewisRage

    NEWS JUST IN...

    Having physical access and local administrative permissions on a machine allows leet crackers to perform actions that compromise other users.

  9. Buzzword

    Ctrl-Alt-Del

    How exactly does this work around the requirement to press Ctrl-Alt-Del before entering your password? That's always intercepted by the system, even in Safe Mode.

    1. Jonathan Smythe

      Re: Ctrl-Alt-Del

      Not everyone has this turned on as a requirement, especially if it's not connected to a domain, it's not turned on by default. And few people would think/know to try ctrl-alt-del if they don't normally have to. Or indeed, even if they normally do ctrl-alt-del they may not think to do it if it doesn't ask.

  10. Ben Liddicott

    Requires local admin = not a vulnerability

    If you have local admin you can install a keylogger into the regular mode, you don't need safe mode.

    You can also read password hashes straight out of the registry. Because you own the SAM. This includes cached hashes[*[ from recent logins

    Seriously who vets these stories?

    [*] that's what enables you to log in using your domain credentials while not connected to the network

  11. jason 7 Silver badge

    The problem with this hack...

    ...is getting to Safe Mode in Windows 10 in the first place.

    Just dump the crappy Fast Boot and give us the simple F8 option back please.

    I love a lot of the MS instructions gleefully telling you to easily use Safe Mode via the settings menu. Yeah well if I could get to the Settings menu I wouldn't need Safe Mode...

  12. simonlb Silver badge

    Correction:

    'Microsoft will not fix the attack vector since it depends on hackers already having access to a Windows machine.'

    Microsoft will not fix the attack vector since it depends on your telemetry to target more pop-up adverts to your desktop and into your browser. FTFY.

  13. Tikimon
    Thumb Up

    Encrypted HD, right?

    Can't boot into Safe Mode if you can't access the Windows files.

    1. Ken Hagan Gold badge

      Re: Encrypted HD, right?

      On a sane system, the files needed to boot up the system and the files containing personal information would be kept separate, allowing you to encrypt the volume containing the latter without having to encrypt the volume containing the former.

      1. bexley

        Re: Encrypted HD, right?

        physical access required therefore we can just add this to the myriad of other ways in for a physical attacker.

        I'd still like to see this fixed though, a modern OS should be as hardened as possible and kept up to date as often as required. I'm currently watching a documentary on nation state hacking, zero day, it's very good but the length of time that zero day vulnerabilities go undetected and the even when they are detected MS are sluggish to respond, is worrying.

  14. Aodhhan

    Unless the hard drive is encrypted. Then booting up Linux and mounting the system's hard drive doesn't help you grab anything.

    The subject of the article allows you to get around this, since as a user with local administrative privileges, you'd have the encrypted keys.

  15. Mandoscottie

    I had all the best intentions in the world to keep reading, but i got as far as

    The Cyberark man says remote attackers need to have access to a PC before they can spring this trap, which involves rebooting a machine into Safe Mode to take advantage of the lesser security controls offered in that environment."

    and switched off.

    Riiight so they need direct hardware access BEFORE this is possible.....games already over then if they have direct hardware access, rendering this further exploit pointless.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2020