Sticky Keys

I’ve recently taken part in a Cyber War Games event where I learnt quite a lot about a variety of things. One of the more interesting things was the Sticky Keys exploit on Windows.

For those that don’t know, Sticky Keys is an accessibility feature in Windows that allows the user to press and release modifier keys (Ctrl, Shift, Alt, etc.) rather than having to hold them. It can be activated at any time by pressing Shift 5 times.

The vulnerability isn’t actually in the Sticky Keys executable (sethc.exe) itself, but in the fact that Windows will simply launch that executable when Shift is pressed 5 times, meaning it can be replaced with another executable such as cmd.exe. It’s also run as the SYSTEM user from the logon screen, which means you’d get a command prompt running as SYSTEM, allowing you to perform a variety of other commands.

Exploiting

For this vulnerability to work, the attacker first needs physical access to the computer. In this demo, I’ll use a Kali Linux Live USB stick on a Windows 10 laptop.

Insert the Kali Live USB and boot to it. Next we need to mount the Windows partition using ntfs-3g (install it if you don’t have it already, though it comes bundled with Kali). You can use fdisk -l to list all the connected disk drives and their partitions.

root@kali:~# mkdir -p /mnt/win10
root@kali:~# ntfs-3g /dev/sda2 /mnt/win10
root@kali:~# cd /mnt/win10

Now that we have the Windows partition mounted, we need to make a backup of the Sticky Keys executable and replace the original with a copy of cmd.exe.

root@kali:/mnt/win10# cp Windows/System32/sethc.exe Windows/System32/sethc_1.exe
root@kali:/mnt/win10# cp Windows/System32/cmd.exe Windows/System32/sethc.exe

Now shut down, remove the Kali Live USB and boot up again into Windows.
On the password entry screen, press Shift 5 times and you should be given a command prompt. From here you can modify existing user accounts, add new users, add people to groups such as Administrators and lots more.

Prevention

To prevent this particular vulnerability you can do several things, but I’d advise all of them if you want to be really secure…

Disable Sticky Keys

You can disable this from the Sticky Keys settings themselves or in your Control Panel. Turning off the keyboard shortcut should prevent Windows from launching the app when Shift is pressed 5 times.

Disable booting from USB Devices

This won’t work if someone physically removes your drive and plugs it in elsewhere, but at least it offers protection from someone walking up and performing this exploit.

Password Protect the BIOS

Combined with the above, it means that no one can make changes to your BIOS settings (such as re-enabling USB boot) without knowing the password.

Encrypt your Windows drive

You can use the built-in BitLocker in Windows to protect the data on your drive. This means that even if someone does get hold of the drive, they’ll need to break the encryption first before they can swap the executable and perform this exploit.
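As an added example that is not part of the original post, here is a PowerShell audit script a defender can run to spot the swap described above and to confirm two of the mitigations are in place. It assumes an elevated PowerShell session on the Windows machine being checked, a standard install under $env:SystemRoot, and the backup name sethc_1.exe used earlier in the post.

```powershell
# Added example (not from the original post). Assumes an elevated session.
$sys32 = Join-Path $env:SystemRoot 'System32'
$sethc = Join-Path $sys32 'sethc.exe'
$findings = @()

# 1. The genuine sethc.exe names itself in its version resource; a copied
#    cmd.exe reports cmd's own name instead, even though both are Microsoft-signed,
#    so a signature check alone would not catch the swap.
$orig = (Get-Item $sethc).VersionInfo.OriginalFilename
if ($orig -ne 'sethc.exe') {
    $findings += "sethc.exe reports OriginalFilename '$orig' - binary has been replaced"
}

# 2. A byte-identical cmd.exe is exactly the swap performed in the post.
$h1 = (Get-FileHash $sethc -Algorithm SHA256).Hash
$h2 = (Get-FileHash (Join-Path $sys32 'cmd.exe') -Algorithm SHA256).Hash
if ($h1 -eq $h2) { $findings += 'sethc.exe is byte-identical to cmd.exe' }

# 3. Leftover backup copies (e.g. sethc_1.exe) are a sign the swap was done by hand.
Get-ChildItem $sys32 -Filter 'sethc*.exe' |
    Where-Object { $_.Name -ne 'sethc.exe' } |
    ForEach-Object { $findings += "unexpected file $($_.FullName)" }

# 4. The logon screen reads Sticky Keys settings from the .DEFAULT user hive.
#    Bit 0x4 (SKF_HOTKEYACTIVE) set in Flags means five presses of Shift still launch sethc.exe.
$key   = 'Registry::HKEY_USERS\.DEFAULT\Control Panel\Accessibility\StickyKeys'
$flags = [int](Get-ItemProperty -Path $key -Name Flags -ErrorAction SilentlyContinue).Flags
if ($flags -band 0x4) { $findings += "Sticky Keys hotkey still enabled at logon (Flags=$flags)" }

# 5. BitLocker on the OS volume is what blocks the offline file swap in the first place.
$bl = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction SilentlyContinue
if (-not $bl -or $bl.ProtectionStatus -ne 'On') {
    $findings += 'OS drive is not BitLocker-protected'
}

if ($findings) { $findings | ForEach-Object { Write-Warning $_ } }
else { 'No Sticky Keys backdoor indicators found.' }
```

The hash and version-resource checks only cover a straight copy of cmd.exe; any other replacement binary will still fail check 1 because its OriginalFilename will not be sethc.exe.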