I’ve recently taken part in a Cyber War Games event where I learnt quite a lot about a variety of things. One of the more interesting things was the Sticky Keys exploit on Windows.
For those that don’t know, Sticky Keys is an accessibility feature in Windows that allows the user to press and release modifier keys (Ctrl, Shift, Alt, etc.) rather than having to hold them. It can be activated at any time by pressing Shift 5 times.
The vulnerability isn’t actually in the Sticky Keys executable itself; it’s that Windows will simply launch that executable when Shift is pressed 5 times, meaning it can be replaced with another executable such as cmd.exe. It also runs as the SYSTEM user from the logon screen, which means you’d get a command prompt as SYSTEM, allowing you to perform a variety of other commands.
For this vulnerability to work, the attacker first needs physical access to the computer. In this demo, I’ll use a Kali Linux Live USB stick on a Windows 10 laptop.
Insert the Kali Live USB and boot to it. Next we need to mount the Windows partition using ntfs-3g (install it if you don’t have it already, but it comes bundled with Kali). You can use fdisk -l to list all the connected disk drives and their partitions.
root@kali:~# mkdir -p /mnt/win10
root@kali:~# ntfs-3g /dev/sda2 /mnt/win10
root@kali:~# cd /mnt/win10
Now that we have the Windows partition mounted, we need to make a backup of the Sticky Keys executable and replace the original with cmd.exe:
root@kali:/mnt/win10# cp Windows/System32/sethc.exe Windows/System32/sethc_1.exe
root@kali:/mnt/win10# cp Windows/System32/cmd.exe Windows/System32/sethc.exe
Now shut down, remove the Kali Live USB and boot back into Windows.
On the password entry screen, press Shift 5 times and you should be given a command prompt. From here you can change existing users, add new users, add users to groups such as Administrators and lots more.
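A defender-side check for exactly this substitution, added here as an example and not part of the original post: it flags a sethc.exe that is byte-for-byte identical to cmd.exe and any stray sethc*.exe sibling such as the sethc_1.exe backup the swap leaves behind. The demo() function builds two constructed System32 look-alikes in a temp directory; on a real machine you would point check_sethc at C:\Windows\System32.

```python
from __future__ import annotations
import hashlib
import tempfile
from pathlib import Path

# File names come from the post: cmd.exe is copied over sethc.exe and the
# original is kept as sethc_1.exe in the same directory.
SETHC = "sethc.exe"
CMD = "cmd.exe"


def sha256_of(path: Path) -> str:
    """Stream-hash a file so large binaries are not read into memory at once."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def check_sethc(system32: Path) -> list[str]:
    """Return findings for a System32 directory; an empty list means nothing suspicious."""
    findings: list[str] = []
    sethc = system32 / SETHC
    cmd = system32 / CMD
    if not sethc.is_file():
        return [f"{SETHC} missing"]
    # 1. The accessibility binary must never be a copy of the command shell.
    if cmd.is_file() and sha256_of(sethc) == sha256_of(cmd):
        findings.append(f"{SETHC} is identical to {CMD}")
    # 2. Extra sethc*.exe files are the backup copy this swap leaves behind.
    for p in sorted(system32.glob("sethc*.exe")):
        if p.name.lower() != SETHC:
            findings.append(f"unexpected backup-style file {p.name}")
    return findings


def demo() -> tuple[list[str], list[str]]:
    """Constructed sample trees: one clean System32, one with the swap applied."""
    base = Path(tempfile.mkdtemp())
    clean = base / "clean"
    clean.mkdir()
    (clean / CMD).write_bytes(b"MZ-constructed-cmd")
    (clean / SETHC).write_bytes(b"MZ-constructed-sethc")
    swapped = base / "swapped"
    swapped.mkdir()
    (swapped / CMD).write_bytes(b"MZ-constructed-cmd")
    (swapped / "sethc_1.exe").write_bytes(b"MZ-constructed-sethc")  # backup left by the swap
    (swapped / SETHC).write_bytes(b"MZ-constructed-cmd")  # cmd.exe copied over sethc.exe
    return check_sethc(clean), check_sethc(swapped)


if __name__ == "__main__":
    print(demo())
```

A scheduled run of check_sethc against the live System32 directory, compared with the hash of a known-good sethc.exe from installation media, turns this into a simple integrity alert.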
To prevent this particular vulnerability you can do several things, but I’d advise all of them if you want to be really secure…
Disable Sticky Keys
You can disable this from the Sticky Keys app itself or in the Control Panel. It should prevent Windows from launching the app.
Disable booting from USB Devices
This won’t work if someone physically removes your drive and plugs it in elsewhere, but at least it offers protection from someone walking up and performing this exploit.
Password Protect the BIOS
Combined with the above, it means that no one can change your BIOS settings without knowing the password.
Encrypt your Windows drive
You can use the built-in BitLocker in Windows to protect the data on your drive. This means that even if someone does get hold of the drive, they’ll need to break the encryption first before they can perform this exploit.