
Possible open hole in Windows XP?



Posted

I'm more worried about the copying of the CMD.EXE to SETHC.EXE. Even if you remove Accessibility Tools in Add/Remove, SETHC.EXE should remain because it is needed for Desktop Themes, I think.

Posted
This information is about a year old, so, is it still valid? Because a lot of what it says makes sense.

 

http://forum.s-t-d.org/viewtopic.php?id=2116

Interesting. It does the same with Win2K. What's even more interesting (to me anyway) is that it also brings up basically the same requester with Mandriva Linux. An industry standard perhaps?

 

What remains obvious though is that if you (the nefarious hacker) want to break into a windows box using the above method, you need to be physically sitting in front of it before proceeding to do all the fancy things explained in the forum. If you're already sitting in front of it, it'd be easier to change (or remove) the admin password allowing you full access to everything without farting around too much. I've used a tool called "Offline NT Password & Registry Editor" a few times when people have given me their machines to look at without supplying the admin password to get into it. The program itself is a few years old but it still works and it's simple to use.

 

http://home.eunet.no/~pnordahl/ntpasswd/

Posted

Yeah, I noticed that. Basically, you'd need to be at the keyboard to execute it as listed, but my thinking was if it could be exploited thusly: the payload is designed to represent itself as a system update. It flags sethc.exe to be updated, initiates a call for restart, then, on restart, but before Windows loads, the update of sethc.exe occurs with a copy of cmd.exe. Then, a cmd instance is initiated minimized on start of Windows, with piped code sent to the prompt to add a new user or users. It would then be added at the current signed in level, which would be System according to what I read.
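The swap described in this post leaves a simple fingerprint: the file sitting at sethc.exe becomes byte-for-byte identical to cmd.exe. The following script is an added example for checking that from the defender's side; it is not code from the forum thread or from any tool mentioned in it. It hashes each accessibility helper in a system directory, flags any whose content matches cmd.exe, and also compares against a saved baseline of known-good hashes so that any other replacement is caught too. The `demo()` function runs the check against constructed stand-in files in a temporary directory rather than a real Windows install; the directory layout and the helper list (`sethc.exe` by default, extendable by the caller) are assumptions for the example.

```python
"""Detect an accessibility helper (e.g. sethc.exe) that has been replaced
by a copy of cmd.exe, or otherwise changed since a baseline was taken.

Added example, not the thread's own code. Paths and file contents used in
demo() are constructed stand-ins, not real Windows binaries.
"""
import hashlib
import tempfile
from pathlib import Path


def sha256_of(path):
    """Return the hex SHA-256 of a file, read in chunks."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(system_dir, helpers=("sethc.exe",)):
    """Record known-good hashes for the helpers that exist in system_dir.

    Run this on a machine you trust (e.g. right after install) and keep the
    result somewhere the machine itself cannot silently rewrite.
    """
    base = Path(system_dir)
    return {name: sha256_of(base / name) for name in helpers if (base / name).exists()}


def check_accessibility_binaries(system_dir, baseline=None, helpers=("sethc.exe",)):
    """Return {helper name: finding} for each helper.

    Findings:
      "same-as-cmd"        helper content is identical to cmd.exe (the swap)
      "baseline-mismatch"  helper changed since the baseline was recorded
      "no-baseline"        helper present but no baseline entry to compare
      "missing"            helper file not found
      "ok"                 matches baseline and differs from cmd.exe
    """
    base = Path(system_dir)
    cmd_hash = sha256_of(base / "cmd.exe")
    findings = {}
    for name in helpers:
        target = base / name
        if not target.exists():
            findings[name] = "missing"
            continue
        current = sha256_of(target)
        if current == cmd_hash:
            findings[name] = "same-as-cmd"
        elif baseline is None or name not in baseline:
            findings[name] = "no-baseline"
        elif baseline[name] != current:
            findings[name] = "baseline-mismatch"
        else:
            findings[name] = "ok"
    return findings


def demo():
    """Exercise the check on constructed files: clean state, then a swap."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        # Constructed stand-ins; a real system32 holds PE files, not these bytes.
        (root / "cmd.exe").write_bytes(b"CMD-STANDIN")
        (root / "sethc.exe").write_bytes(b"STICKYKEYS-STANDIN")

        baseline = build_baseline(root)
        clean = check_accessibility_binaries(root, baseline)
        unbaselined = check_accessibility_binaries(root)

        # Simulate the condition the post describes: sethc.exe now holds cmd.exe's bytes.
        (root / "sethc.exe").write_bytes((root / "cmd.exe").read_bytes())
        swapped = check_accessibility_binaries(root, baseline)

        # A third state: replaced by something other than cmd.exe.
        (root / "sethc.exe").write_bytes(b"SOMETHING-ELSE")
        altered = check_accessibility_binaries(root, baseline)

        return clean, unbaselined, swapped, altered


if __name__ == "__main__":
    for label, result in zip(("clean", "no baseline", "swapped", "altered"), demo()):
        print(f"{label}: {result}")
```

On a live system the same check would be pointed at the Windows system directory with a baseline recorded from a trusted state; the hash comparison against cmd.exe works with no baseline at all, which is why the "no-baseline" state still reports a swap as "same-as-cmd".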

Posted
Yeah, I noticed that. Basically, you'd need to be at the keyboard to execute it as listed, but my thinking was if it could be exploited thusly: the payload is designed to represent itself as a system update. It flags sethc.exe to be updated, initiates a call for restart, then, on restart, but before Windows loads, the update of sethc.exe occurs with a copy of cmd.exe. Then, a cmd instance is initiated minimized on start of Windows, with piped code sent to the prompt to add a new user or users. It would then be added at the current signed in level, which would be System according to what I read.

 

I'm no expert but that sounds logical. Possibly even with a special boot code that executes upon startup. Something like a fake ram drive (or whatever the hell it is) that programs like Partition Magic use when altering the C: drive. It's way out of my league in any event. The only saving grace for computer illiterates (like most of us), would be a decent firewall like ZoneAlarm that watches for new files or changes in old files wanting access to the outside world. This would have to be disabled also. Logically, unless the firewall was disabled (which BTW is the first process started by windows AFAIK), traffic from outside would be unable to pass through the firewall filters. Not to mention getting past the router (which is mandatory these days) if one is available which doesn't sound easy. I suppose if all this was accomplished, the victim's computer would also need to have remote management enabled. Dunno. Just my thoughts. I might be way off. An expert opinion would be nice. L_UK?

Posted

Christ, shamus, all this stuff I'm learning from you guys................ think I'll go underground soon....... :ph34r::ph34r: The masked kevdriver.......... :lol: In all seriousness though, the guy that wrote that app is one clever dude. Worrying though if someone wanted to use it for other means than a productive one. Then again, if someone thought that way he would probably already have the knowledge to do what this app does anyway.

At least if one of the guys at work gives me his/her computer to work on but fails to give me an admin password.................. no problem now............. :thumbup::lol:

Posted
The masked kevdriver.......... :lol:

:lol:

In all seriousness though, the guy that wrote that app is one clever dude. Worrying though if someone wanted to use it for other means than a productive one. Then again, if someone thought that way he would probably already have the knowledge to do what this app does anyway.
Agreed. I'd kill to be half as talented. Knowing there are people out there that find ways around the security of operating systems is the primary reason I don't do online banking. The convenience versus the risk just isn't worth it. It's an eye opener seeing what clever people are capable of.

 

At least if one of the guys at work gives me his/her computer to work on but fails to give me an admin password.................. no problem now............. :thumbup::lol:

It's one of those "must have" tools and a very impressive piece of programming. To me it is anyway.
