[NT] Hot Key Permissions Bypass under Windows XP

From: support@securiteam.com
Date: 12/22/01

From: support@securiteam.com
To: list@securiteam.com
Date: Sat, 22 Dec 2001 08:09:48 +0100 (CET)

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

  Hot Key Permissions Bypass under Windows XP


"Hot keys" allow non-administrative users to execute Administrator-owned
applications that are not usually accessible to them.


Hot keys are specially created buttons (or key combinations) that launch
particular programs such as an Internet browser or word processor. Many
newer keyboards and laptops feature them.

When XP is initially booted, all hot keys are disabled until actual
authentication of the administrator or any other account. Once logged in,
hot keys are then enabled for use, usually by the initialization of a
program in the background that assigns these hot keys.

In some cases, such as after a period of idle time, XP will return to the
login screen for security purposes. This requires users to
re-authenticate to get back to their current session, whether password
protected or not.

At this point, without logging in, and as long as the user session is
still alive, any local user has the ability to start any program assigned
to the hot key.

This leads to a host of situations where the results could range from a
mere annoyance (dozens of browsers open) to actual exploitation.
Local users could execute a known vulnerable application (such as some
sort of daemon) and exploit it remotely, as it is running under
administrative privileges. That is, of course, if a daemon is actually
assigned to the hot key.

There are limitations in this situation though. Hot keys are disabled once
logged in as an account other than the first/administrative one. In
addition, to our knowledge so far, there is not a way to get the program
to execute and be available on any desktop besides that of the running

 - Disable hot keys.


The information has been provided by Charles Chear
<charles.chear@tpgn.net>.
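
One way to look for the behaviour described above in logs, as an added example that is not part of the original advisory: it flags programs started in a user's session between a workstation lock and the next unlock. The event IDs (4800/4801/4688, the Security log IDs of later Windows versions, not XP), the record layout, and the names hotkeyd.exe and ftpd.exe are assumptions, and the sample events are constructed.

```python
from datetime import datetime

# Assumed Security log event IDs (later Windows versions, not XP).
LOCK, UNLOCK, PROC_CREATE = 4800, 4801, 4688

# Constructed sample events, deliberately out of order.
# "hotkeyd.exe" is a hypothetical hot key helper; "ftpd.exe" a hypothetical daemon.
EVENTS = [
    {"time": "2024-01-15T09:00:00", "id": PROC_CREATE, "user": "admin",
     "image": "hotkeyd.exe", "parent": "explorer.exe"},
    {"time": "2024-01-15T09:05:00", "id": PROC_CREATE, "user": "admin",
     "image": "iexplore.exe", "parent": "hotkeyd.exe"},
    {"time": "2024-01-15T09:30:00", "id": LOCK, "user": "admin"},
    {"time": "2024-01-15T09:41:10", "id": PROC_CREATE, "user": "admin",
     "image": "iexplore.exe", "parent": "hotkeyd.exe"},
    {"time": "2024-01-15T09:41:30", "id": PROC_CREATE, "user": "SYSTEM",
     "image": "defrag.exe", "parent": "svchost.exe"},
    {"time": "2024-01-15T09:41:12", "id": PROC_CREATE, "user": "admin",
     "image": "ftpd.exe", "parent": "hotkeyd.exe"},
    {"time": "2024-01-15T10:00:00", "id": UNLOCK, "user": "admin"},
    {"time": "2024-01-15T10:01:00", "id": PROC_CREATE, "user": "admin",
     "image": "winword.exe", "parent": "hotkeyd.exe"},
]


def launches_while_locked(events, ignored_parents=frozenset()):
    """Return process creations that happened while that user's session was locked.

    ignored_parents: lower-case parent image names known to start programs
    legitimately during a lock (for example a task scheduler).
    """
    locked_since = {}  # user -> time of the lock that is still in effect
    findings = []
    for ev in sorted(events, key=lambda e: datetime.fromisoformat(e["time"])):
        user = ev["user"]
        if ev["id"] == LOCK:
            locked_since.setdefault(user, ev["time"])
        elif ev["id"] == UNLOCK:
            locked_since.pop(user, None)
        elif ev["id"] == PROC_CREATE and user in locked_since:
            if ev["parent"].lower() not in ignored_parents:
                findings.append({**ev, "locked_since": locked_since[user]})
    return findings


if __name__ == "__main__":
    for hit in launches_while_locked(EVENTS):
        print(f'{hit["time"]} {hit["user"]}: {hit["parent"]} -> {hit["image"]} '
              f'(locked since {hit["locked_since"]})')
```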

