[NT] Hot Key Permissions Bypass under Windows XP

From: support@securiteam.com
Date: 12/22/01


From: support@securiteam.com
To: list@securiteam.com
Date: Sat, 22 Dec 2001 08:09:48 +0100 (CET)

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

  Hot Key Permissions Bypass under Windows XP
------------------------------------------------------------------------

SUMMARY

"Hot keys" allow non-administrative users to execute Administrator-owned
applications that are not usually accessible to them.

DETAILS

Hot keys are specially created buttons (or key combinations) that launch
particular programs such as an Internet browser or word processor. Many
newer keyboards and laptops feature them.

When XP is initially booted, all hot keys are disabled until actual
authentication of the administrator or any other account. Once logged in,
hot keys are then enabled for use, usually by the initialization of a
program in the background that assigns these hot keys.

In some cases, such as after a period of idleness, XP will return to the
login screen for security purposes. This requires users to
re-authenticate to get back to their current session, whether password
protected or not.

At this point, without logging in, and as long as the user session is
still alive, any local user has the ability to start any program assigned
to the hot key.

This leads to a host of situations where the results could range from a
mere annoyance (dozens of browsers open) to actual exploitation.
Local users could execute a known vulnerable application (such as some
sort of daemon) and exploit it remotely, as it is running under
administrative privileges. That is, of course, if a daemon is actually
assigned to the hot key.

There are limitations in this situation, though. Hot keys are disabled once
a user is logged in with an account other than the first/administrative
one. In addition, to our knowledge so far, there is no way to get the
program to execute and be available on any desktop besides that of the
running account/administrator.

Fixes:
 - Disable hot keys.

ADDITIONAL INFORMATION

The information has been provided by Charles Chear
<charles.chear@tpgn.net>.
