Monday, 16 May 2011

Unlocking the Windows Station

Ever wondered why you shouldn't leave your computer with your session open while the screen is locked?
This hazard spans several OS domains if you consider the various types of attacks available out there.
This one in particular is focused on Windows, so if you're a Windows fan, keep reading.
As far as I remember, at least since XP, this approach has been possible, although not widely publicized. The "attack" consists simply of injecting code into a privileged, cross-session Winlogon process that is keeping the desktop hidden. For this we need two things: remote or local access to the machine (although local access should be locked :)), and a privileged token, so we can cross session boundaries.
So, if we already own the machine, why do I call it an "attack"? Instead of forcing my way into the user's locked session, I could just patch the machine's code and collect every piece of information I'd need, like passwords, etc.
Well, that's true, but consider the amount of noise you'd make, the forensic trails you'd leave, and your physical location. If, for example, the machine is locked out of the network, your only chance might be a local USB or FireWire attack, grabbing immediate access to an open domain session. If you're lucky, it could be the domain admin's.
Besides, it's much funnier to see CEOs' faces when their sessions are wide open.
Why is it a hazard? Because everything becomes available to the intruder: private cache, private certificates, protected storage passwords, EFS files, etc. Not a pretty sight.

The tool is available here:
To set things up, you should remotely access the machine with administrative rights, copy unlockcon.exe to a folder, select the appropriate Win7 OS type (RTM or SP1), and copy newdll.dll to the same location as unlockcon.exe.
Now all you need to do is run it and watch it do its magic.

If you don't have two computers, then try this: create a batch file called unlock.bat and add the following commands to it:

timeout /t 30

Run the .bat and lock the desktop. Wait 30 seconds and voilà...

A nice trick to play on your friends.

How does it work?
Since Windows 7, Winlogon is a state machine that keeps track of its interaction with the user; this state is recorded in an exported symbol, xGlobalContext. When following the winstation unlocking process, it ends in WluiReleaseUI, which is the crucial part of the process that unlocks the screen. See also WlAccessibilitySwitchDesktop and WluiAbort.

One final note: this tool doesn't reset the Winlogon state machine. So you won't be able to lock the desktop back to its original look and feel. Instead, you can do it manually by going to the Start menu and, under the shutdown button, clicking 'Switch user'. (Hint for a reverser who wants to code their own fully functional tool.)

Hope you liked it.

Next post will be about session stealing, remote and local.

2 comments:

Rodion Rodionov said...

Great tool, but now the link gives an error.

Could you please update link?

T2 em Santa Luzia said...

Sorry for that. The link is now updated.