Anyone here tried this Vista system-level hack?

Alex Ethridge
Member with 8,513 posts.
THREAD STARTER
Join Date: Apr 2000
Location: Birmingham, Alabama USA
Experience: 15 years of just doing it
11-Sep-2008, 03:19 AM #1
http://www.offensive-security.com/mo...vistahack.html

If you've tried it, what was your result?

When I try it, Utilman.exe is resisting the mv command with a "read-only file system error".

davehc
Trusted Advisor with 1,597 posts.
Join Date: Oct 2006
Experience: Advanced
11-Sep-2008, 08:41 AM #2
Is this spam? As far as I know, utilman opens the Ease of Access Centre?

Alex Ethridge
Member with 8,513 posts.
THREAD STARTER
Join Date: Apr 2000
Location: Birmingham, Alabama USA
Experience: 15 years of just doing it
11-Sep-2008, 11:41 AM #3
Quote:
Is this spam?
I think you can look at the accumulated posts and the join date and tell that isn't likely.
Quote:
utilman opens the ease of access centre
That's correct; but, it is also a vulnerability in Vista. It actually gives you System Level access to the Vista system.

As a Windows troubleshooter who has furnished on-site service and support for businesses and residences for fourteen years, I would find system-level access a valuable asset. They may fix it one day; but, for now, they are sure caught with their pants down on this one because there is absolutely no reason Utilman needs this much power.

davehc
Trusted Advisor with 1,597 posts.
Join Date: Oct 2006
Experience: Advanced
11-Sep-2008, 11:48 AM #4
Sorry. Not sure what you mean.
I am not too familiar with in-depth command prompts, but all I could see was that the operator was already on someone's computer and accessed the system32 folder. ??

Last edited by davehc; 11-Sep-2008 at 12:26 PM..

Alex Ethridge
Member with 8,513 posts.
THREAD STARTER
Join Date: Apr 2000
Location: Birmingham, Alabama USA
Experience: 15 years of just doing it
11-Sep-2008, 05:33 PM #5
Thanks for your interest.

I found what I needed over at the Linux for Newbies forum. I downloaded a Linux Live Slax, burned it to CD and it did the trick. It's a free program and has a Windows Explorer-like interface that makes it easy to browse files and folders and to delete, copy and move files that Windows would otherwise prevent.

Orumph
Senior Member with 251 posts.
Join Date: Jun 2007
11-Sep-2008, 05:39 PM #6
But, from everything I am reading, in order for this to even work, the system will have to already be compromised or the attacker will need physical access to the PC.

There are easier ways than this to compromise a PC when you have physical access to it. Hell, Puppy Linux or Damn Small Linux will boot very quickly and you have complete unrestricted access to all the files, for the most part I do believe. Because Linux ignores NTFS security, I do believe.

So, while this is a cool exploit, I would not call it extremely dangerous.
Again, someone will need physical access to the system or the system will have to already be compromised to take advantage of this.

In which case you're screwed anyway, so it's a moot point.

Alex Ethridge
Member with 8,513 posts.
THREAD STARTER
Join Date: Apr 2000
Location: Birmingham, Alabama USA
Experience: 15 years of just doing it
11-Sep-2008, 07:54 PM #7
Quote:
Because Linux ignores NTFS security
Well, there is at least one version of Linux that will not let you change names, copy, or delete system files and folders: BackTrack. The video I linked to above is a nice demonstration; but, it was obviously made on a non-NTFS system.

If you are working with a NTFS on a Windows system then you need ntfs-3g loaded before you can change the files. My failed attempt to rename Utilman from BackTrack supports my belief that BackTrack (and Linux in general) needs ntfs-3g loaded before you can do more than just view files on NTFS.

As for "compromising" a system, I'm not trying to compromise. I'm wanting a back door into the file system so I can manipulate things and delete malware-related files and folders.

Malware writers will, at some point, compromise systems. Utilman is just an unnecessary vulnerability waiting for some criminal to exploit it.

TechB
Senior Member with 446 posts.
Join Date: Jul 2006
Location: Squamish, BC, Canada
Experience: Advanced
11-Sep-2008, 09:36 PM #8
If you have physical access it's pretty easy to compromise any OS. You could do the same thing to a Linux or Mac computer by changing some crucial system files while the OS is offline.

Squashman
Trusted Advisor with 19,645 posts.
Join Date: Apr 2003
Location: 1265 Lombardi Ave
11-Sep-2008, 10:45 PM #9
Like everyone else has said, I don't see this as anything new. You have physical access and you can own any machine in a matter of minutes.

Elvandil
Moderator with 51,993 posts.
Join Date: Aug 2003
Location: Vermont
Experience: "Been through the mill."
11-Sep-2008, 11:08 PM #10
Though that method works, just as in XP, there are easier ways to get System privileges. Though the XP versions don't work in Vista, some apps, like "SysRun" and the "PowrRun" that comes with the installation of the PowrClik suite of utilities (I installed it and then removed all the other components so it wouldn't nag for registration), will both give you system privileges in a running Vista system without any hacks. In XP, the gtools suite has a very effective and easy "root" access command line.

These apps open in the Interactive Services window, but a command like "sysrun.exe regedit.exe" will open regedit in the IS window with System privileges and access to all keys. It's pretty useful if you happened to be working on something that gives you a lot of "Access Denied" errors. You won't see any with system privileges.
Microsoft MVP

Orumph
Senior Member with 251 posts.
Join Date: Jun 2007
12-Sep-2008, 08:43 AM #11
Listen..... Make a Puppy Linux disk and you can own any Windows box, regardless of permissions on the box. Still you need physical access to it. I do it all the time in my line of work. So, the exploit above in reality is a waste of time when you can boot Puppy or even BartPE (better) and delete/move/copy/rename what you want without restrictions, without having to try and get into the system account. In fact, with the right plugin for Bart, you can even create an admin account if profiles on that box are corrupt and you can't log in. Useful for XP Home boxes. It's quicker in the long run and all files are unlocked. As you can see in the video, the guy first boots a Linux live disk, or he is dual booting, renames the files, and then restarts the system, so he is already in the system manipulating files; he should have no problem copying/moving/deleting/adding whatever he wants to a flash drive or external drive much quicker than hacking a single file, rebooting, gaining access and doing what he wants.

In my opinion, other than using it to allow a keylogger to steal your login password from the ctrl-alt-delete login screen (from a post I saw somewhere else, and which is also a pain and requires physical access to the box) there is no point to the exploit.

Alex Ethridge
Member with 8,513 posts.
THREAD STARTER
Join Date: Apr 2000
Location: Birmingham, Alabama USA
Experience: 15 years of just doing it
12-Sep-2008, 10:43 AM #12
It seems this thread has been diverted from my original purpose of gaining a back-door access to NTFS for administrative purposes into a debate about vulnerability.

There was a time when Microsoft and other developers said a virus could not be put into a MSWord macro. That information became public in the industry and so the virus writers said to themselves that they would take that challenge. A few weeks later, macro viruses started showing up all over the globe.

So, it's just a matter of time before someone takes advantage of a door that is an unnecessary vulnerability and develops a remote capability.

I still say Utilman has far more power than it needs to do its intended job and is due only to sloppy programming.

As for BackTrack and that video, either he didn't do that video on NTFS (probably FAT32) or he didn't use the same BackTrack ISO I downloaded because that live CD does not contain ntfs-3g, which is needed if you want to do more than just view the file system.

So, I take issue with 'just any version of Linux' being capable of giving me the access I need.

Orumph
Senior Member with 251 posts.
Join Date: Jun 2007
12-Sep-2008, 11:09 AM #13
Quote:
So, I take issue with 'just any version of Linux' being capable of giving me the access I need.
Really? Go get Puppy then come talk to me.
But better is BartPE. Especially if you are just looking for an easy way to create an account with admin access to logon to windows with.

Quote:
I still say Utilman has far more power than it needs to do its intended job and is due only to sloppy programming.
Yes, I totally agree.

Also, the other problem with using the Utilman exploit is, what if you forget to change it back? You are leaving the system vulnerable to anyone who hits the Win+U key on that system.

Alex Ethridge
Member with 8,513 posts.
THREAD STARTER
Join Date: Apr 2000
Location: Birmingham, Alabama USA
Experience: 15 years of just doing it
12-Sep-2008, 11:25 AM #14
Quote:
Go get Puppy then come talk to me.
Using Puppy Linux will not prove to me that every version of Linux will do this job. All I have to find is one version of Linux that will not to prove the point.

Download BackTrack Live. Try it on NTFS. Try to rename a file. It will fail. That Linux Live from BackTrack does not have NTFS-3g loaded and you cannot manipulate NTFS from Linux without that component loaded.

Orumph
Senior Member with 251 posts.
Join Date: Jun 2007
12-Sep-2008, 12:35 PM #15
Ok, I'll give you that of the 150+ versions of Linux out there, not all of them will allow you to manipulate the NTFS partition.

That is why I prefer Puppy and BartPE to accomplish my tasks.

By the way, I did successfully initiate this exploit using BartPE. And of all the things I tried, the only two things I could access were the command prompt and the Computer Management Console.

Again, BartPE will accomplish this task much better and quicker than this exploit, therefore I find it (personally speaking) pointless.

Especially in regard to this: if you forget to change the Utilman.exe back, and once you take ownership of it, it is very difficult, if not impossible, to change the ownership back to what it is supposed to be, leaving the Admin group with full access over it by default. Which may or may not be a problem, but still, it is changed.
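Added example, not code from this thread or from the linked offensive-security.com page: a PowerShell check a technician can run afterwards to confirm that Utilman.exe is still the stock binary, covering both the forgot-to-change-it-back worry in post #13 and the changed-ownership worry in post #15. It assumes PowerShell 3 or later, an elevated session and a stock %SystemRoot%\System32 layout; the function name and the field names are mine, Utilman.exe and TrustedInstaller are Windows' own.

```powershell
# Added defender-side check (not from the thread). Assumes PowerShell 3+, an
# elevated session and a stock %SystemRoot%\System32\Utilman.exe.
function Test-UtilmanIntegrity {
    param(
        # File the thread is about; any other path can be passed instead.
        [string]$Path = (Join-Path $env:SystemRoot 'System32\Utilman.exe'),
        # Name the stock binary carries in its version resource.
        [string]$ExpectedOriginalName = 'utilman.exe'
    )

    $r = [ordered]@{ Path = $Path; Exists = (Test-Path -LiteralPath $Path) }
    if (-not $r.Exists) { return [pscustomobject]$r }

    # A copy of cmd.exe renamed to Utilman.exe is still a Microsoft-signed
    # file, so signature status alone does not catch the swap. The version
    # resource's OriginalFilename does: a renamed cmd.exe still says Cmd.Exe.
    $info = (Get-Item -LiteralPath $Path).VersionInfo
    $r.OriginalFilename = $info.OriginalFilename
    $r.FileDescription  = $info.FileDescription

    # Signature is reported for the record; old PowerShell builds can show
    # NotSigned for catalog-signed system files, so it is not the decider.
    $sig = Get-AuthenticodeSignature -FilePath $Path
    $r.SignatureStatus = $sig.Status
    $r.Signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }

    # Post #15: taking ownership is hard to undo. The stock file is owned by
    # NT SERVICE\TrustedInstaller, so any other owner is a tell by itself.
    $r.Owner = (Get-Acl -LiteralPath $Path).Owner

    # SHA-256 via .NET so there is no dependency on Get-FileHash (PowerShell 4+);
    # compare it against a known-good copy from installation media.
    $sha   = [System.Security.Cryptography.SHA256]::Create()
    $bytes = [System.IO.File]::ReadAllBytes($Path)
    $r.SHA256 = ([System.BitConverter]::ToString($sha.ComputeHash($bytes))) -replace '-', ''

    # -ne is case-insensitive in PowerShell, so "Utilman.exe" equals "utilman.exe".
    $r.Suspicious = ($r.OriginalFilename -ne $ExpectedOriginalName) -or
                    ($r.Owner -notmatch 'TrustedInstaller')
    [pscustomobject]$r
}

Test-UtilmanIntegrity | Format-List
```

On a machine where the swap was left in place, OriginalFilename reads Cmd.Exe and Owner is no longer TrustedInstaller, so Suspicious comes back True; restoring the original file from installation media and resetting the owner clears both.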