

Limp Bizkit? Seriously?
August 1, 2006 5:23 PM   Subscribe

Compromise any Windows XP machine (that you have physical access to) with one single line of code. Even if you're logged on as guest, this cmd line text will upgrade your account to root level on the fly, after which time you can do anything you wish to the machine (even reformat the drive & install linux!). ACHTUNG: Link goes to video that, for inexplicable reasons, has Limp Bizkit for the soundtrack.
posted by jonson (44 comments total) 2 users marked this as a favorite

OMG! If you run this SkriPt johnson will totally enter your backdoor!
posted by BrodieShadeTree at 5:35 PM on August 1, 2006 [1 favorite]


lol
posted by keswick at 5:35 PM on August 1, 2006


Quite sick.

The soundtrack, that is. The trick, notsomuch (but handy!)
posted by disclaimer at 5:38 PM on August 1, 2006


Windows has security?
posted by muppetboy at 5:38 PM on August 1, 2006


Like Courtney Love has virginity.
posted by ryoshu at 5:39 PM on August 1, 2006


Windows has security?

That's: Security(TM).
posted by IronLizard at 5:39 PM on August 1, 2006


I kept waiting for the ghost face to appear on the screen.
posted by Krrrlson at 5:42 PM on August 1, 2006


A mutha fuckin chainsaw! – WHAT?

In all seriousness, does anyone know how recently this flaw was discovered? I imagine MS would consider something like this 'critical'.
posted by patr1ck at 5:43 PM on August 1, 2006


Surely this... oh, wrong thread.
posted by fleetmouse at 5:46 PM on August 1, 2006


Ironically, this is the thing that will destroy the Bush administration.
posted by Astro Zombie at 5:51 PM on August 1, 2006 [2 favorites]


Physical access equals r00t. News at 11.

Though props, bouncing off the task scheduler like that is pretty funny.
posted by effugas at 5:51 PM on August 1, 2006


effugas, physical access doesn't equal root in my office; every user's access to change settings on their computer is controlled by the domain server, as is their access to network shares.
posted by jonson at 5:54 PM on August 1, 2006


fading text animation + soundtrack = crazy delicious

That scientology YTMND must be the new benchmark by which all information is presented.
posted by chrissyboy at 5:57 PM on August 1, 2006


All jokes about the soundtrack aside, this is obviously a piece of legitimate security research. I mean, come on, look at the matrix code intro.
posted by mmcg at 5:57 PM on August 1, 2006


someone at redmond is crying...shush...can you hear them?
posted by lslelel at 5:59 PM on August 1, 2006 [1 favorite]


it can't be that serious, it was posted on an msdn blog as a feature not too long ago:

http://blogs.msdn.com/adioltean/articles/271063.aspx
posted by empath at 6:02 PM on August 1, 2006


The key thing wrong with this demonstration is that the "at" command requires the user to be an Administrator. This will not work for a User or Guest account, as the video states.

http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/ntcmds.mspx?mfr=true

Using at

To use at, you must be a member of the local Administrators group.


I just tried it as a Guest on an XP SP2 machine, and got Access Denied.
posted by Diddly at 6:04 PM on August 1, 2006


Apparently, you can't run 'at' unless you are already an administrator.
posted by empath at 6:05 PM on August 1, 2006


Why does this even require physical access? Seems like using the at scheduler wouldn't be restricted to the local user, but I can't verify that right now.

But, seriously, this is ludicrous. For those not wanting to sit through the video:

1. Open a command prompt. Use the at command to schedule a new execution of the command prompt sometime in the future, for instance, in a minute.

2. Wait for the scheduler to spawn a new command prompt. From the new command prompt, start c:\windows\explorer.exe (after killing the original explorer.exe with task manager).
posted by odinsdream at 6:07 PM on August 1, 2006


Also, you don't need admin rights to install linux on a windows box. You don't even need to log in. Just wipe the HD with the linux install cd.
posted by empath at 6:07 PM on August 1, 2006


Embarrassing this was posted. If you think this demonstrates any sort of 'security' breach then you know jack about security.
posted by Osmanthus at 6:22 PM on August 1, 2006


Anyone who's ever had to do NT service development has seen this trick. In fact, Microsoft has a KB article, Q152460, that dates back to NT 3.5 describing it.

effugas: you don't need physical access to do this. Terminal services would allow it, for example.

jonson: creating a group policy is no guarantee against users changing settings. For example, you can get LocalSystem and kick the machine off the domain, using direct authentication instead of SSA to get tokens for network access. You can also set a local security policy which overrides the domain policy.
posted by thalakan at 6:38 PM on August 1, 2006


Osmanthus: if it's so "embarrassing" then write a succinct explanation as to why this is the case (or a good link is even better)?

Your unsupported word is even less impressive than the posting, which at least contains a video <grin>. A link or explanation of your reasoning will clear everything up.
posted by lupus_yonderboy at 6:53 PM on August 1, 2006


I kept waiting for the ghost face to appear on the screen.

ghost .. face .. killaaaaaaaaaaaa
posted by sergeant sandwich at 6:57 PM on August 1, 2006 [2 favorites]


Lupus: the reasons have already been covered in previous comments, but I will reiterate and even give you a link.

In order to run the AT command in the first place, you must have local administrator rights. Thus, there is no privilege escalation.

The AT command does change the user name however because it is specifically designed to run services when the user is not logged in! So this behavior is by design.

Finally, physical access to the machine grants the user the ability to do just about anything, including replacing the hard drive or just outright stealing it.
posted by Osmanthus at 7:14 PM on August 1, 2006


"A security researcher with expertise in rootkits has built a working prototype of new technology that is capable of creating malware that remains "100 percent undetectable," even on Windows Vista x64 systems.

Joanna Rutkowska, a stealth malware researcher at Singapore-based IT security firm COSEINC, says the new Blue Pill concept uses AMD's SVM/Pacifica virtualization technology to create an ultra-thin hypervisor that takes complete control of the underlying operating system.

Rutkowska plans to discuss the idea and demonstrate a working prototype for Windows Vista x64 at the SyScan Conference in Singapore on July 21 and at the Black Hat Briefings in Las Vegas on Aug. 3." via

"The idea behind Blue Pill is simple: your operating system swallows the Blue Pill and it awakes inside the Matrix controlled by the ultra thin Blue Pill hypervisor. This all happens on-the-fly (i.e. without restarting the system) and there is no performance penalty and all the devices, like graphics card, are fully accessible to the operating system, which is now executing inside virtual machine. This is all possible thanks to the latest virtualization technology from AMD called SVM/Pacifica.

I would like to make it clear, that the Blue Pill technology does not rely on any bug of the underlying operating system. I have implemented a working prototype for Vista x64, but I see no reasons why it should not be possible to port it to other operating systems, like Linux or BSD which can be run on x64 platform"...Joanna's blog
posted by sluglicker at 7:19 PM on August 1, 2006


I had an ultra-thin hypervisor once, but I think her pills were red.
posted by j-dub at 7:34 PM on August 1, 2006


It doesn't work:

[screenshot, hosted on ImageShack]
posted by bigmusic at 7:38 PM on August 1, 2006


your operating system swallows the Blue Pill

So we're safe until our OSes develop esophagi.
posted by MikeKD at 7:47 PM on August 1, 2006


This is another example of people who don't have a clue trying to act like they have one, in an effort to sucker others into thinking they will finally have a clue.

Translation: Your brain just got hacked.
posted by cellphone at 7:58 PM on August 1, 2006


Daaaamn sluglicker that's some interesting stuff. I wish I was going to BlackHat this year, looks like some killer presentations. I think they're doing the driver-level wifi exploit there too.

Also, not a stellar FPP. Sorry but this isn't A) news B) particularly interesting as an exploit or C) useful.
posted by Skorgu at 8:19 PM on August 1, 2006


Yeah, I agree, I was gullible & posted this without testing it first. Flagged!
posted by jonson at 8:47 PM on August 1, 2006


This is old. I've been using this technique for years (at least since 1998) to spawn a local System account session to "stuck" processes that a local Administrator can't kill. It's saved me more than one reboot of a production server over the years.
posted by deadmessenger at 9:29 PM on August 1, 2006


C:\Documents and Settings\Talez>at 12:31 /interactive "cmd.exe"
The service has not been started.

Hmmm... so if I've turned off the Task Scheduler because I really don't need to run a defrag at 4am on a Tuesday it doesn't work. That's a pretty crappy privs escalation.
posted by Talez at 9:33 PM on August 1, 2006
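As an added audit script (not from the thread, the video, or Microsoft), this checks the two preconditions that odinsdream's steps, Osmanthus's explanation and Talez's output together identify for the `at /interactive` trick: the caller must already be a local Administrator, and the Task Scheduler service (service name `Schedule`) must be running. It assumes Windows PowerShell is installed on the host, which XP itself did not ship with.

```powershell
# Added example: audit whether the "at /interactive" trick is even reachable
# from the current account. Not part of the original thread.

# 1. Is the current token a member of the local Administrators group?
#    (Osmanthus: at.exe refuses to run otherwise, so there is no escalation.)
#    Note: on Vista and later with UAC, this reflects the *elevated* state of
#    the current process, not just group membership.
$identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object System.Security.Principal.WindowsPrincipal($identity)
$isAdmin   = $principal.IsInRole(
    [System.Security.Principal.WindowsBuiltInRole]::Administrator)

# 2. Is the Task Scheduler service running?
#    (Talez: with it stopped, at.exe reports "The service has not been started.")
$svc = Get-Service -Name Schedule -ErrorAction SilentlyContinue
$schedRunning = ($svc -ne $null) -and ($svc.Status -eq 'Running')

Write-Host ("User:                    {0}" -f $identity.Name)
Write-Host ("Local Administrator:     {0}" -f $isAdmin)
Write-Host ("Task Scheduler running:  {0}" -f $schedRunning)

if (-not $isAdmin) {
    Write-Host "at.exe will return 'Access is denied'; nothing to escalate from here."
} elseif (-not $schedRunning) {
    Write-Host "at.exe will report 'The service has not been started.'"
} else {
    Write-Host "Account is already Administrator: a SYSTEM shell via at is by design, not a breach."
}

# Defender's follow-up: the real control is keeping day-to-day accounts out of
# this group. List its members so unexpected ones can be removed.
net localgroup Administrators
```

Run it from the account you are worried about; if the first check prints False, the rest of the thread's trick is moot for that user.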


Did you know that the word "gullible" does not appear in any standard English dictionary?
posted by RichAromas at 9:46 PM on August 1, 2006 [1 favorite]


I know! It doesn't! That's so freaky!
posted by Talez at 10:09 PM on August 1, 2006


This is so not new, nor is it a real exploit. Everything is working as designed - any system that lets non-administrators use the "at" command is broken. And "administrator" is the equivalent of root on windows - it can do anything. If you want to kill SYSTEM processes just use Process Explorer from sysinternals. No stupid "at" scheduler needed.

Here's a blog post from 2004 documenting several ways to do this. You could have just linked to this or the countless other places where this is explained instead of this retarded limp bizkit wankery.
posted by Rhomboid at 10:59 PM on August 1, 2006


And now of course I notice that the above URL has already been pointed out (but not linked, grr.)
posted by Rhomboid at 11:02 PM on August 1, 2006


Where's part where you notice that I realize my mistake & apologized several hours ago?
posted by jonson at 11:26 PM on August 1, 2006


Rhomboid: No, only the Windows implementation of 'at' is broken. Many other systems can safely allow *any* user to use at(1), with no more risk of privilege escalation than standard shell access. (perhaps less risk, because 'at' is a very small, well audited utility)

Windows was simply built as a single-user desktop OS, where convenience took precedence over security, by design. And despite modern efforts (largely successful) to fix that, the original negligence still shows through without careful configuration.
posted by zeypher at 11:43 PM on August 1, 2006


Zeypher beat me to it. I actually have run into this before, and it is one of those things that's like a big neon sign flashing "BAD DESIGN." There is just no logical reason whatsoever that non-Admin users shouldn't be able to schedule commands. My solution was the same solution that I'm sure 99% of other users came up with -- escalate the user to Admin status. And boom, the "not a real security breach" is, in fact, a real security breach.
posted by bjrubble at 1:05 AM on August 2, 2006


Rhomboid's an angry, angry boy.
Still, I didn't know about this; can't say I'll never need to use it; but by gum if I do it'll be because of you, jonson.
posted by NinjaTadpole at 1:49 AM on August 2, 2006


It works. You just have to *believe*.
posted by the ghost of Ken Lay at 9:30 AM on August 2, 2006


There is always a way to exploit a machine to gain root access if you have physical access. That's why physical security should be your top concern... don't let untrusted people near your machine.
posted by triolus at 10:31 AM on August 2, 2006

