Re: [Full-disclosure] Abusing Windows 7 Recovery Process
- To: sec <sec@xxxxxxxxxxxxx>
- Subject: Re: [Full-disclosure] Abusing Windows 7 Recovery Process
- From: Grandma Eubanks <tborland1@xxxxxxxxx>
- Date: Sat, 29 Jun 2013 12:09:04 -0500
"If you have non-administrator credentials that get you past the bootloader
or the entire boot process hasn't been made secure"
Aside from this, the scenario I've always seen:
1.) Home/regular user that doesn't know/care
2.) Paranoid user or company machine employing full disk encryption
However, I think this is still interesting. It's been a while since I've
played with Windows boxes and won't have access to one for a couple days,
but isn't this triggering off of vendor-supplied recovery partitions? Is this
a regular Windows 7 single-partition box you tried this on?
On Sat, Jun 29, 2013 at 11:54 AM, sec <sec@xxxxxxxxxxxxx> wrote:
> If you're not able to boot from another OS because the firmware is
> locked down, booting from removable media is disabled, and a software
> crypto product is installed, this is a handy way to bypass all that. If
> you have non-administrator credentials that get you past the bootloader
> or the entire boot process hasn't been made secure, this is an extremely
> trivial exploit requiring no special tools.
>
> I'm making the assumption that the software (or hardware?) crypto is
> correctly tied to that machine's TPM to prevent removing the disk and
> booting it on another machine.
>
> Depending on the exact configuration of the target machine, this would
> enable the retrieval of sensitive data assumed to be secure, or else
> insertion of a trusted machine with malicious payload into a secure
> environment.
>
> I can think of quite a few environments I've encountered where all of
> the above assumptions stand.
>
>
> On 2013-06-29 14:49:16 (+0200), Alex wrote:
> > Or just add an account to SAM file with local admin privs (while booting
> > from another OS). Nothing new or special imo.
> >
> > On 2013-06-28 19:46, Anastasios Monachos wrote:
> >
> >> Hi List;
> >>
> >> The following may be of interest:
> >> http://intelcomms.blogspot.com/2013/05/owning-windows-7-from-recovery-to-nt.html
> >> in particular to those performing physical attacks on Windows 7.
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/