Wednesday 07 January 2004

Bypassing Windows XP's Logon Screen

Dana Epp demonstrates how to bypass the Windows XP Logon Screen:

In Windows XP (well all recent Microsoft OSs actually) on boot up you are presented with a logon screen. After a default timeout (approximately 10 to 15 minutes) if there is no interaction with the mouse or keyboard the kernel executes the logon screensaver. Knowing this... it is possible to use this code execution path to gain elevated privileges if we can trick Windows into executing our code.

The way I did this is actually quite trivial. In my case, I simply booted into an environment that would let me access the filesystem directly (For this I use a slightly modified version of Knoppix-STD with NTFS write support) and simply tamper with the logon screensaver. In Windows XP, this file is located at %SYSTEMROOT%\System32\logon.scr. I replaced it with a copy of cmd.exe, and then synced the disk and unmounted it.

Once my "Trojan" was in place, I ejected my boot CD and rebooted the machine, and waited. XP booted up to its logon screen, waiting for me to enter my credentials. But I didn't. I just sat there, enjoying a Tim Horton's Cafe Mocha, documenting my procedures to this point. About 15 minutes later, with my indulgence in coffee satisfied and documentation completed, Windows XP launched my version of the logon screen saver, giving me a command prompt. But not just ANY command prompt. A command prompt with SYSTEM privileges. For those of you that do not know... consider SYSTEM the $DEITY of the machine... with higher privileges than even the Administrator. I'm in. Now, simply type "explorer" and watch the system come up.

I once used an ntfs boot disk I downloaded from to gain access to my PC (though this has limited options) but Dana's approach seems a better way to gain access and demonstrates that once you get physical access to a Windows PC, it is no longer secure... I am not sure of other platforms though.

I have no way of testing this, but I think that disabling the CD Drive either via Security Policies or via BIOS should help mitigate this kind of attack.