1

There is a very well known security flaw in Microsoft Windows: you simply boot a Linux OS from a flash drive, e.g. Kali Linux, and just replace the cmd file with the sethc file, and you can prompt cmd with administrator rights on the Windows lock screen by pressing the Shift key 5-6 times. And then you can easily update the passwords of current users and so on.

Now I have tested this on Windows XP, Vista, Windows 7, Windows 8 and Windows 8.1. I have not tested it on Windows 10 yet.

So why does Microsoft leave this flaw? Or is there any chance that they do not know about it?

Umair Afzal
  • 165
  • 8
  • 5
    In order to perform this, you need physical access to the machine. At that point, there are a lot more things you can do. The "fix" is simple - ensure your hard drive is encrypted at rest, which makes the file replacement impossible. – Matthew Nov 02 '16 at 10:24
  • 1
    Every operating system has this flaw. It's not fixable without physical security or encryption. – Volker Nov 02 '16 at 12:52
  • @Volker So what is the same behaviour in Linux? Can we access its file system through another Linux or something? – Umair Afzal Nov 02 '16 at 12:52
  • Microsoft have fixed this: use BitLocker – paj28 Nov 02 '16 at 12:58
  • 2
    @UmairAfzal: Yes, it's exactly the same. Boot from a Linux flash drive, mount the file system and do a `chmod +s /mnt/sdd/bin/bash`. Reboot and enjoy a Linux where bash has automatically root privileges. – Volker Nov 02 '16 at 13:09
  • http://superuser.com/questions/732605/how-to-prevent-the-sethc-exe-hack – dandavis Nov 02 '16 at 20:24
  • Reason for the downvote, please? – Umair Afzal Nov 03 '16 at 04:12
  • And I am not asking for solutions to this problem. The question was very clear: a company leaves a known flaw? – Umair Afzal Nov 03 '16 at 04:13

1 Answer

2

When the physical security of the computer is not ensured, there are probably dozens of different attack vectors. You can also remove the Administrator password to allow logon without a password, you can steal the NTLM hash from the registry hive and try to crack it with John the Ripper, and there are probably others I don't know about. These 2 things work up to Win7 without any problems.

The answer is simple: password-protect your BIOS and/or encrypt the hard disk.

kaidentity
  • 2,634
  • 13
  • 30
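A defender-side check for the specific tampering the question describes (sethc.exe swapped for cmd.exe), together with the mitigation the answer recommends (disk encryption), as an added PowerShell example that is not part of the original question or answer. It assumes Windows 8 or later with the BitLocker PowerShell module, run from an elevated prompt; the expected OriginalFilename value is an assumption about the genuine binary's version resource.

```powershell
# Added example, not from the original post: detect a replaced sethc.exe and
# confirm the system volume is encrypted at rest. Assumes Windows 8+, BitLocker
# module available, elevated session.
$sys32 = Join-Path $env:SystemRoot 'System32'
$sethc = Join-Path $sys32 'sethc.exe'
$cmd   = Join-Path $sys32 'cmd.exe'

# 1. A swapped binary is byte-identical to cmd.exe, so the hashes collide.
$sethcHash = (Get-FileHash -Algorithm SHA256 -Path $sethc).Hash
$cmdHash   = (Get-FileHash -Algorithm SHA256 -Path $cmd).Hash
if ($sethcHash -eq $cmdHash) {
    Write-Warning 'sethc.exe has the same SHA256 as cmd.exe: it has been replaced.'
}

# 2. The PE version resource of the genuine file names itself (assumed: sethc.exe).
$origName = (Get-Item $sethc).VersionInfo.OriginalFilename
if ($origName -ne 'sethc.exe') {
    Write-Warning "sethc.exe reports OriginalFilename '$origName' (expected sethc.exe)."
}

# 3. Microsoft's signature must still validate; system files are catalog-signed,
#    and Get-AuthenticodeSignature checks catalogs on Windows 8 and later.
$sig = Get-AuthenticodeSignature -FilePath $sethc
if ($sig.Status -ne 'Valid') {
    Write-Warning "sethc.exe signature status is '$($sig.Status)', not Valid."
}

# 4. The mitigation from the answer: without encryption at rest, an offline boot
#    can still overwrite the file, so report the BitLocker state of the system drive.
$vol = Get-BitLockerVolume -MountPoint $env:SystemDrive
if ($vol.ProtectionStatus -ne 'On') {
    Write-Warning "BitLocker protection is '$($vol.ProtectionStatus)' on $env:SystemDrive; offline file replacement remains possible."
} else {
    Write-Output "BitLocker protection is On for $env:SystemDrive."
}
```

Run it after any unexplained reboot of a machine that is left physically unattended; a hash match or a failed signature on sethc.exe is a direct indicator of the replacement described in the question.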