Open Source and information security mailing list archives
Message-ID: <CANtF8NAL3z4GfbyB2NhCLnHcbCU8ks8kEfvkG8fE9Xd8OEL_Zg@mail.gmail.com>
Date: Sat, 29 Jun 2013 12:09:04 -0500
From: Grandma Eubanks <tborland1@...il.com>
To: sec <sec@...tsploit.me>
Cc: Full-Disclosure mailing list <full-disclosure@...ts.grok.org.uk>
Subject: Re: Abusing Windows 7 Recovery Process

"If you have non-administrator credentials that get you past the bootloader
or the entire boot process hasn't been made secure"

Aside from this, the scenario I've always seen:
1.) Home/regular user that doesn't know/care
2.) Paranoid user or company machine employing full disk encryption

However, I think this is still interesting. It's been a while since I've
played with Windows boxes and won't have access to one for a couple days,
but isn't this triggering off of vendor supplied recovery partitions? This
is a regular Windows 7 sole partition box you tried this one?


On Sat, Jun 29, 2013 at 11:54 AM, sec <sec@...tsploit.me> wrote:

> If you're not able to boot from another OS because the firmware is
> locked down, booting from removable media is disabled, and a software
> crypto product is installed, this is a handy way to bypass all that. If
> you have non-administrator credentials that get you past the bootloader
> or the entire boot process hasn't been made secure, this is an extremely
> trivial exploit requiring no special tools.
>
> I'm making the assumption that the software (or hardware?) crypto is
> correctly tied to that machine's TPM to prevent removing the disk and
> booting it on another machine.
>
> Depending on the exact configuration of the target machine, this would
> enable the retrieval of sensitive data assumed to be secure, or else
> insertion of a trusted machine with malicious payload into a secure
> environment.
>
> I can think of quite a few environments I've encountered where all of
> the above assumptions stand.
>
>
> On 2013-06-29 14:49:16 (+0200), Alex wrote:
> > Or just add an account to SAM file with local admin privs (while booting
> from another OS). Nothing new or special imo.
> >
> > Am 2013-06-28 19:46, schrieb Anastasios Monachos:
> >
> >> Hi List;
> >>
> >> The following may be of interest:
> >> http://intelcomms.blogspot.com/2013/05/owning-windows-7-from-recovery-to-nt.html
> >> in particular to those performing physical attacks on Windows 7.
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>
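The scenario sec describes above rests on two host settings: whether the OS volume unlocks with no pre-boot secret (a TPM-only BitLocker protector, so any boot path the firmware permits reaches the decrypted volume) and whether the Windows Recovery Environment is reachable at all. The following audit script is an added example and is not code from this thread or from the linked blog post. It assumes Windows 7 or later, an elevated PowerShell prompt, and English-language output from manage-bde.exe and reagentc.exe, since it parses that output with regular expressions.

```powershell
<#
  Added audit example (not from the thread or the blog post).
  Reports the two settings the recovery-bypass scenario depends on:
    1. the BitLocker key protector types on the OS volume, to tell a
       TPM-only protector apart from TPM plus PIN / startup key, and
    2. whether the Windows Recovery Environment (WinRE) is enabled.
  Assumptions: Windows 7 or later, elevated prompt, English-language
  manage-bde.exe and reagentc.exe output (the regexes key on it).
#>
param([string]$OsDrive = $env:SystemDrive)

function Get-BitLockerProtectorTypes {
    param([string]$Drive)
    # manage-bde lists each protector under a heading line of its own,
    # e.g. "    TPM:", "    TPM And PIN:", "    Numerical Password:".
    $text = (& manage-bde.exe -protectors -get $Drive 2>&1) -join "`n"
    $types = @()
    foreach ($line in ($text -split "`n")) {
        if ($line -match '^\s*(TPM(?: And PIN)?(?: And Startup Key)?|Numerical Password|External Key):\s*$') {
            $types += $Matches[1]
        }
    }
    return $types
}

function Get-WinREStatus {
    # reagentc /info prints a line such as "Windows RE status: Enabled".
    $text = (& reagentc.exe /info 2>&1) -join "`n"
    if ($text -match 'Windows RE status:\s*(\w+)') { return $Matches[1] }
    return 'Unknown'
}

$protectors = Get-BitLockerProtectorTypes -Drive $OsDrive
$winre      = Get-WinREStatus

if ($protectors) {
    Write-Host "OS volume $OsDrive key protectors: $($protectors -join ', ')"
} else {
    Write-Host "OS volume $OsDrive key protectors: none found"
}
Write-Host "Windows RE status: $winre"

# TPM-only means a bare "TPM" protector with no "TPM And ..." variant.
$tpmOnly = ($protectors -contains 'TPM') -and
           -not ($protectors | Where-Object { $_ -like 'TPM And*' })

if (-not $protectors) {
    Write-Warning "No BitLocker protectors: anyone who can boot the machine can read or modify the disk."
} elseif ($tpmOnly) {
    Write-Warning "TPM-only protector: the volume unlocks with no pre-boot secret, so every boot path the firmware allows (recovery included) reaches it."
} else {
    Write-Host "Pre-boot authentication is present (TPM plus PIN or startup key)."
}
if ($winre -eq 'Enabled') {
    Write-Host "WinRE is enabled; if it is not needed, 'reagentc /disable' removes that boot path."
}
```

Run it as `.\Audit-RecoveryExposure.ps1` (any file name works) or pass `-OsDrive D:` for a non-default system volume. A TPM-plus-PIN protector is the setting that stops the "non-administrator credentials get you past the bootloader" case in the quoted message, because the PIN is demanded before the volume unlocks rather than after Windows, or its recovery environment, is already running.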

