spencerturbine asked:

What has fixed sticky keys vulnerability?

Oddly enough, I am having some trouble tracking down what specific patch on a Windows XP Pro box is actively protecting sethc.exe.

I am not sure if it's SP3 or an individual security update. Maybe it's our Trend Micro that's protecting that file.

Does anyone know what specific patch from Microsoft addressed this vulnerability, and can point me to exactly where I can read about that?

Just for additional information: when I am logged onto the machine and rename sethc.exe to sethc_old.exe, a new one is created within seconds. This is obviously a protection against this type of attack.

Tags: OS Security, Vulnerabilities

Last comment: spencerturbine, 8/22/2022 (Mon)
ASKER CERTIFIED SOLUTION
Toni Uranjek

spencerturbine

ASKER
That's good information, but I am hoping to get to the specific info on what actually added sethc.exe to SFC (if that's in fact what is happening).

Also, as a side note: if you modify this file outside of Windows (access the drive while booted to a live Linux CD) and then boot back to Windows, sethc.exe is NOT changed back to the original. I would have thought, if it was SFC watching it, that it would have detected that the file was not the original and replaced it.
Toni Uranjek

Hi!

I've checked my unpatched XP machine (no SP). "sethc.exe" was always under WFP. Apparently all .exe, .ocx and .dll files from the XP CD are automatically under protection, according to: http://www.microsoft.com/whdc/archive/wfp.mspx#E3F

At the moment I cannot boot the unpatched computer into another operating system. Of course, if I were able to, if I had physical access to the computer, I wouldn't be interested in this particular file. I would simply reset the local administrator's password.

Toni
spencerturbine

ASKER
Yes, but that type of attack leaves a trail. With the sethc.exe attack you can leave it in place, and it's hard to detect. Most importantly, hitting the shift key 5 times works when you RDP to the machine.

So all you need is physical access to the machine one time, and you can leave this in place, using it whenever you want (provided RDP is enabled and the IP is reachable from your location).

I have a patched XP box and sethc.exe is NOT in the dllcache directory.
Toni Uranjek

If you remove a protected file from the "dllcache" folder, then editing or replacing it in the "system32" folder will not trigger replacement until you run "sfc /scannow". Unfortunately I won't be able to access another XP computer today, but I'm pretty sure that this particular file has been under protection from the day XP was released.

Tolomir

spencerturbine

ASKER
toniur:

I will check a few more machines and see what I find.

Tolomir:

Thanks for that information (useful, no doubt, but not quite an answer to this particular question).

Tolomir

Well, I had some problems working out what particular vulnerability you are referring to. I found a cmd replacement of that file to get into a computer by pressing shift 5 times.
But to do that, one first has to replace the file you've mentioned with cmd.
Toni Uranjek

I've checked a couple of XP machines. They all have "sethc.exe" in the "dllcache" folder. If your machine doesn't, is it possible that your procedure, while the computer's disk was accessed by another operating system, also deleted the file from "dllcache"?

To prevent users who have physical access to the computer and free access to the BIOS settings (to change the boot device order) from taking advantage of this backdoor remotely (by RDP), try using 2xSecure RDP.
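A defender-side check for Toni's point about the dllcache copy and "sfc /scannow", added here as an example and not something posted in the thread: it compares System32\sethc.exe with the WFP cache copy and looks at the file's version resource, because a cmd.exe renamed to sethc.exe (the replacement Tolomir describes) keeps cmd's own OriginalFilename. It assumes PowerShell 2.0, the newest that runs on XP, so it avoids Get-FileHash; the paths are the standard XP locations named in the thread.

```powershell
# Added example (not from the thread): is System32\sethc.exe still the file
# Windows File Protection expects, and can WFP restore it if not?
function Get-Sha256Hex([string]$Path) {
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $stream = [System.IO.File]::OpenRead($Path)
    try     { ($sha.ComputeHash($stream) | ForEach-Object { $_.ToString("x2") }) -join "" }
    finally { $stream.Close() }
}

function Test-Sethc {
    $sys32 = Join-Path $env:SystemRoot "System32\sethc.exe"
    $cache = Join-Path $env:SystemRoot "System32\dllcache\sethc.exe"
    $findings = @()

    if (-not (Test-Path $sys32)) { return @("sethc.exe is missing from System32") }
    $live = Get-Item $sys32

    # A renamed cmd.exe carries cmd's version resource; genuine sethc.exe names itself.
    $orig = $live.VersionInfo.OriginalFilename
    if ($orig -and $orig -notmatch "sethc") {
        $findings += "System32\sethc.exe reports OriginalFilename '$orig' (expected sethc.exe)"
    }

    if (-not (Test-Path $cache)) {
        # Without a dllcache copy WFP has nothing to restore from; sfc /scannow
        # rebuilds the cache from installation media (as the thread notes).
        $findings += "no dllcache copy: WFP cannot restore sethc.exe; run sfc /scannow"
    } elseif ((Get-Sha256Hex $sys32) -ne (Get-Sha256Hex $cache)) {
        # Live file no longer matches the protected copy: replaced offline or
        # while protection was not watching.
        $findings += "System32\sethc.exe differs from the dllcache copy"
    }

    if ($findings.Count -eq 0) { "OK: sethc.exe matches the dllcache copy and its own version resource" }
    else { $findings }
}

Test-Sethc
```

Run it as an administrator; any finding other than "OK" is a reason to run "sfc /scannow" and to compare the file against a known-good XP installation.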
spencerturbine

ASKER
toniur, I have to give you the points on this one.

It would appear that this file has always been protected as you have stated.

I was under the misconception that a patch or SP "added" protection for this file after the exploit became well known.

I have to look into something else related to this question. I think the security context under which the executable that is renamed to sethc.exe runs, when hitting the shift key 5 times at the logon prompt, is different on a few of my machines. But I think that's another question.