spencerturbine

asked on

What has fixed the Sticky Keys vulnerability?

Oddly enough, I am having some trouble tracking down what specific patch on a Windows XP Pro box is actively protecting sethc.exe.

I am not sure if it's SP3 or an individual security update. Maybe it's our Trend Micro that's protecting that file.

Does anyone know what specific patch from Microsoft addressed this vulnerability and can point me to exactly where I can read about that?

Just for additional information: when I am logged onto the machine and I rename sethc.exe to sethc_old.exe, a new one is created within seconds. This is obviously a protection against this type of attack.
ASKER CERTIFIED SOLUTION
Toni Uranjek
spencerturbine

ASKER

That's good information, but I am hoping to get to the specific info on what actually added sethc.exe to SFC (if that's in fact what is happening).

Also, as a side note: if you modify this file outside of Windows (access the drive while booted to a live Linux CD) and then boot back to Windows, sethc.exe is NOT changed back to the original. I would have thought that if it was SFC watching it, it would have detected that the file was not the original and replaced it.
Hi!

I've checked my unpatched XP machine (no SP). "sethc.exe" was always under WFP. Apparently all .exe, .ocx and .dll files from the XP CD are automatically under protection, according to: http://www.microsoft.com/whdc/archive/wfp.mspx#E3F

At the moment I cannot boot the unpatched computer into another operating system. Of course, if I were able to, if I had physical access to the computer, I wouldn't be interested in this particular file. I would simply reset the local administrator's password.

Toni
Yes, but that type of attack leaves a trail. With the sethc.exe attack you can leave it in place and it's hard to detect. Most importantly, hitting the Shift key 5 times works when you RDP to the machine.

So all you need is physical access to the machine one time and you can leave this in place, using it whenever you want (provided RDP is enabled and the IP is reachable from your location).

I have a patched XP box and sethc.exe is NOT in the dllcache directory.
If you remove a protected file from the "dllcache" folder, then editing or replacing it in the "system32" folder will not trigger replacement until you run "sfc /scannow". Unfortunately I won't be able to access another XP computer today, but I'm pretty sure that this particular file has been under protection since the day XP was released.
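
As an added example (not from this thread, and not a Microsoft tool), here is a PowerShell audit of the situation described above. It compares %SystemRoot%\system32\sethc.exe against the WFP copy in dllcache and against cmd.exe, reads the PE version resource to see what the file claims to be, and flags a missing dllcache copy, since in that case WFP will not restore the file until "sfc /scannow" is run. The paths, the output layout and the use of .NET's SHA256 class instead of Get-FileHash (so it also runs under PowerShell 2.0 on XP SP3) are my assumptions.

```powershell
# Added example: audit the Sticky Keys binary on an XP/2003 box.
# Assumes the standard layout %SystemRoot%\system32 and %SystemRoot%\system32\dllcache.
$sys32 = Join-Path $env:SystemRoot 'system32'
$targets = @{
    'live'     = Join-Path $sys32 'sethc.exe'
    'dllcache' = Join-Path $sys32 'dllcache\sethc.exe'
    'cmd'      = Join-Path $sys32 'cmd.exe'
}

function Get-Sha256Hex([string]$Path) {
    # .NET SHA256 rather than Get-FileHash, which PowerShell 2.0 on XP does not have
    $sha   = [System.Security.Cryptography.SHA256]::Create()
    $bytes = [System.IO.File]::ReadAllBytes($Path)
    ($sha.ComputeHash($bytes) | ForEach-Object { $_.ToString('x2') }) -join ''
}

# Collect hash, version-resource OriginalFilename and mtime for each file that exists
$info = @{}
foreach ($name in $targets.Keys) {
    $p = $targets[$name]
    if (Test-Path $p) {
        $item = Get-Item $p
        $info[$name] = @{
            Hash             = Get-Sha256Hex $p
            OriginalFilename = $item.VersionInfo.OriginalFilename
            LastWrite        = $item.LastWriteTime
        }
        '{0,-9} {1}  orig={2}  mtime={3}' -f $name, $info[$name].Hash, $info[$name].OriginalFilename, $info[$name].LastWrite
    } else {
        '{0,-9} MISSING: {1}' -f $name, $p
    }
}

$findings = @()
if (-not $info.ContainsKey('live')) {
    $findings += 'system32\sethc.exe is missing'
}
if (-not $info.ContainsKey('dllcache')) {
    $findings += 'dllcache copy is missing: WFP will not restore sethc.exe until "sfc /scannow" is run'
}
if ($info.ContainsKey('live')) {
    # A cmd.exe dropped in as sethc.exe still carries cmd.exe's version resource
    if ($info.live.OriginalFilename -ne 'sethc.exe') {
        $findings += ('system32\sethc.exe reports OriginalFilename "{0}"' -f $info.live.OriginalFilename)
    }
    if ($info.ContainsKey('cmd') -and $info.live.Hash -eq $info.cmd.Hash) {
        $findings += 'system32\sethc.exe is byte-identical to cmd.exe'
    }
    # Catches the offline (live CD) replacement the asker describes, which WFP did not revert
    if ($info.ContainsKey('dllcache') -and $info.live.Hash -ne $info.dllcache.Hash) {
        $findings += 'system32\sethc.exe differs from the dllcache copy'
    }
}

if ($findings.Count -eq 0) {
    'OK: sethc.exe matches the WFP cache copy and identifies itself as sethc.exe'
} else {
    $findings | ForEach-Object { "FINDING: $_" }
}
```

Run it from an elevated prompt. The hash comparison alone is not enough: an attacker who replaced both the system32 and the dllcache copy while booted from another OS would pass it, which is why the script also checks the version resource and compares against cmd.exe. A file that fails any of the checks should be compared against a known-good copy from installation media before "sfc /scannow" is used to put things back.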

toniur:

I will check a few more machines and see what I find.

Tolomir:

Thanks for that information (useful no doubt, but not quite an answer to this particular question).

Well, I had some problems with what particular vulnerability you are referring to. I found a cmd replacement of that file to get into a computer by pressing Shift 5 times.
But to do that, one first has to replace the file you've mentioned with cmd.
I've checked a couple of XP machines. They all have "sethc.exe" in the "dllcache" folder. If your machine doesn't, is it possible that your procedures while the computer's disk was accessed by the other operating system deleted the file from "dllcache" as well?

To prevent users who have physical access to the computer and free access to the BIOS settings (to change the boot device order) from taking advantage of this backdoor remotely (by RDP), try using 2xSecure RDP.
toniur, I have to give you the points on this one.

It would appear that this file has always been protected as you have stated.

I was under the misconception that a patch or SP "added" protection for this file after the exploit became well known.

I have to look into something else related to this question. I think the security context under which the executable that is renamed to sethc.exe runs, when hitting the Shift key 5 times at the logon prompt, is different on a few of my machines. But I think that's another question.