I enjoy listening to the Darknet Diaries podcast by Jack Rhysider. In a recent episode a guest of the show was telling a story about how he managed to compromise a computer network while in prison for… You guessed it! Hacking. Anyway, the story behind the hack isn’t what I wanted to discuss with you in this blog post. Instead, I wanted to talk about the hack itself, the vulnerability that it exploits, and how you can stop it with some simple scripting.
Setting The Stage
The hack involves the accessibility tools built into Windows. An attacker with physical access to your machine can abuse them at your Windows logon screen to do pretty much whatever they want. I know what you’re thinking: “But if the attacker already has physical access, why bother?” You have a point. Most attackers who have physical access to a machine will be able to gain control over that machine. This is true in almost every scenario. An attacker with physical access can almost always find some workaround to undermine your security. Whether they use a removable device, brute-force attacks, or just plain old taking the cover off and making off with the disk drives… You’d be hard pressed to beat an attack when the attacker has your equipment and you don’t.
But there are circumstances where a potential attacker has physical access but still lacks the time, privacy, or tools to pull off an attack. Like in prison, where you have to be covert or guards will spot you. Or at work, where your co-workers might ask how you managed to get into the BIOS of a company computer, or at school, where the librarian might ask why you’re taking her computers apart. These are all places where internal attacks become too risky and/or time-consuming to pull off. The Accessibility Tools hack is one where you need to enter the BIOS of the machine and reboot several times. That takes a while, and although the skill level of the attack is low, it’s still a very dangerous proposition to have an attacker with local admin access on your network. Let’s set up a sandbox scenario… You’re a domain administrator named Bob with 50 machines on your network. Someone has pulled off an Accessibility Tools hack on a machine and has local admin rights whenever they want. They install a keylogger on the machine and forget about it until, 3 days later, you get a ticket to take a look at the machine because someone can’t get into their email. You log on remotely, but nothing is broken. You sip your coffee and work up the nerve to go teach this person how to use their email. You make your way to the machine and, without thinking twice, blast your domain admin credentials into their machine in the process of helping them. Now the attacker has your domain admin credentials, and they don’t even need physical access anymore.
Next, reboot the machine and load the accessibility tool that you replaced with cmd.exe. You now have a SYSTEM command prompt. Because the file is owned by TrustedInstaller, it’s extremely difficult to replace in a production domain environment from a standard user account, but if you can find a computer with USB ports enabled and an unprotected BIOS, this should be relatively easy to pull off. The attack depends on all of the following being true:
- BIOS password disabled.
- USB ports enabled.
- Removable storage (CD/USB/floppy) set before the primary OS boot device in the BIOS boot order.
- Accessibility Tools at logon screen enabled by Group Policy Management or Local Group Policy Editor.
Option Explicit

Dim oShell, oFSO, dangerousExes, exe, cmdHardCodedHash, cmdDynamicHash, _
    strComputerName, strUserName, strLogFilePath, strSafeDate, _
    strSafeTime, strDateTime, strLogFileName, objLogFile, cmdHashCache, objCmdHashCache, dangerHashCache, _
    dangerHashData, cmdHashData, mailFile, objDangerHashCache, oFile

Set oShell = WScript.CreateObject("WScript.Shell")
Set oFSO = CreateObject("Scripting.FileSystemObject")

' Accessibility binaries that can be swapped for cmd.exe and launched from the logon screen.
dangerousExes = Array("Magnify.exe", "Narrator.exe", "osk.exe", "sapisvr.exe", "control.exe", "utilman.exe")

' Known SHA256 of cmd.exe on the build this script was written against, in CertUtil's
' space-separated output format. It is build-specific; the dynamic hash computed below
' covers the cmd.exe actually present on the machine.
cmdHardCodedHash = "db 06 c3 53 49 64 e3 fc 79 d2 76 31 44 ba 53 74 2d 7f a2 50 ca 33 6f 4a 0f e7 24 b7 5a af f3 86"
cmdDynamicHash = ""

strComputerName = oShell.ExpandEnvironmentStrings("%COMPUTERNAME%")
strUserName = oShell.ExpandEnvironmentStrings("%USERNAME%")
strLogFilePath = "\\server\Logs"
strSafeDate = DatePart("yyyy", Date) & Right("0" & DatePart("m", Date), 2) & Right("0" & DatePart("d", Date), 2)
strSafeTime = Right("0" & Hour(Now), 2) & Right("0" & Minute(Now), 2) & Right("0" & Second(Now), 2)
strDateTime = strSafeDate & "-" & strSafeTime
strLogFileName = strLogFilePath & "\" & strComputerName & "-" & strDateTime & "-Accessibility_Defender.txt"
cmdHashCache = "C:\cmdHashCache.dat"
dangerHashCache = "C:\dangerHashCache.dat"
mailFile = "C:\Accessibility_Defender_Warning.mail"

' A function to clear the previous dangerCache and create a new one.
Function clearDangerCache()
    If oFSO.FileExists(dangerHashCache) Then
        oFSO.DeleteFile dangerHashCache, True
    End If
    If Not oFSO.FileExists(dangerHashCache) Then
        Set oFile = oFSO.CreateTextFile(dangerHashCache, True)
        oFile.Close
    End If
End Function

' A function to create the CMD Hash Cache file. The two "find /v" filters drop CertUtil's
' header and "command completed" lines so only the hash itself is written.
Function createCmdHashCache()
    If oFSO.FileExists("C:\Windows\System32\cmd.exe") Then
        oShell.Run "cmd /c CertUtil -hashfile ""C:\Windows\System32\cmd.exe"" SHA256 | find /i /v ""SHA256"" | find /i /v ""certutil"" > " & cmdHashCache, 0, True
    End If
End Function

' A function to hash each of the hardcoded files and cache the value (one hash per line).
Function createDangerHashCache()
    For Each exe In dangerousExes
        If oFSO.FileExists("C:\Windows\System32\" & exe) Then
            oShell.Run "cmd /c CertUtil -hashfile ""C:\Windows\System32\" & exe & """ SHA256 | find /i /v ""SHA256"" | find /i /v ""certutil"" >> " & dangerHashCache, 0, True
        End If
    Next
End Function

' A function to read the CMD hash cache. ReadLine plus Trim strips the trailing newline
' that ReadAll would keep, which would otherwise make every comparison fail.
Function readCmdHashCache()
    cmdHashData = ""
    If oFSO.FileExists(cmdHashCache) Then
        Set objCmdHashCache = oFSO.OpenTextFile(cmdHashCache)
        If Not objCmdHashCache.AtEndOfStream Then
            cmdHashData = Trim(objCmdHashCache.ReadLine())
        End If
        objCmdHashCache.Close
    End If
End Function

' A function to read the Danger hash cache and compare it to the CMD hash cache and
' hardcoded CMD hash. Returns True if any accessibility binary is really cmd.exe.
Function hashMatch()
    hashMatch = False
    If oFSO.FileExists(dangerHashCache) Then
        Set objDangerHashCache = oFSO.OpenTextFile(dangerHashCache)
        Do While Not objDangerHashCache.AtEndOfStream
            dangerHashData = Trim(objDangerHashCache.ReadLine())
            If dangerHashData <> "" Then
                If dangerHashData = cmdHashData Or dangerHashData = cmdHardCodedHash Then
                    hashMatch = True
                End If
            End If
        Loop
        objDangerHashCache.Close
    End If
End Function

' A function to write an event to the central log share.
Function createLog(strEventInfo)
    If Not (strEventInfo = "") Then
        Set objLogFile = oFSO.CreateTextFile(strLogFileName, True)
        objLogFile.WriteLine strDateTime & " " & strEventInfo
        objLogFile.Close
    End If
End Function

' A function to build the warning e-mail on disk for sendmail.exe.
Function createMailFile()
    If oFSO.FileExists(mailFile) Then
        oFSO.DeleteFile mailFile, True
    End If
    If Not oFSO.FileExists(mailFile) Then
        Set oFile = oFSO.CreateTextFile(mailFile, True)
        oFile.Write "To: IT@COMPANY.com" & vbNewLine & "From: server@COMPANY.com" & vbNewLine & _
            "Subject: COMPANY Accessibility Defender Warning!!!" & vbNewLine & vbNewLine & _
            "This is an automatic email from the COMPANY Network to notify you that a workstation was defended from Accessibility Tools exploitation." & _
            vbNewLine & vbNewLine & "Please log-in and verify that the equipment listed below is secure." & vbNewLine & _
            vbNewLine & "USER NAME: " & strUserName & vbNewLine & _
            "WORKSTATION: " & strComputerName & vbNewLine & vbNewLine & _
            "This check was generated by " & strComputerName & " and is performed when Windows boots." & vbNewLine & vbNewLine
        oFile.Close
    End If
End Function

' A function for running SendMail (sendmail.exe is assumed to be on the PATH).
Function sendMail()
    oShell.Run "cmd /c sendmail.exe " & mailFile, 0, True
End Function

' A function to shut the machine down so the swapped binary cannot be used at the logon
' screen. shutdown.exe with no switches only prints its usage, so /s /t 0 is required.
Function shutdownMachine()
    oShell.Run "cmd /c C:\windows\system32\shutdown.exe /s /t 0", 0, False
End Function

' Main: rebuild both caches at boot, compare, and respond if a match is found.
clearDangerCache
createCmdHashCache
createDangerHashCache
readCmdHashCache
If hashMatch() = True Then
    createLog "The machine " & strComputerName & " just attempted to execute an Accessibility Tools exploitation!"
    createMailFile
    sendMail
    shutdownMachine
End If
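The script above only catches the case where an accessibility binary is a byte-for-byte copy of cmd.exe, and its hard-coded hash is tied to one Windows build. The following PowerShell audit is an added example, not the blog’s script, that checks the same six binaries but adds two signals the hash comparison alone misses: whether the file still carries a valid Microsoft signature, and whether it is still owned by TrustedInstaller (a swapped file is typically owned by whoever copied it in). It assumes it runs as an administrator on Windows 8 or later with PowerShell 5 or later, where Get-AuthenticodeSignature validates catalog-signed system files; `$LogShare` is a placeholder UNC path, and `Test-AccessibilityBinaries` is a function name chosen for this example.

```powershell
# Added example (not the blog's script): audit the accessibility binaries for tampering.
# Assumptions: administrator on Windows 8+/PowerShell 5+, where catalog-signed system
# files report Status 'Valid'. $LogShare is a placeholder; replace with your own share.

$LogShare      = '\\server\Logs'
$System32      = Join-Path $env:SystemRoot 'System32'
$DangerousExes = 'Magnify.exe', 'Narrator.exe', 'osk.exe', 'sapisvr.exe', 'control.exe', 'utilman.exe'

function Test-AccessibilityBinaries {
    param(
        [string[]]$Names     = $DangerousExes,
        [string]  $Directory = $System32
    )

    # Hash the machine's own cmd.exe instead of relying on a build-specific constant.
    $cmdHash = (Get-FileHash -Algorithm SHA256 -LiteralPath (Join-Path $Directory 'cmd.exe')).Hash

    foreach ($name in $Names) {
        $path = Join-Path $Directory $name
        if (-not (Test-Path -LiteralPath $path)) { continue }   # not every build ships every tool

        $hash  = (Get-FileHash -Algorithm SHA256 -LiteralPath $path).Hash
        $sig   = Get-AuthenticodeSignature -LiteralPath $path
        $owner = (Get-Acl -LiteralPath $path).Owner

        $findings = @()
        if ($hash -eq $cmdHash) { $findings += 'hash matches cmd.exe' }
        if ($sig.Status -ne 'Valid') {
            $findings += "signature $($sig.Status)"
        } elseif ($sig.SignerCertificate.Subject -notmatch 'O=Microsoft Corporation') {
            $findings += 'signed, but not by Microsoft'
        }
        if ($owner -ne 'NT SERVICE\TrustedInstaller') { $findings += "owner is $owner" }

        [pscustomobject]@{
            Computer = $env:COMPUTERNAME
            File     = $path
            SHA256   = $hash
            Signer   = $sig.SignerCertificate.Subject
            Owner    = $owner
            Tampered = ($findings.Count -gt 0)
            Findings = ($findings -join '; ')
        }
    }
}

# Run the audit, write a timestamped report beside the blog script's log files, and
# show only the suspicious entries so a scheduled task or operator can react.
$results = Test-AccessibilityBinaries
$stamp   = Get-Date -Format 'yyyyMMdd-HHmmss'
$results | Export-Csv -NoTypeInformation -Path (Join-Path $LogShare "$env:COMPUTERNAME-$stamp-Accessibility_Audit.csv")
$results | Where-Object Tampered | Format-Table File, Owner, Findings -AutoSize
```

Run it from the same boot-time task the VBScript uses; on a clean machine every row reports Tampered as False, and the CSV gives you a per-host baseline of hashes and signers to diff against later. A binary whose signature is not Valid or whose owner is no longer TrustedInstaller deserves the same response as a cmd.exe hash match, even when the hash itself does not match, because the file could have been swapped for something other than cmd.exe.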