Windows Sticky Keys vulnerability

One of the most interesting cyber security things I’ve learnt recently is a vulnerability with Windows’ Sticky Keys feature.
I’ve written about it on my blog (https://largoat.uk/sticky-keys/) if anyone is interested. I’d be very interested in hearing if anyone has experience of it, either by use or detection or whatever.

If this isn’t the right audience for this then let me know and I’ll have this post removed.

Nice post. Is it launched as system all the time? Or only when the user who is logged in has admin rights?

I am familiar with this attack; it was used at an event that took place locally here in Greece as part of a contest. Also, the method for securing against that form of attack is simply encrypting your disk with either VeraCrypt or TrueCrypt. Disabling the keys or having a password on the BIOS does not protect you against someone with experience in the field.

@delo said:
Nice post. Is it launched as system all the time? Or only when the user who is logged in has admin rights?

It is launched as a System process because the default is located under the protected System32 directory. You have to be privileged in order to copy/delete files from there. That’s why, when you hit Win Key + R, the cmd prompt opens as a non-administrative user. The default permissions are invoked as part of safety. Therefore the system is prone to group overwriting/administrator ownage/password resetting by this attack.

Can’t send my entry, getting an error message saying I tried something funny :frowning:

Edit: the error was in the cmd file extension; it can’t be used for some reason.

What I did at my school a few years ago was that I rebooted the machine until I got a startup error, then got into the file system, then changed the cmd filename to the Sticky Keys filename (cannot remember the name). When I then restarted the machine I could launch a terminal with Sticky Keys. I got root access to all of the Windows machines that way :slight_smile:

Good article, thank you.

Thank you.

@WillIWas said:
What I did at my school a few years ago was that I rebooted the machine until I got a startup error, then got into the file system, then changed the cmd filename to the Sticky Keys filename (cannot remember the name). When I then restarted the machine I could launch a terminal with Sticky Keys. I got root access to all of the Windows machines that way :slight_smile:

Hehe, nice story dude!

@Largoat nice article

Here is an attack by Paula on an unencrypted system, manipulating the registry to add a debugger (cmd) to a program that runs before the login screen (utilman.exe).
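One way to detect the registry variant mentioned in this post (an IFEO Debugger on utilman.exe, or on sethc.exe for Sticky Keys itself), as an added example that is not from the thread or the linked blog: it parses the text produced by `reg export` for the Image File Execution Options key and flags any accessibility binary that has a Debugger value. The sample export and the list of monitored binaries are constructed assumptions; the IFEO key path and `reg export` format are real.

```python
import re
from typing import Dict, List

# Accessibility helpers that Windows launches as SYSTEM from the logon screen.
# A "Debugger" value under Image File Execution Options (IFEO) for any of them
# is the registry form of the Sticky Keys backdoor (sethc.exe = Sticky Keys).
ACCESSIBILITY_BINARIES = {"sethc.exe", "utilman.exe", "osk.exe", "narrator.exe",
                          "magnify.exe", "displayswitch.exe", "atbroker.exe"}
IFEO_PREFIX = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT"
               r"\CurrentVersion\Image File Execution Options")

def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Parse a .reg export into {key_path: {value_name: data}} (string values only)."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        key_match = re.match(r"^\[(.+)\]$", line)
        if key_match:
            current = key_match.group(1)
            keys.setdefault(current, {})
            continue
        val_match = re.match(r'^"([^"]+)"="(.*)"$', line)
        if val_match and current is not None:
            # .reg files escape backslashes in string data as "\\"
            keys[current][val_match.group(1)] = val_match.group(2).replace("\\\\", "\\")
    return keys

def find_ifeo_hijacks(reg_text: str) -> List[str]:
    """Return 'binary -> debugger' for accessibility binaries that have a Debugger set."""
    findings = []
    for key, values in parse_reg_export(reg_text).items():
        if not key.lower().startswith(IFEO_PREFIX.lower()):
            continue
        target = key[len(IFEO_PREFIX) + 1:].split("\\")[0].lower()
        if target in ACCESSIBILITY_BINARIES and "Debugger" in values:
            findings.append(f"{target} -> {values['Debugger']}")
    return findings

# Constructed sample export: one benign IFEO entry and one hijacked utilman.exe.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"DisableExceptionChainValidation"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\utilman.exe]
"Debugger"="C:\\Windows\\System32\\cmd.exe"
'''
```

Running `find_ifeo_hijacks(SAMPLE_REG)` returns `["utilman.exe -> C:\Windows\System32\cmd.exe"]`; on a real host, feed it the file written by `reg export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options" ifeo.reg`.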