In Windows Vista, NTLM authentication is performed by the NTLM security support provider (Msv1_0.dll), which is used to authenticate against the SAM database. During our tests its code segment was always found in physical memory, making it possible to perform a patch at any time.
Adapting the unlock hack to Vista basically boils down to finding the correct code location for applying the patch. In Vista the actual password comparison is done with a call to RtlCompareMemory() in the function MsvpPasswordValidate() of Msv1_0.dll (see the figure below). By patching the subsequent conditional jump with NOP instructions, the memory comparison is effectively disabled.
Due to SEC Consult's disclosure policy we are not allowed to release the tool itself.
Physical Security Attacks on Windows Vista, SEC Consult Unternehmensberatung GmbH
FIGURE: PASSWORD VERIFICATION
In short, our Vista unlock tool uses signature matching to find the respective binary code in the target node's memory; the same method is used in winlockpwn. The process of searching for the pattern and manipulating the DLL code in memory takes a few seconds up to a few minutes. After the patch has been applied, any username and password can be specified at the login prompt for a successful login.
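The patch described above leaves a measurable trace: the code bytes of the DLL in memory no longer match the code bytes of the same DLL on disk. The following PowerShell function is an added example (not code from the SEC Consult paper or its tool) of the check a responder would run over a memory image. It walks a code region as captured from memory next to the same region read from the module on disk, reports every run of modified bytes, and calls out the case where a conditional jump has been overwritten with NOPs. The two byte arrays at the end are constructed sample data, not real Msv1_0.dll code; in practice they would be the .text section of the DLL on disk and the corresponding bytes from the memory image.

```powershell
# Added example, not code from the SEC Consult paper. Compares a code region as found in a
# memory image with the same region read from the module on disk and reports every run of
# modified bytes, singling out a conditional jump that has been overwritten with NOPs.
# The byte arrays at the bottom are CONSTRUCTED sample data, not real Msv1_0.dll code.

function Find-InlinePatches {
    param(
        [Parameter(Mandatory)][byte[]]$Disk,    # section bytes as stored in the DLL on disk
        [Parameter(Mandatory)][byte[]]$Memory   # the same section as captured from memory
    )
    if ($Disk.Length -ne $Memory.Length) {
        throw "Regions differ in length: disk=$($Disk.Length) memory=$($Memory.Length)"
    }

    $findings = @()
    $i = 0
    while ($i -lt $Disk.Length) {
        if ($Disk[$i] -eq $Memory[$i]) { $i++; continue }

        # Gather the whole contiguous run of bytes that differ.
        $start = $i
        while ($i -lt $Disk.Length -and $Disk[$i] -ne $Memory[$i]) { $i++ }
        [byte[]]$origRun = @($Disk[$start..($i - 1)])
        [byte[]]$newRun  = @($Memory[$start..($i - 1)])

        # Was the original a conditional jump? x86 short Jcc is 0x70-0x7F + rel8,
        # the near form is 0x0F 0x80-0x8F + rel32.
        $wasJcc = ($origRun[0] -ge 0x70 -and $origRun[0] -le 0x7F) -or
                  ($origRun.Length -ge 2 -and $origRun[0] -eq 0x0F -and
                   $origRun[1] -ge 0x80 -and $origRun[1] -le 0x8F)
        # Has the run been replaced entirely by NOP (0x90)?
        $allNop = @($newRun | Where-Object { $_ -ne 0x90 }).Count -eq 0

        $verdict = if ($wasJcc -and $allNop) { 'conditional jump replaced by NOPs' }
                   elseif ($allNop)          { 'code replaced by NOPs' }
                   else                      { 'code modified' }

        $findings += [pscustomobject]@{
            Offset   = '0x{0:X}' -f $start
            Length   = $i - $start
            OnDisk   = ($origRun | ForEach-Object { '{0:X2}' -f $_ }) -join ' '
            InMemory = ($newRun  | ForEach-Object { '{0:X2}' -f $_ }) -join ' '
            Verdict  = $verdict
        }
    }
    return $findings
}

# Constructed sample: CALL rel32, TEST EAX,EAX, JNZ +8, XOR EAX,EAX, RET. In the "memory"
# copy the two-byte JNZ (75 08) has become 90 90, so the result of the call no longer matters.
[byte[]]$diskText   = 0xE8,0x10,0x00,0x00,0x00, 0x85,0xC0, 0x75,0x08, 0x33,0xC0, 0xC3
[byte[]]$memoryText = 0xE8,0x10,0x00,0x00,0x00, 0x85,0xC0, 0x90,0x90, 0x33,0xC0, 0xC3

Find-InlinePatches -Disk $diskText -Memory $memoryText | Format-Table -AutoSize
```

When running this against a real image, compare the section only after applying the module's base relocations to the on-disk copy (or exclude the offsets listed in its .reloc section), otherwise every relocated pointer shows up as a false positive; import thunks and data sections should be left out of the comparison for the same reason.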
The manipulation of the authentication process is just one of many possibilities. Insertion of malware or opening a shell would be others. It is also possible to do a full memory dump and search for harddisk encryption keys, just like the Cold Boot Attack but without having to reboot the system. These attacks, too, work on Windows Vista targets.
There is no security update provided by Microsoft, and possibly never will be, as these attacks are not based on a vulnerability but are merely possible because of the designs and protocols. The only known effective way of protecting against the FireWire attack is to deactivate all FireWire and PC Card ports in the Device Manager. The Device Manager of Windows Vista can be accessed via Start > Control Panel > System and Maintenance > System > Device Manager. Right-click on all FireWire and PC Card (PCMCIA) ports and choose "Disable". There is no known countermeasure against the cold boot attack at the moment other than restricting physical access to your systems.
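The Device Manager steps above are a per-machine, click-through procedure. As an added example (not from the SEC Consult paper), the following PowerShell function does the same thing in a scriptable, auditable way so it can be rolled out to many hosts. It assumes the PnpDevice cmdlets (Get-PnpDevice and Disable-PnpDevice), which exist on Windows 8 / Server 2012 and later but not on Windows Vista, and an elevated PowerShell session; the device setup class names "1394" and "PCMCIA" are the standard classes for FireWire host controllers and PC Card bridges.

```powershell
# Added example, not from the SEC Consult paper: a scriptable equivalent of the Device Manager
# steps described above. Assumes the PnpDevice cmdlets (Windows 8 / Server 2012 and later;
# they do not exist on Windows Vista) and an elevated PowerShell session.

function Disable-ExternalDmaPorts {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # Device setup classes of the ports the paper tells you to deactivate:
        # IEEE 1394 (FireWire) host controllers and PCMCIA / CardBus bridges.
        [string[]]$Classes = @('1394', 'PCMCIA')
    )

    $targets = Get-PnpDevice -PresentOnly | Where-Object { $_.Class -in $Classes }
    if (-not $targets) {
        Write-Verbose 'No FireWire or PC Card controllers present.'
        return
    }

    foreach ($dev in $targets) {
        # ShouldProcess honours -WhatIf / -Confirm so the change can be previewed first.
        if ($PSCmdlet.ShouldProcess($dev.FriendlyName, 'Disable device')) {
            Disable-PnpDevice -InstanceId $dev.InstanceId -Confirm:$false
        }
    }

    # Re-read the state so the caller can verify nothing in these classes is still enabled.
    Get-PnpDevice -PresentOnly | Where-Object { $_.Class -in $Classes } |
        Select-Object Class, FriendlyName, Status
}

# Preview, then apply:
Disable-ExternalDmaPorts -WhatIf
Disable-ExternalDmaPorts -Verbose
```

A disabled device is listed with Status "Error" (problem code CM_PROB_DISABLED). The disabled state belongs to the device instance, so a controller that was not present when the function ran (for example a hot-plugged card) is enumerated as a new, enabled instance; re-run the function after hardware changes or schedule it at startup.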
About the Vulnerability Lab
Members of the SEC Consult Vulnerability Lab perform security research in various topics of technical information security. Projects include vulnerability research and the development of cutting-edge security tools and methodologies, and are supported by partners like the Technical University of Vienna. The lab has published security vulnerabilities in many high-profile software products, and selected work has been presented at top security conferences like Blackhat and DeepSec.
For more information see http://www.sec-consult.com
REFERENCES
Halderman, J. Alex, et al. Lest We Remember: Cold Boot Attacks on Encryption Keys. [Online] February 2008. [Cited: February.] http://citp.princeton.edu.nyud.net/pub/coldboot.pdf
Boileau, Adam. Hit by a Bus: Physical Access Attacks with Firewire. [Online] [Cited: February.] http://storm.net.nz/static/files/ab_firewire_rux2k6-final.pdf
Becher, Michael, Dornseif, Maximillian and Klein, Christian N. FireWire: all your memory are belong to us. [Online] [Cited: February.] http://md.hudora.de/presentations/firewire/2005-firewire-cansecwest.pdf
Winlockpwn tool. http://storm.net.nz/static/files/winlockpwn