[RST] Windows 10 RTM (10240) Close/Preview apps without authentication

[em]

Windows 10 RTM (10240) Close/Preview apps without autentification

Windows 10 is a personal computer operating system being developed by Microsoft as part of the Windows NT family of operating systems.

A new update to this OS is the three finger swipe up gesture, that opens the multiple screen mode and shows all the active apps, to allow them to be sorted/opened/closed/minimized. This feature also works without the user being logged in, potentially allowing an attackers to examine the running programs or close them.

By allowing an attacker to maximize random apps could lead to running unwanted code on locked machines. Preliminary tests show that on maximize events do trigger on maximize events (WM_SIZE message with the value SIZE_MAXIMIZED in wParam). This may allow an attacker to activate a previously installed backdoor on a user machine, and run it only on maximize if the screen is locked (thus, allowing him to run arbitrary code without logging in if he has physical access to the machine).

POC of this exploit:

In the first picture we can observe a Wordpad Document opened and a Google Chrome minimized

Lock the screen. Note: I have a password that is required for unlocking

Screen is locked

Execute the 3 fingers swipe up gesture with the touchpad

I can see all the running apps with a GUI that are minimized. Moreover, I can see a preview of them, maximize them, or close them. Note that I can see the text "Sensitive information without logging in"

I clicked chrome. After that I clicked space to open the login screen.

I am logging in with my password

Chrome is maximized. I've managed to preview an app (see sensitive text) and maximize another app without entering my login password.

Source: em @ Romanian Security Team.

Edited July 16, 2015 by em

[AlStar]

Foarte interesanta treaba asta, @em . Totusi, la mine nu se reproduce, desi am touchpad cu multitouch. Chiar in seara asta am facut update la noul build si am testat chestia asta.

[em]

Foarte interesanta treaba asta, @em . Totusi, la mine nu se reproduce, desi am touchpad cu multitouch. Chiar in seara asta am facut update la noul build si am testat chestia asta.

?ie î?i apare acel ecran dac? e?ti logat? Poate nu ai driverele corespunz?toare la touchpad. Nu am verificat dac? exist? ?i o combina?ie de taste în loc de 3 degete.

[AlStar]

Am si driverele pentru multitouch, am acelasi build de Windows. Ce difera, e faptul ca eu am pus sa ma loghez cu PIN in loc de parola de Live. Mai verific diseara, posibil sa fie ceva ce am dezactivat de cand am pus build-ul anterior.

LE: De fapt, tocmai asta cred ca e diferenta. Eu folosesc @ live.com , iar tu folosesti cont local. Oare sa fi asta cauza?

[em]

Am folosit si eu cont de @Live.com (ca altfel nu mai vin update-uri). Am scapat de el dupa.

Nu mi-ai raspuns la intrebare. Merge gestul cu trei degete sus daca esti logat? Adica, face ceva?

[TheTime]

Hello,

Un subiect destul de misto, dar sunt si ceva sanse sa nu fie vina windows-ului. Ca idee, orice instalezi suplimentar pe langa windows (programe care sa ruleze la start-up, drivere, teme etc) pot cauza astfel de probleme. Subiectul imi aminteste de acest blog post, un exemplu bun de cum poti face bypass la windows lock screen atunci cand ai un screensaver facut in flash.

Parerea mea este ca ai un laptop de la Lenovo sau HP si ca ai instalat driverele pentru multi-touch ale lor. Eu m-am obisnuit cu gandul ca driverele lor sunt facute de maimute, probabil de acolo si problemele de securitate.

Oricum, foarte misto ca finding!

[AlStar]

Nu mi-ai raspuns la intrebare. Merge gestul cu trei degete sus daca esti logat? Adica, face ceva?

Daca sunt logat, nu face nimic. In CP-ul touchpadului e dezactivat triple-finger gesture.

Oricum, tot ramane sa mai experimentez diseara.

As putea spune ca e posibil sa fi dezactivat faza cu 3 degete, inca de cand am instalat driverul, tocmai pentru ca nu m-a interesat feature-u asta din Win10, dar nu-s sigur, ca memoria mea functioneaza aiurea.

LE: Mda, aparent la mine nu merge deloc feature asta nou din Windows. Am multi-finger gesture la touchpad, dar pentru alte prostii. Posibil driver nepotrivit. In fine, ma pot lipsi de el. Pot folosi Win+Tab.

Edited July 18, 2015 by AlStar

[Cheater]

Am testat si eu cu buildul 10130 (in vmware fushion), imi apare login screen dupa gestul cu 3 degete, probabil ca s-a rezolvat deja.

[em]

Am testat si eu cu buildul 10130 (in vmware fushion), imi apare login screen dupa gestul cu 3 degete, probabil ca s-a rezolvat deja.

Mi-a venit un mic security update. KB3074663 sau KB3074665 pare c? rezolv? problema. Nu se mai reproduce.

Edited July 18, 2015 by em