Tuesday, December 6, 2016

Every Windows 10 in-place Upgrade (even with SCCM) is a SEVERE Security risk PART II


So, 127,000 blog reads and a week later, I believe it's a good time to publish episode II of this story. Please read these few points and then see how to apply this to SCCM-managed machines as well.


First a few things:

  1. My bad, I used a term from previous Windows versions. BitLocker is SUSPENDED, not DISABLED as I said. The end result is of course the same, but I do want to use the correct terms.
  2. Most comments say this is an old thing that was in Windows decades ago. Yes, the Shift+F10 feature has been there for ages and I've used it for troubleshooting for ages. That is why I knew to look for it. I first found it in the beta version of Windows 10. After finding it, I knew the first time it really was an issue was when people upgraded from Windows 8 to 8.1, as that was the first time the in-place upgrade was recommended and we had BitLocker. So in XP you could press Shift+F10, but so what, we didn't use it to bypass BitLocker (I actually played Solitaire with it just for fun), so I don't think this is the same thing at all…
  3. What makes this a "bug"? (Again, you have to give me some slack: I'm Finnish and English is not my first language. I speak a language where we log on to Windows using the local Administrator account name JÄRJESTELMÄNVALVOJA.) So let me rephrase: this is a "mistake", in that Microsoft forgot this in the upgrade sequence even though they know how to block it and have a feature for that.
  4. I categorize myself as a conceptual hacker. This means that I find and use holes that are not zero-day attacks or 3rd-party application issues, but holes based on principles that I know to look for because I've studied the OS for over 20 years. I teach Windows Internals and always tell my students that base knowledge of the OS is a requirement for both creative troubleshooting and taking care of security. How would you know what's bad if you don't know what's normal?
    1. You can find my training on http://PluralSight.com/ and http://win-fu.com/. Let me teach you to find this stuff as well :)
  5. LTSB. You don't have to agree with me on this. This was just my personal opinion. I did offer other choices as well, like not leaving computers unattended while they are upgrading. I currently plan on staying on LTSB until 2018 and then doing an easy upgrade to CBB, if things are worked out to the level I want by then.
  6. Will there be a time when all this will be put to the test? Yes, Microsoft just declared 1607 the Current Branch for Business. This means that the 1507 release will be out of support in a few months and we will get to test this in action ;) You can read more about this here: https://blogs.technet.microsoft.com/windowsitpro/2016/11/29/windows-10-1607-is-now-a-current-branch-for-business-cbb-release/
  7. I know the Immutable Laws of Security and I know the computer is not your computer anymore if someone has physical access to it. If it wasn't a case like this, trust me, I would have gotten a bounty on this from Microsoft ages ago. I still believe that this is an issue, as if I don't do in-place upgrades I don't have this issue… Some people got upset that I called it "SEVERE"… Well, if you ask me, when a computer's integrity protection and data protection fail by pressing two keys… Sorry, I just believe it's SEVERE. I will agree to disagree with you on this if you don't.
  8. I also saw some recommendations on using Linux to hack the box. Although Linux is Finnish and I like to promote it, you don't need Linux to hack Windows; it does so itself just fine, as I show in the next video.



Now let's talk about the next "issue" here. My good friend Johan Arwidmark did an amazing job in building a bandage to block Shift+F10. It can be used by SCCM/MDT or in any manual upgrade. Here is the link: http://deploymentresearch.com/Research/Post/567/Using-ConfigMgr-to-fix-the-Shift-F10-security-issue-for-Windows-10-inplace-upgrades This is probably what Microsoft will use to fix the hole in the first place as well.

Although this is great, I guess some people didn't see the real problem in this whole issue. If Shift+F10 is a "bug" or a "mistake", it can be easily fixed, as we see. The real security issue is the suspending of BitLocker. The next video shows you how to use this against any system, including SCCM/WSUS-controlled machines. Again, it uses the knowledge gained in Windows Internals classes. I also do security audits (hire me ;) ) and you can bet I will take this into my toolbox for the next bank I have to break into ;) And yes, it still requires physical access, and yes, I boot the machine from bootable media, so you could just glue the USB ports shut. I will then take the disk out at the correct point and move it to another machine, or start playing with Linux. Anyway, at the end of the day you are fighting against windmills.
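To make the two halves of the problem concrete, here is an added PowerShell example (written for this edit; it is not code from the original post, and it is not Johan Arwidmark's task sequence). The Shift+F10 block uses the mechanism Windows Setup itself honours: if a file named DisableCMDRequest.TAG exists in %windir%\Setup\Scripts, Setup refuses to open the command prompt during the upgrade. The second part audits the BitLocker state of the OS drive with the built-in BitLocker cmdlets, so you can see the "suspended" condition (volume fully encrypted, protection off) that the post is talking about. Function names and the pre/post structure are this example's own assumptions.

```powershell
# Added example, not from the original post or from Johan Arwidmark's ConfigMgr step.
# 1. Drop the DisableCMDRequest.TAG file that tells Windows Setup to ignore Shift+F10.
# 2. Audit BitLocker on the OS drive before and after the upgrade, because Setup
#    suspends BitLocker (protection off, data still encrypted) for the duration.
# Assumptions: function names and the pre/post layout are illustrative only.

#Requires -RunAsAdministrator

function Disable-SetupCommandPrompt {
    # Windows Setup checks %windir%\Setup\Scripts\DisableCMDRequest.TAG and, when it
    # exists, does not open the Shift+F10 command prompt during an in-place upgrade.
    $scriptsDir = Join-Path $env:windir 'Setup\Scripts'
    $tagFile    = Join-Path $scriptsDir 'DisableCMDRequest.TAG'

    if (-not (Test-Path $scriptsDir)) {
        New-Item -ItemType Directory -Path $scriptsDir -Force | Out-Null
    }
    if (-not (Test-Path $tagFile)) {
        # The file only has to exist; its content is irrelevant.
        New-Item -ItemType File -Path $tagFile -Force | Out-Null
    }
    return (Test-Path $tagFile)
}

function Get-OsDriveBitLockerState {
    # ProtectionStatus is 'On' when key protectors are active and 'Off' when the volume
    # is either unencrypted or encrypted-but-suspended. VolumeStatus separates the two:
    # FullyEncrypted + Off is exactly the "suspended" state the post describes.
    $vol = Get-BitLockerVolume -MountPoint $env:SystemDrive
    [pscustomobject]@{
        MountPoint       = $vol.MountPoint
        VolumeStatus     = $vol.VolumeStatus
        ProtectionStatus = $vol.ProtectionStatus
        Suspended        = ($vol.VolumeStatus -eq 'FullyEncrypted' -and
                            $vol.ProtectionStatus -eq 'Off')
        KeyProtectors    = ($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType }) -join ','
    }
}

# Pre-upgrade step (an SCCM/MDT "Run PowerShell Script" step or a manual run before setup.exe).
$tagPresent = Disable-SetupCommandPrompt
$before     = Get-OsDriveBitLockerState
Write-Host "DisableCMDRequest.TAG present: $tagPresent"
$before | Format-List

# ... the in-place upgrade (setup.exe or the task sequence) runs here ...

# Post-upgrade step: confirm protection is back. Setup normally resumes BitLocker by
# itself; if it did not, resume it explicitly and fail loudly rather than leave the
# machine with an encrypted-but-unprotected OS drive.
$after = Get-OsDriveBitLockerState
if ($after.Suspended) {
    Write-Warning "BitLocker is still suspended on $($after.MountPoint); resuming."
    Resume-BitLocker -MountPoint $after.MountPoint | Out-Null
    $after = Get-OsDriveBitLockerState
    if ($after.Suspended) {
        throw "BitLocker could not be resumed on $($after.MountPoint)"
    }
}
$after | Format-List
```

Two caveats a practitioner should keep in mind. The TAG file closes only the Shift+F10 prompt; it does nothing about Setup suspending BitLocker, which is the point the post is making, so it removes the convenient way in, not the underlying exposure. And the post-upgrade check can only confirm that the window has closed after the fact; while the upgrade is running the OS drive is readable to anyone who can boot the machine from other media or pull the disk, which is why the post's other advice (don't leave machines unattended while they upgrade) still applies.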




And BTW, I have a big issue to disclose that's totally unrelated to this and needs Microsoft's action before I can talk about it, so do enroll in my newsletter, like thousands of you already have: http://eepurl.com/F-GOj

And be sure to follow me on Twitter @samilaiho

Thanks for all the great feedback,

Sami