Vulnerability found in Windows 10 All Editions (x86 x64) [Also in Win8, 8.1]

Author- BHABESH KUMAR DAS

Linkedin profile- wakeupbkd2503

Tested on- VMWare Player 14

PoC- Win10_1803_English_x64.iso (official website)

YouTube video links-

video1

video2

video3

video4

HOW TO REPRODUCE –

  1. Start the machine by powering it on, or restart the VMware machine.
  2. Forcefully power it off with the power button, or restart the VMware machine again.
  3. Wait for Automatic Repair or recovery mode.
  4. Windows redirects to repair or recovery mode.
  5. Click on “Advanced options”. Alternatively, hold the “Shift” key and restart the machine; this takes less time to reach repair or recovery mode.
  6. Click on “Troubleshoot”.
  7. Click on “Advanced options”.
  8. Click on “Command Prompt”.
  9. When the Command Prompt opens, type “notepad.exe” to open Notepad with its graphical interface.
  10. In Notepad, go to the “File” menu and choose Open, or press Ctrl + O. The Open dialog gives direct access to the files on the partition.
  11. Go to the “C” drive.
  12. Open the “Windows” folder.
  13. Go to the “System32” folder.
  14. Change “Files of type” to “All Files”.
  15. Copy “cmd.exe” and paste it into the same “System32” folder.
  16. Refresh to see the pasted “cmd.exe - Copy” file.
  17. Rename the “sethc” file to “sethc2” as a backup.
  18. Rename the copied “cmd” file to “sethc”.
  19. All done; close all windows and restart the machine.
  20. At the logon screen, press the “Shift” key 7 times to open the “Command Prompt”.
  21. Type “net user” to list the users.
  22. Type “net user /add BHABESH Bkd25!@#$”. In general: “net user /add <username> <userpassword>”.
  23. Type “net user” to check whether the user was created.
  24. Type “net localgroup administrators BHABESH /add” to give the new user admin permissions.
  25. Type “net user” to confirm the user creation.
  26. Restart the machine.
  27. The logon screen shows the new user; click on the newly created user (BHABESH) and enter the password.
  28. Successfully logged in to the new admin user; a welcome message is shown.

See it’s a Windows 10 Pro.
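From the defender's side, the change made in steps 15 to 18 is visible on disk: sethc.exe in System32 becomes byte-identical to cmd.exe, its version resource still reports cmd's original file name, and the backup (“sethc2”) and pasted copy are left behind. The following PowerShell check is an added example, not part of the original post or of any Microsoft tooling. It assumes Windows 10 with PowerShell 5.1 or later run from an elevated prompt; sethc.exe (Sticky Keys) and the magnifier are the helpers named on this page, and the other logon-screen helpers in the list, the function names and the leftover-file pattern are my own assumptions.

```powershell
# Added example (not from the original post): check whether the accessibility
# helpers in System32 have been swapped for cmd.exe as described above.
# Assumes Windows 10, PowerShell 5.1 or later, run from an elevated prompt.
$System32 = Join-Path $env:SystemRoot 'System32'

# Binaries Windows launches from the logon screen. sethc.exe (Sticky Keys) and
# magnify.exe are named on this page; the rest are the same class of helper
# and are listed here as an assumption.
$Targets = 'sethc.exe', 'magnify.exe', 'utilman.exe', 'osk.exe', 'narrator.exe', 'displayswitch.exe'

function Test-AccessibilityBinaries {
    # Hash of the genuine cmd.exe on this machine: a helper with the same hash
    # is a renamed copy of it, which is exactly what the steps above produce.
    $cmdHash = (Get-FileHash -Algorithm SHA256 (Join-Path $System32 'cmd.exe')).Hash

    foreach ($name in $Targets) {
        $path = Join-Path $System32 $name
        if (-not (Test-Path $path)) { continue }

        $item    = Get-Item $path
        $hash    = (Get-FileHash -Algorithm SHA256 $path).Hash
        $sig     = Get-AuthenticodeSignature $path
        $reasons = @()

        if ($hash -eq $cmdHash) { $reasons += 'byte-identical to cmd.exe' }

        # The version resource keeps the original file name, so a renamed
        # cmd.exe still reports "Cmd.Exe" (the comparison is case-insensitive).
        $orig = $item.VersionInfo.OriginalFilename
        if ($orig -and $orig -ne $name) { $reasons += "OriginalFilename is '$orig'" }

        # A copied cmd.exe is still validly Microsoft-signed, so the signature
        # check only catches replacements by third-party or modified binaries.
        if ($sig.Status -ne 'Valid') { $reasons += "signature status $($sig.Status)" }

        [pscustomobject]@{
            File    = $name
            SHA256  = $hash
            Suspect = ($reasons.Count -gt 0)
            Reasons = ($reasons -join '; ')
        }
    }
}

function Get-LeftoverCopies {
    # Files the procedure above leaves behind: the renamed backup (sethc2) and
    # the pasted "cmd - Copy". Any extra file named like one of the helpers,
    # or like a copy of cmd, is worth a look (the pattern is an assumption).
    $pattern = '^(sethc|magnify|utilman|osk|narrator|displayswitch|cmd)\d*( - copy)?(\.[a-z]+)?$'
    Get-ChildItem $System32 -File |
        Where-Object { $_.Name -match $pattern -and $_.Name -notin $Targets -and $_.Name -ne 'cmd.exe' } |
        Select-Object Name, Length, LastWriteTime
}

Test-AccessibilityBinaries | Format-Table -AutoSize
Get-LeftoverCopies         | Format-Table -AutoSize
```

Run it as an administrator on a machine you suspect; a helper whose hash equals cmd.exe or whose OriginalFilename reads Cmd.Exe is the exact state the walkthrough produces. The check is only detective: because the swap is done offline from the recovery environment, it is the unencrypted system volume that makes it possible, which is the point MSRC makes about physical access below.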

 

Now both users have admin access, but you can change the account type of the previously created user.

Go to Control Panel > User Accounts > User Accounts > Change your account type > Administrator / Standard > Change Account Type.

Here I’m changing the account type of the previous admin user to Standard. You can also deny all access for the previous main user account.

Now the previous account is only a normal account with limited access, and it can also be deleted.

Now my created account is the administrator and the other one is a standard user.
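The account work in steps 22 to 25 also leaves a trace: a command prompt opened from the logon screen runs as SYSTEM, so the “net user /add” and “net localgroup administrators … /add” commands are recorded in the Security log as a user creation (event 4720) and a group addition (event 4732) performed by the computer account rather than by a logged-on administrator. The script below is an added example, not part of the original post, that pulls those events and flags the ones made as SYSTEM. It assumes an elevated PowerShell 5.1 or later prompt and that success auditing for User Account Management and Security Group Management is enabled; the function names are my own.

```powershell
# Added example (not from the original post): list local account creations and
# local group additions from the Security log, flagging ones made by SYSTEM,
# which is what commands typed into the logon-screen shell above run as.
# Assumes an elevated PowerShell 5.1+ prompt and that success auditing for
# User Account Management and Security Group Management is enabled.

function Get-EventDataValue {
    # Read a named EventData field from the event's XML instead of relying on
    # positional Properties, which differ between event IDs.
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event, [string]$Name)
    $xml = [xml]$Event.ToXml()
    ($xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

function Convert-SidToName {
    # 4732 carries the new member as a SID; resolve it to a name where possible.
    param([string]$Sid)
    try { (New-Object System.Security.Principal.SecurityIdentifier($Sid)).Translate([System.Security.Principal.NTAccount]).Value }
    catch { $Sid }   # deleted accounts no longer resolve; keep the raw SID
}

function Get-SuspiciousAccountChanges {
    param([int]$Days = 7)
    $filter = @{ LogName = 'Security'; Id = 4720, 4732; StartTime = (Get-Date).AddDays(-$Days) }
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

    foreach ($e in $events) {
        $subject = [string](Get-EventDataValue $e 'SubjectUserName')
        if ($e.Id -eq 4720) {
            $action = 'user created'
            $target = Get-EventDataValue $e 'TargetUserName'
        } else {
            # For 4732 TargetUserName is the group (e.g. Administrators) and
            # MemberSid is the account that was added to it.
            $action = "added to group $(Get-EventDataValue $e 'TargetUserName')"
            $target = Convert-SidToName (Get-EventDataValue $e 'MemberSid')
        }
        [pscustomobject]@{
            Time     = $e.TimeCreated
            Id       = $e.Id
            Action   = $action
            Target   = $target
            Subject  = $subject
            # The computer account (name ending in $) means the change was made
            # as SYSTEM, not by an interactive administrator.
            BySystem = $subject.EndsWith('$')
        }
    }
}

Get-SuspiciousAccountChanges -Days 30 | Sort-Object Time | Format-Table -AutoSize
```

Rows with BySystem set to True and a Target that is not a known service account are the ones to investigate; an interactive admin creating a user through the Control Panel path described above shows their own account name as Subject instead. If Get-WinEvent returns nothing, confirm with auditpol /get /category:"Account Management" that those subcategories are actually being audited.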

THANK YOU.

============================================================================

CONVERSATION BETWEEN MICROSOFT & ME(BKD) IN VIA GMAIL

============================================================================

REPORT TO MICROSOFT COMPANY: Critical Issue: Authentication Bypass, Root/Admin Privilege on Windows 10 Latest, All Editions.

Inbox Mail (BHABESH KUMAR DAS)

Microsoft Security Response Center

1:45 AM (8 hours ago)

to me

Hello,

Thank you for contacting the Microsoft Security Response Center (MSRC). In general, MSRC does not consider issues that require physical access to be exploited as security vulnerabilities (immutable law #3 in the link below). If the issue allows for direct code execution bypassing the logon screen of a locked computer we may consider that a security vulnerability on a case-by-case basis. In addition, if the PoC requires elevated privileges to trigger, such as needing to be able to access and modify files in system32, this will not meet the bar. Further, publicly known and acknowledged reports such as modifying stickykeys/magnifier/etc to become cmd, would not meet the bar.

As such, this thread is being closed and no longer monitored.

If you believe this to be a misunderstanding of the report, submit a new email to secure@microsoft.com without a CRM number in the subject line. Please include:

Relevant information previously provided in your initial report

Detailed steps required to consistently reproduce the issue

Short explanation on how an attacker could use the information to exploit another user remotely

Proof-of-concept (POC), such as a video recording, crash reports, screenshots, or relevant code samples

For more information on what qualifies as a security vulnerability please see the following:

‘Definition of a Security Vulnerability’

https://technet.microsoft.com/library/cc751383.aspx

“Ten Immutable Laws Of Security (Version 2.0)”

http://blogs.technet.com/b/rhalbheer/archive/2011/06/16/ten-immutable-laws-of-security-version-2-0.aspx

Regards,

Tina

MSRC

——————- Original Message ——————-

Hi Sir,

I have found a serious vulnerability in the latest version of Windows 10 Pro, downloaded from your official Microsoft website.

Using this vulnerability anyone can crack the password / access / create an admin account on MS Windows 8, 8.1, 10 (All Editions) without any tools or bootable USB/DVD.

Please look into this.

Please find the attached file below for the POC.

Regards,

BHABESH KUMAR DAS

__________________________________________________________________________

Bhabesh Kumar Das <kd.bhabesh2503@gmail.com>

8:50 AM (1 hour ago)

to Microsoft

Hi Team,

Thanks for your quick response.

I read your two URLs, which demonstrate that my findings are not up to the mark to meet any recognition (HoF, swag, bug bounty, etc.).

I raised a concern about unauthorised access to Windows with system (highest) privilege.

Do you really think it is not a security risk? In our daily life we have access to so many Windows laptops, and the owners of those laptops trust that their laptop is protected by Windows with strong encryption techniques, and that no one can enter without their password. But that becomes the funniest fact once any layman goes through my PoC. If I get any Apple laptop / Unix / Linux laptop, do you think that unauthorized access with system privilege can be achieved easily? The answer is “NO.”

If it is not a security issue, then why did you update that issue with a proper security patch? I checked multiple times and found the issue got fixed.

You have Ten Immutable Laws, fine. But you should calculate its risk as well.

Sometimes it is better to be a black hat rather than a white hat.

I am going to disclose this issue publicly.

To sell any Windows product, please let the users know your Ten Immutable Laws of Security, so that they take care of their security themselves.

Have a great day.

Warm Regards,

BHABESH KUMAR DAS