Win 10 Vulnerability found in Windows 10 All Editions (x86 x64)
Author- BHABESH KUMAR DAS
Linkedin profile- wakeupbkd2503
Tested on- VMWare Player 14
HOW TO REPRODUCE –
- Start the machine by Power On/Off or Restart the VMWare machine.
- Forcefully power off using the power on/off button, or restart the VMware machine again.
- Wait for automatic repair or recovery mode.
- The machine redirects to repair or recovery mode.
- Click on “Advanced options”.
- Hold the “Shift” key and restart the machine. It takes less time to reach repair or recovery mode.
- Click on “Troubleshoot”.
- Click on “Advanced options”.
- Click on “Command Prompt”.
- Once Command Prompt has opened, type “notepad.exe” to open the Notepad application with its graphical interface.
- Type “notepad.exe” at the command prompt.
- The graphical “notepad.exe” opens.
- Go to the “File” tab and open the file location, or press Ctrl + O (shortcut keys). After this step you can directly access or use the partition files.
- Go to “C” drive.
- Open the “Windows” folder.
- Go to the “System32” folder.
- Change the file type to “All Files”.
- Paste here in the “System32” folder.
- Refresh to see the pasted “cmd.exe-copy” file.
- Here is that copied file.
- Change the “sethc” file name to “sethc2” as a backup file.
- Change the “cmd” file name to “sethc”.
- All completed; now it is time to restart the machine.
- Close all windows and restart the machine.
- Restarting the machine.
- Press “shift” button 7 times to open “Command Prompt”.
- Type “net user” to check users.
- Type “net user /add BHABESH Bkd25!@#$”.
  Example: “net user /add <username> <userpassword>”
- Type “net user” to check whether the user was created.
- After creating the user, type “net localgroup administrators BHABESH /add” to give the user admin access permission.
- Type “net user” to confirm the user creation.
- Restart the machine.
- The new user is shown on the logon screen; click on the newly created user (BHABESH) and enter the password.
- Successfully logged in as the new admin user, and a welcome message is shown.
See, it’s Windows 10 Pro.
Both users now have admin access, but you can change the account type of the previously created user.
Go to Control Panel settings > User Accounts > User Accounts > Change your account type > Admin > Standard > Change account type.
Here I’m changing the account type of the previous admin user account to standard user. Also change all access to deny for the previous main user account.
Now the previous account is only a normal account type with limited access; it can also be deleted.
Now my created account is an administrator and the other one is a standard account.
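A defender-side check for the file swap and account creation walked through above, added here as an example (it is not part of the original post). It flags logon-screen accessibility binaries in System32 whose hash equals that of a command shell, reports leftover sethc-named files such as the “sethc2” backup, and lists local Administrators members for review. The target names other than sethc.exe and the list of shells are assumptions.

```powershell
# Added example: detect the accessibility-binary swap described in the steps above.
# Run from an elevated PowerShell prompt on the machine being checked.
$sys32 = Join-Path $env:SystemRoot 'System32'

# Binaries reachable from the logon screen. sethc.exe is the one named on this
# page; the others are an assumption covering the "magnifier/etc" variants.
$targets = 'sethc.exe', 'utilman.exe', 'osk.exe', 'magnify.exe', 'narrator.exe'

# Shells that could be copied over a target (assumed list).
$shells = @(
    (Join-Path $sys32 'cmd.exe'),
    (Join-Path $sys32 'WindowsPowerShell\v1.0\powershell.exe')
) | Where-Object { Test-Path $_ }

# Map SHA-256 of each shell to its path for quick lookup.
$shellHashes = @{}
foreach ($s in $shells) {
    $shellHashes[(Get-FileHash -Path $s -Algorithm SHA256).Hash] = $s
}

$findings = @(foreach ($name in $targets) {
    $path = Join-Path $sys32 $name
    if (-not (Test-Path $path)) {
        [pscustomobject]@{ File = $path; Issue = 'missing' }
        continue
    }
    $hash = (Get-FileHash -Path $path -Algorithm SHA256).Hash
    if ($shellHashes.ContainsKey($hash)) {
        [pscustomobject]@{ File = $path; Issue = "identical to $($shellHashes[$hash])" }
    }
})

# A renamed original (for example sethc2) left next to the replaced file.
$findings += @(Get-ChildItem -Path $sys32 -Filter 'sethc*' -File |
    Where-Object { $_.Name -ne 'sethc.exe' } |
    ForEach-Object {
        [pscustomobject]@{ File = $_.FullName; Issue = 'unexpected sethc-named file (possible backup)' }
    })

if ($findings.Count) { $findings | Format-Table -AutoSize -Wrap }
else { 'No swapped accessibility binaries found.' }

# S-1-5-32-544 is the built-in Administrators group, independent of OS language.
'Local Administrators members (review for unexpected accounts):'
Get-LocalGroupMember -SID 'S-1-5-32-544' | Select-Object Name, ObjectClass, PrincipalSource
```

A hash match only catches a copy of a shell that is present on the same system; a target replaced with some other binary needs comparison against a known-good baseline.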
CONVERSATION BETWEEN MICROSOFT & ME (BKD) VIA GMAIL
REPORT TO MICROSOFT COMPANY: Critical Issue, Authentication Bypass, Root/Admin Privilege on Windows 10 Latest All Edition.
Inbox Mail(BHABESH KUMAR DAS)
Microsoft Security Response Center
1:45 AM (8 hours ago)
Thank you for contacting the Microsoft Security Response Center (MSRC). In general, MSRC does not consider issues that require physical access to be exploited as security vulnerabilities (immutable law #3 in the link below). If the issue allows for direct code execution bypassing the logon screen of a locked computer we may consider that a security vulnerability on a case-by-case basis. In addition, if the PoC requires elevated privileges to trigger, such as needing to be able to access and modify files in system32, this will not meet the bar. Further, publicly known and acknowledged reports such as modifying stickykeys/magnifier/etc to become cmd, would not meet the bar.
As such, this thread is being closed and no longer monitored.
If you believe this to be a misunderstanding of the report, submit a new email to email@example.com without a CRM number in the subject line. Please include:
- Relevant information previously provided in your initial report
- Detailed steps required to consistently reproduce the issue
- Short explanation on how an attacker could use the information to exploit another user remotely
- Proof-of-concept (POC), such as a video recording, crash reports, screenshots, or relevant code samples
For more information on what qualifies as a security vulnerability please see the following:
‘Definition of a Security Vulnerability’
“Ten Immutable Laws Of Security (Version 2.0)”
——————- Original Message ——————-
I have found a serious vulnerability in the latest version of Windows 10 Pro, downloaded from your official Microsoft website.
Using this vulnerability anyone can crack the password of, access, or create an admin account on MS Windows 8, 8.1, 10 (All Editions) without any tools or bootable USB/DVD.
Please look into this.
Please find the attached file below for POC.
BHABESH KUMAR DAS
Bhabesh Kumar Das <firstname.lastname@example.org>
8:50 AM (1 hour ago)
Thanks for your quick response.
I read your two URLs, which demonstrate that my findings are not up to the mark to meet any recognition (HoF, Swag, Bug Bounty etc.).
I raised a concern about unauthorised access to Windows with system (highest) privilege.
Do you really think it is not a security risk? In our daily life we can have access to so many Windows laptops; the owners of those laptops trust that their laptops are protected by Windows with strong encryption techniques. No one can enter without their password. But that becomes the funniest fact if any layman just goes through my PoC. If I get any Apple laptop / Unix / Linux laptop, do you think that unauthorized access with system privilege can be achieved easily? The answer is “NO.”
If it is not a security issue, then why did you update that issue with a proper security patch? I checked multiple times and found the issues got fixed.
You have Ten Immutable Laws, fine. But you should calculate the risk as well.
Sometimes it is better to be a black hat rather than a white hat.
I am going to disclose this issue publicly.
When selling any Windows product, please let the user know your ten immutable laws of security, so that they take care of their security themselves.
Have a great day.
BHABESH KUMAR DAS