This message was sent to Microsoft (secure@microsoft.com)
L.S.,
I will try to describe a problem I found in the Dutch Windows Vista Business with SP1 on an HP Compaq 6820s.
If the power button is configured to shut down the system when pressed, AND a screensaver is active (one of the default screensavers), AND the screensaver is password protected, AND a document is open and changed, then the following will occur:
After pressing the power button, the user comes into Windows, and the application (can be Word) asks to save the document. If the user answers “Cancel”, the shutdown sequence is aborted and the user has full access to the system as if he had typed in a password after coming out of the screensaver.
- Type of issue (buffer overflow, SQL injection, cross-site scripting, etc.)
Security leak (local break in)
- Product and version that contains the bug
Found and tested on Windows Vista Business (Dutch) with SP1
- Service packs, security updates, or other updates for the product you have installed
- Any special configuration required to reproduce the issue
Screensaver
Power button
- Step-by-step instructions to reproduce the issue on a fresh install
- Set screensaver and power options as above (unfortunately in Dutch)
- Open a document (Notepad, Word, UltraEdit, Excel). In fact it does not matter which application is used, as long as the application sees that a document or file is changed and needs to be saved.
- Wait until screensaver is active
- Press the power button
- When the dialog appears with the question to save the document, press Cancel and you have access to Vista.
- OR press Ctrl-Alt-Del and do whatever you want!
- Proof-of-concept or exploit code
n/a
- Impact of the issue, including how an attacker could exploit the issue.
The impact is huge! As an IT professional with lots of user rights etc., it is most important to lock the computer when walking away from the workplace. In this way any user can gain access to resources and systems they are not authorized to access!