Hitting SHIFT+F10 during Windows 10 upgrade is enough to elevate the user to SYSTEM
A really dumb (but serious) Windows 10 vulnerability
On Mikko Hypponen’s twitter account i’ve read this twit:
[embed]https://twitter.com/mikko/status/803313343981350917[/embed]
The linked article on Sami Laiho’s website exposes a vulnerability as simple as serious: if you hit SHIFT+F10 during Windows upgrade process you can obtain a command prompt with SYSTEM privileges.
The installation of a new build is done by reimaging the machine and the image installed by a small version of Windows called Windows PE (Preinstallation Environment). This has a feature for troubleshooting that allows you to press SHIFT+F10 to get a Command Prompt. This sadly allows for access to the hard disk as during the upgrade Microsoft disables BitLocker.
In the original article Sami has also published a video demonstration of the vulnerability, and closes with:
The real issue here is the Elevation of Privilege that takes a non-admin to SYSTEM (the root of Windows) even on a BitLocker (Microsoft’s hard disk encryption) protected machine. And of course that this doesn’t require any external hardware or additional software. It’s just a crazy bug I would say :(
References
[embed]http://blog.win-fu.com/2016/11/every-windows-10-in-place-upgrade-is.html[/embed]