Hitting SHIFT+F10 during Windows 10 upgrade is enough to elevate the user to SYSTEM

A really dumb (but serious) Windows 10 vulnerability


On Mikko Hypponen’s twitter account i’ve read this twit:

The linked article on Sami Laiho’s website exposes a vulnerability as simple as serious: if you hit SHIFT+F10 during Windows upgrade process you can obtain a command prompt with SYSTEM privileges.

The installation of a new build is done by reimaging the machine and the image installed by a small version of Windows called Windows PE (Preinstallation Environment). This has a feature for troubleshooting that allows you to press SHIFT+F10 to get a Command Prompt. This sadly allows for access to the hard disk as during the upgrade Microsoft disables BitLocker.

In the original article Sami has also published a video demonstration of the vulnerability, and closes with:

The real issue here is the Elevation of Privilege that takes a non-admin to SYSTEM (the root of Windows) even on a BitLocker (Microsoft’s hard disk encryption) protected machine. And of course that this doesn’t require any external hardware or additional software. It’s just a crazy bug I would say 🙁

References

http://blog.win-fu.com/2016/11/every-windows-10-in-place-upgrade-is.html

Comments