Topic: Exploit allows command prompt to launch at Windows 7 login screen

Posted by javajolt (Administrator), windows10newsinfo.com


The technique has been well documented for some time, but regular users may be surprised at how easy it is to compromise a machine you have brief physical access to. An article published by Carnal0wnage describes replacing "Sticky Keys" on the Windows 7 login screen with the command prompt executable, which lets anyone at the keyboard do essentially whatever they want.
 
It's as simple as briefly gaining access to an elevated command prompt on the workstation and running the following command:

    REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe" /v Debugger /t REG_SZ /d "C:\windows\system32\cmd.exe"
After that, the user can return to the workstation at a later time, press the SHIFT key five times at the login screen (which normally invokes Sticky Keys), and a command prompt running with SYSTEM privileges appears instead. From there you can launch any process, even Explorer, and do anything you like, as if you were logged on.
 
The technique is currently unpatched and works on both Windows 7 and Windows Server 2008 R2. Once the key is in place, the same trick can be triggered over an RDP session, since the remote login screen honors the Sticky Keys shortcut too. The hack is virtually undetectable aside from the registry value itself: the command registers cmd.exe as the "debugger" for sethc.exe under Image File Execution Options, so Windows launches cmd.exe in its place, and because the login screen starts sethc.exe in the SYSTEM context (before anyone has authenticated), the prompt runs at the system level while the machine is locked.
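Since the registry value is the only artifact this variant leaves behind, the natural check is to audit the Image File Execution Options key. The following script is an added example and not part of the original post or the Carnal0wnage write-up: it parses the text that `reg export` produces for that key and flags any subkey carrying a Debugger value, treating a debugger on sethc.exe or one of its sibling logon-screen accessibility binaries (utilman.exe, osk.exe, narrator.exe, magnify.exe, displayswitch.exe, atbroker.exe; that list is my generalization beyond the sethc.exe case the article covers) as a definite hijack and any other entry as something to review. The sample export embedded below is constructed for the demonstration.

```python
r"""Offline triage of Image File Execution Options (IFEO) for hijacked accessibility tools.

Added example, not from the original post. It parses the output of
    reg export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options" ifeo.reg
and reports every subkey whose "Debugger" value redirects an image to another
program. The sample export below is constructed for the demonstration.
"""
import re
import sys

IFEO_PREFIX = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT"
               r"\CurrentVersion\Image File Execution Options")

# Binaries the login screen can launch before authentication (assumed list,
# generalized from the sethc.exe case). A Debugger on any of them yields a
# SYSTEM shell at the lock screen exactly like the Sticky Keys trick.
ACCESSIBILITY_IMAGES = {
    "sethc.exe", "utilman.exe", "osk.exe", "narrator.exe",
    "magnify.exe", "displayswitch.exe", "atbroker.exe",
}

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]\s*$")
STRING_VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<data>.*)"\s*$')

# Constructed sample: one hijacked accessibility tool, one debugger entry on an
# unrelated program, and an IFEO subkey that carries no Debugger at all.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe]
"Debugger"="C:\\windows\\system32\\cmd.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"Debugger"="C:\\Tools\\notepad++.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DllNXOptions]
"mscorsn.dll"=dword:00000001
'''


def unescape_reg_string(data):
    """Undo .reg escaping: a backslash in the file escapes the following character."""
    return re.sub(r"\\(.)", r"\1", data)


def parse_ifeo_export(text):
    """Map each direct IFEO subkey (e.g. 'sethc.exe') to its REG_SZ values, lower-cased."""
    entries = {}
    current = None
    for line in text.splitlines():
        key_match = KEY_RE.match(line)
        if key_match:
            key = key_match.group("key")
            if key.lower().startswith(IFEO_PREFIX.lower() + "\\"):
                sub = key[len(IFEO_PREFIX) + 1:]
                # Only top-level image keys matter here; nested keys hold other settings.
                current = sub.lower() if "\\" not in sub else None
                if current is not None:
                    entries.setdefault(current, {})
            else:
                current = None
            continue
        if current is None:
            continue
        value_match = STRING_VALUE_RE.match(line)
        if value_match:
            name = value_match.group("name").lower()
            entries[current][name] = unescape_reg_string(value_match.group("data"))
    return entries


def find_debugger_hijacks(text):
    """Return one finding per IFEO subkey that carries a Debugger value."""
    findings = []
    for image, values in parse_ifeo_export(text).items():
        debugger = values.get("debugger")
        if debugger is None:
            continue
        findings.append({
            "image": image,
            "debugger": debugger,
            # A debugger on a login-screen accessibility tool is a hijack;
            # other entries may be legitimate developer tooling and need review.
            "accessibility_tool": image in ACCESSIBILITY_IMAGES,
        })
    return findings


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # reg export writes UTF-16LE with a BOM; decode accordingly.
        with open(sys.argv[1], encoding="utf-16") as fh:
            export_text = fh.read()
    else:
        export_text = SAMPLE_EXPORT
    for finding in find_debugger_hijacks(export_text):
        verdict = "HIJACK" if finding["accessibility_tool"] else "review"
        print(f"{verdict:7} {finding['image']:18} -> {finding['debugger']}")
```

Run the `reg export` command from an elevated prompt, then `python ifeo_audit.py ifeo.reg`; with no argument the script runs against the built-in sample and reports sethc.exe as HIJACK and notepad.exe as review. Remediation is `reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe" /v Debugger /f`. Note that the older Live CD variant mentioned below swaps the file itself rather than the registry, so this check will not see it; for that, compare the hash or Authenticode signature of sethc.exe in System32 against a known-good copy.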



It may seem like a trivial hack, but it has wide security implications if left unpatched. A disgruntled employee could plant this on an enterprise workstation and come back later to copy files or destroy data from the login screen, even after their account has been deactivated. It's worth noting that if the user previously disabled the Sticky Keys shortcut on their workstation, the hack will not work.
 
A previous technique involved replacing Utility Manager using a Live CD, but this one needs only about 10 seconds in front of the machine to put in place. Microsoft has yet to comment, but we'll be reaching out to see whether they plan to patch this soon.
 
Update: The same hack works on the Windows 8 Consumer Preview at the time of writing.
« Last Edit: May 30, 2012, 05:11:41 AM by javajolt »