The method allows an attacker to gain unauthorized access to a user’s Windows session if he has physical access to a locked machine.
When a user leaves his computer (ex. during a lunch break), he should lock his session in order to prevent other people from doing actions on his behalf.
Some computers, mostly in corporate environments, are configured to play a flash animation as screensaver while the computer is locked. This configuration is done by specifying the path to a .scr file – which is actually a renamed executable obtained by compiling a swf. The following registry key specifies the path to this executable:
Bypassing the Lock screen
When the flash screensaver is running (played by Adobe Flash Player – which must already be installed on the system), the Windows Lock screen can be bypassed by following these three steps:
Step 1: Right click anywhere on the screen (without moving the mouse)
Step 2: Click on “Global Settings” -> “Advanced” -> “Trusted Location Settings” –> “Add” –> “Add File”
This will open a menu for choosing files.
Step 3: Right click on any folder -> “Open in new window”
Now you have a fully functional Explorer window running as the current user.
You can browse through the user’s files or open executables like:
C:\Program Files\Microsoft Office\Office15\OUTLOOK.EXE or C:\WINDOWS\System32\cmd.exe
How to remediate
The only method (that we know of) which remediates this vulnerability is to modify the code of the swf file in order to disable the whole right-click context menu. The method is described here and requires Adobe Flash Player 11.2 or higher.
Starting the swf with the parameter menu=false won’t remediate the problem because this leaves the “Global Settings” menu still enabled.
If the source code of the swf file cannot be modified, we believe that the flash screensaver should be disabled completely.
We showed a method of bypassing the Windows Lock screen authentication via the flash screensaver. This allows an attacker to gain access to a computer with the full rights of the currently logged on user – without affecting the actual state of the Windows session (no closed programs, no reboot).
This bypass method can be used in social engineering attacks when the attacker has physical access to locked computers from a target company.