Reminds me of this classic Windows 98 (I believe) login screen bypass. https://i.imgur.com/rG0p0b2.gif
Microsoft's fix seems to have only fixed the sticky-keys dialog [1], apparently by just removing the link to the settings when you are in a lockscreen. So if you manage to find another way to launch the settings from a lockscreen, everything else should still work as described.

1: https://msrc.microsoft.com/update-guide/en-us/vulnerability/CVE-2020-1398
Related: yesterday's post by jwz, "I told you so, 2021 edition" [1], which discusses security bypasses in Linux screensavers.

[1] https://news.ycombinator.com/item?id=25801693
I really wish there was video of the entire process start to finish.

This part in particular seems like it would be incredibly amusing right before the account gets added:

> It is easy to see when the loop is running because the Narrator will move its focus box and say “access denied” every second.

This truly is Hollywood style hacking made real.
This is not a BitLocker bypass. It's a Windows login screen bypass. The BitLocker login is before Windows ever boots. This describes a system where the user has ALREADY bypassed the BitLocker login and has advanced on to the Windows login screen.
What does this have to do with BitLocker?

EDIT: I get it now, it plays a small part in the exploit chain because it doesn't correctly verify what it sets permissions on when automounting USB drives.
BTW: You can disable the "I forgot my password" thing completely on the login screen by setting this registry key to 0:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI\NgcPin
I wonder if this was left on purpose for law enforcement or corporate spies and if there are more vulnerabilities like this. Seems like it's better to just stay with good old TC.
Reminds me of how hard it is to write a screensaver, by jwz: https://www.jwz.org/blog/2015/04/i-told-you-so-again/ (and follow the links)
There are so many gotchas in computer security. Isn't there a way to verify that a simple algorithm can have only prespecified valid final states (aka {authenticated && allowed login}, {not authenticated && disallowed login})?
I have only encountered BitLocker on military computers. There BitLocker login occurs before Windows boots, like at the BIOS key entry, and has no options for forgot password.
> If the application has a manifest, then any .local files are ignored.

I suppose this does not hold true for the .local folder named that, apparently? I had not seen it documented before that it looks in that specially crafted DLL subfolder (presumably using information from the manifest) to load a DLL that is specified in one.