Capturing Passwords into the Secure Desktop
Date: August 2014
Publication: Passwords14 Las Vegas
Source: Currently no known Internet copy of paper.
Abstract or Summary:
The Secure Desktop is a feature of Windows API that creates a separated desktop to run programs/processes and this way not allowing processes and programs running in other desktops to capture keystrokes or screen in this desktop. The Secure Desktopís primary difference from the User Desktop is that only trusted processes running as SYSTEM are allowed to run here (i.e. nothing running as the Userís privilege level) and the path to get to the Secure Desktop from the User Desktop must also be trusted through the entire chain. Because of the main feature provided by Secure Desktop some password protector softwares like Password1 and Keepass are developed using the secure desktop feature to unlock the password vault trying avoid malwares to capture the Master Password.
But like every feature, if isn't well implemented it can provide a fake security sensation and even if the application is running in a secure desktop, using some tricks an attacker is able to "escape the sandbox" provided by secure desktop and run remote programs/processes in the secure desktop of those application that will lead an attacker to interact with the user input and capture what is typed.
The main goal of this talk is present some real world examples that uses secure desktop and show how to sniff the keystrokes or capture screen in the secured desktops bypassing the main feature of windows secure desktop utilizing a tool developed by us. Also, the attacking scenario is any application that utilizes the Desktop objects from the Windows API to generate another desktop for executing itself running under any Windows OS, to protect against keyloggers.
PasswordResearch.com Note: Video of presentation: https://www.youtube.com/watch?v=pEHrwR7WyyA