A newly documented vulnerability in Windows’ Out-of-Box-Experience (OOBE) allows users to bypass security restrictions and gain full administrative access to command prompt functionality, even when Microsoft’s intended protective measures are in place.
Security researchers have identified an alternative method to exploit Windows OOBE that circumvents the well-known Shift+F10 keyboard shortcut restrictions.
The vulnerability enables users to spawn an elevated command shell with administrative privileges through the defaultuser0 account, which maintains membership in the local Administrators group during the initial setup process.
The Traditional Attack Vector
The Shift+F10 keyboard shortcut has long been recognized as a security concern within OOBE environments.
This shortcut traditionally allowed users to access an elevated command prompt during the initial Windows setup phase.
Microsoft addressed this vulnerability by enabling administrators to disable the shortcut through placement of an empty file named DisableCMDRequest.tag in the C:WindowsSetupScripts directory.
New Exploitation Method Discovered
However, researchers have now demonstrated that the protective measure proves insufficient. The newly identified attack vector utilizes the Windows+R keyboard combination to launch the Run dialog, bypassing the Shift+F10 restrictions entirely.
The exploitation process requires users to first open an accessibility tool such as Magnifier (Magnify.exe) to establish window focus.
Subsequently, pressing Windows+R spawns the Run dialog in the background. While initially invisible, users can reveal the dialog using Alt+Tab to cycle through available windows.
Once the Run dialog gains focus, attackers can type cmd.exe and press Ctrl+Shift+Enter to trigger an elevation prompt.
Accepting the User Account Control (UAC) prompt opens an elevated command prompt with full administrative privileges, operating under the defaultuser0 context.
This vulnerability presents significant security risks, particularly in corporate environments where users might exploit push-button reset functionality through Microsoft Intune Company Portal.
Malicious actors could create backdoor accounts, modify system configurations, or establish persistent access mechanisms.
Microsoft has classified this behavior as a “won’t-fix” issue, stating that OOBE operates within an administrative session by design, and leaving devices unattended during setup is equivalent to maintaining an unlocked machine.
Organizations can protect against exploitation by modifying Intune policies to hide the reset button on corporate Windows devices.
Administrators should navigate to the Microsoft Intune admin center, select Tenant administration, then Customization, and ensure the “Hide reset button on corporate Windows devices” option is enabled.
The discovery underscores the inherent security challenges of OOBE’s privileged execution context and highlights the importance of controlling user access to device reset functionality in managed environments.
AWS Security Services: 10-Point Executive Checklist - Download for Free
Source link
