
Python Console from the lockscreen and object navigation to escape the lockscreen

Critical
feerrenrut published GHSA-rmq3-vvhq-gp32 Aug 18, 2022

Software

nvda

Affected versions

<2022.2.1

Patched versions

2022.2.1

Description

Summary

This affects Windows 10 and 11.
It was possible to use NVDA's object navigation to read content on the desktop from the lockscreen.
It was also possible to run the NVDA python console from the lockscreen.
These exploits could only occur from the lock screen, not the secure sign-in screen where your password is entered.

NV Access strongly recommends disabling the lock screen.
Instructions to do this can be found in the workarounds section.

The advisory is being made public before the patch is available to install. The rationale for this decision:

  • The changes required to address this security issue have the potential for regressions that would leave users unable to unlock or gain access to their system. The patch will therefore go through an alpha testing phase before being included in a public release.
  • A complete and easy to implement workaround exists: disabling the lock screen.

Patch commit(s)

Merged to 2022.2 rc: d4de238

Limitations

Lockscreen must be enabled. This is the default in Windows.

Technical details

The lock screen (LockApp.exe) is not a secure screen; it is the screen shown before the sign-in screen.
When a user is already logged in and locks the screen, the lock screen runs under that user's profile.
Windows still allows object navigation and access to the desktop in this state, therefore NVDA itself must detect that the lock screen is active.

Microsoft's documentation for LockWorkStation states:

"There is no function you can call to determine whether the workstation is locked. To receive notification when the user logs in, use the WTSRegisterSessionNotification function to receive WM_WTSSESSION_CHANGE messages. You can use session notifications to track the desktop state so you know whether it is possible to interact with the user."

https://docs.microsoft.com/en-us/windows/win32/api/winuser/nf-winuser-lockworkstation

In NVDA 2022.2 and prior, NVDA detected the lock screen based on whether LockApp.exe was the foreground process.
Unfortunately this is unreliable, as other processes can take the foreground while the lock screen is still active.
Instead, NVDA should track the desktop state via session notifications (WM_WTSSESSION_CHANGE).

In some cases, NVDA would process objects from behind the lock screen.
This leaked information via speech/braille.
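The paragraph above contrasts the foreground-process heuristic with session-notification tracking. The following added example (not NVDA's code) replays a constructed sequence of events through both approaches so the difference is visible: a state tracker fed the wParam of WM_WTSSESSION_CHANGE messages stays locked while a helper application sits in front of LockApp.exe, whereas the foreground check reports "not locked". The Windows constants are real API values; the event stream, process names and the assumption that the host application has already called WTSRegisterSessionNotification and forwards messages to the tracker are this example's own.

```python
"""Session lock tracking from WM_WTSSESSION_CHANGE versus a foreground check.

Added example, not NVDA's code. Assumes the host application registered a
window with WTSRegisterSessionNotification(hwnd, NOTIFY_FOR_THIS_SESSION)
and forwards every message's (msg, wParam) pair to SessionLockTracker.
"""
from typing import List, Tuple

# Windows API values (winuser.h / wtsapi32.h).
WM_WTSSESSION_CHANGE = 0x02B1
WTS_SESSION_LOCK = 0x7
WTS_SESSION_UNLOCK = 0x8
NOTIFY_FOR_THIS_SESSION = 0

LOCKAPP_PROCESS = "LockApp.exe"


class SessionLockTracker:
    """Remembers the last lock/unlock reason code delivered by Windows."""

    def __init__(self) -> None:
        # Nothing is known until a notification arrives; treat as unlocked,
        # matching the state at the moment a user session starts.
        self.locked = False

    def on_message(self, msg: int, wparam: int) -> bool:
        """Consume one window message; return True if it changed the state."""
        if msg != WM_WTSSESSION_CHANGE:
            return False
        if wparam == WTS_SESSION_LOCK:
            self.locked = True
            return True
        if wparam == WTS_SESSION_UNLOCK:
            self.locked = False
            return True
        return False  # logon, logoff, remote connect etc. are ignored here


def lock_screen_active_by_foreground(foreground_process: str) -> bool:
    """The pre-2022.2.1 style check: locked only while LockApp is in front."""
    return foreground_process.lower() == LOCKAPP_PROCESS.lower()


# Constructed event stream (hypothetical): ("session", reason code) is a
# WM_WTSSESSION_CHANGE delivery; ("foreground", name) is a foreground change.
SCENARIO: List[Tuple[str, object]] = [
    ("session", WTS_SESSION_LOCK),        # user presses Windows+L
    ("foreground", "LockApp.exe"),        # lock screen takes the foreground
    ("foreground", "Magnifier.exe"),      # an accessibility helper opens on top
    ("session", WTS_SESSION_UNLOCK),      # user signs back in
    ("foreground", "explorer.exe"),
]

# One row per event: (foreground process, foreground-check verdict, tracker verdict).
Decision = Tuple[str, bool, bool]


def replay(events: List[Tuple[str, object]]) -> List[Decision]:
    """Run both detection strategies over the event stream."""
    tracker = SessionLockTracker()
    foreground = "explorer.exe"
    decisions: List[Decision] = []
    for kind, value in events:
        if kind == "session":
            tracker.on_message(WM_WTSSESSION_CHANGE, int(value))
        elif kind == "foreground":
            foreground = str(value)
        decisions.append((foreground,
                          lock_screen_active_by_foreground(foreground),
                          tracker.locked))
    return decisions


def leaky_steps(decisions: List[Decision]) -> List[int]:
    """Indices where the session is locked but the foreground check says it is not.

    At these steps a foreground-based screen reader would read desktop content
    from behind the lock screen.
    """
    return [i for i, (_, by_fg, by_session) in enumerate(decisions)
            if by_session and not by_fg]


if __name__ == "__main__":
    for i, (fg, by_fg, by_session) in enumerate(replay(SCENARIO)):
        print(f"step {i}: foreground={fg:<14} foreground-check={by_fg!s:<5} "
              f"session-tracker={by_session}")
    print("leaky steps:", leaky_steps(replay(SCENARIO)))
```

Step 2 is the Magnifier case from the proof of concept: the foreground check flips back to "unlocked" while the session is still locked. Step 0 shows the same gap at the instant of locking, before LockApp.exe has become the foreground window, which is why a foreground heuristic is racy even without a second application.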

Proof of concepts

Escape the lock screen via the Exit window

  1. Press Windows+L to lock the computer
  2. Press Windows+= to start the Magnifier
  3. alt+tab to the Magnifier
  4. Press NVDA+n
  5. With object navigation, go to the "Exit" item.
  6. Press NVDA+numpadEnter to activate it; this should open the "Exit NVDA" dialog
  7. Repeat steps 3 to 6
    Note: steps 3 to 6 need to be executed twice so that the navigator object remains in the Exit window.
  8. Press NVDA+numpad8 to move the navigator object to the main Exit window level
  9. Press NVDA+6 to move to the next window and begin to explore the windows of the person who locked the workstation.

Executing commands in Python console from lockscreen

  1. Press Windows+L to lock the computer
  2. Press Windows+= to start the Magnifier
  3. alt+tab to the Magnifier
  4. Press NVDA+n
  5. With mouse, select "Tools", then "Python console"

Escape the lock screen via a Windows notification:
Steps to reproduce are unknown. It is expected that escaping via a Windows notification works the same way as the Magnifier: the notification takes over the foreground process and NVDA believes LockApp is no longer running.

Indicators of compromise

Unknown

Workarounds

You can prevent this issue when using older NVDA versions by disabling the lock screen. Disabling the Windows lock screen will cause locking the computer to go straight to the secure sign-in screen. To do this:

Using Windows Home

  1. Open the run dialog with Windows+R
  2. Enter and run: regedit (may require administrative access)
  3. Navigate to Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Personalization:
    • "Personalization" may need to be created as a folder in "Windows".
  4. Open the context menu with shift+f10 on the “Personalization” folder.
  5. Create a new DWORD (32-bit) value from the menu.
    • Set the name to NoLockScreen
    • Set the value data to 1

Using Windows Professional

  1. Open the run dialog with Windows+R
  2. Enter and run: gpedit.msc (may require administrative access)
  3. Using the “Local Group Policy Editor” window
    • Navigate to Local Computer Policy, Computer Configuration, Administrative Templates, Control Panel, Personalization, Do Not Display the Lock Screen
    • Enable "Do Not Display the Lock Screen"
  4. Confirm with Windows+L that the lock screen is skipped and Windows goes directly to the secure sign-on screen.

Timeline

  • Late July - Disclosed.
  • Early August - Patch prepared.
  • 18/8 - Patch released to alpha, for wider testing before release, advisory made public.
  • Planned release: Late August - Patch released to 2022.2.1 and 2022.3beta3

For more information

If you have any questions or comments about this advisory:

Severity

Critical


CVSS v3 base metrics

Attack vector
Local
Attack complexity
Low
Privileges required
None
User interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

CVE ID

No known CVE

Weaknesses

No CWEs

Credits