Bypassing the Windows 8.1 Picture Password feature with a kernel debugger


Let me start this post by stating that the stuff described here is NOT a vulnerability. I just ported the idea of patching the function which validates the Windows logon password (the well-known msv1_0!MsvpPasswordValidate)┬áto the new, password-less login feature of Windows 8 / 8.1: Picture Password (does anyone use it at all? ­čÖé ).

It requires a kernel debugger, which grants full control over the machine, so this is NOT a vulnerability.

The trick┬áof patching msv1_0!MsvpPasswordValidate┬áhas been known at least since 2006, when Adam Boileau presented his work “Hit by a Bus: Physical Access Attacks with Firewire┬á[PDF]” during┬áthe Ruxcon 2006 conference; for a detailed explanation of how this trick works you can visit┬áthe following blogpost: “Silly debugger tricks: Using KD to reset a forgotten administrator password“.

This trick of patching msv1_0!MsvpPasswordValidate in order to bypass the Windows login screen has been integrated into DMA attack tools like winlockpwn (by the very Adam Boileau), and more recently, Inception.

By the way, if you are interested in attacks against these authentication schemes based on picture gestures, you can find the following links interesting:


Continue reading