Let me start this post by stating that the stuff described here is NOT a vulnerability. I just ported the idea of patching the function which validates the Windows logon password (the well-known msv1_0!MsvpPasswordValidate) to the new, password-less login feature of Windows 8 / 8.1: Picture Password (does anyone use it at all? 🙂 ).
It requires a kernel debugger, which grants full control over the machine, so this is NOT a vulnerability.
The trick of patching msv1_0!MsvpPasswordValidate has been known at least since 2006, when Adam Boileau presented his work “Hit by a Bus: Physical Access Attacks with Firewire [PDF]” at the Ruxcon 2006 conference; for a detailed explanation of how this trick works you can read the following blog post: “Silly debugger tricks: Using KD to reset a forgotten administrator password”.
This trick of patching msv1_0!MsvpPasswordValidate in order to bypass the Windows login screen has been integrated into DMA attack tools such as winlockpwn (by Adam Boileau himself) and, more recently, Inception.
By the way, if you are interested in attacks against these authentication schemes based on picture gestures, you may find the following links interesting:
- “On the Security of Picture Gesture Authentication”, presented at Usenix Security 2013.
- “Windows Picture Passwords – are they really as ‘easily crackable’ as everyone’s saying?”, blog post from Sophos.