Bypassing the Windows 8.1 Picture Password feature with a kernel debugger


Let me start this post by stating that the stuff described here is NOT a vulnerability. I just ported the idea of patching the function which validates the Windows logon password (the well-known msv1_0!MsvpPasswordValidate)Ā to the new, password-less login feature of Windows 8 / 8.1: Picture Password (does anyone use it at all? šŸ™‚ ).

It requires a kernel debugger, which grants full control overĀ the machine, so this is NOT a vulnerability.

The trickĀ of patching msv1_0!MsvpPasswordValidateĀ has been known at least since 2006, when Adam Boileau presented his work “Hit by a Bus: Physical Access Attacks with FirewireĀ [PDF]” duringĀ the Ruxcon 2006 conference; for a detailed explanation of how this trick works you can visitĀ the following blogpost: “Silly debugger tricks: Using KD to reset a forgotten administrator password“.

This trick of patching msv1_0!MsvpPasswordValidate in order to bypass the Windows login screen has been integrated into DMA attack tools like winlockpwn (by the very Adam Boileau), and more recently,Ā Inception.

By the way, if you are interested in attacks against these authentication schemes based on picture gestures, you can find the following links interesting:


Continue reading