Critical security flaw in JAWS

I have found a critical security flaw in the JAWS screen reader that allows an attacker to gain full system-level access to the machine. I have tested this on 32-bit Windows Vista with JAWS 10.0.1154 and 32-bit Windows 7 with JAWS 11.0.611 Beta.

Instructions:

1. From the Windows logon screen with JAWS running, press insert+f2. Run JAWS Manager will appear.
2. Select Settings Packager, and press ok. Settings Packager will open.
3. From Settings Packager, go to File menu > Open, or press ctrl+o.
4. In the open dialog, type “%windir%\system32\*.exe” into the file name field (without the quotes) and press enter.
5. In the list of files, find cmd. Right click on it, or press the applications key and select Run as Administrator.
A system-level command prompt should open. To get out of it, type exit and press enter, then close the Settings Packager.

Update: audio demonstration available here.
 

Contact information:
Tyler Spivey
Email: tspivey@pcdesk.net, PGP key: 0x048C58A4
Twitter: tspivey
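
A detection-side view of the behaviour described above, as an added example that is not part of the original post: it scans Sysmon-style process-creation records (Event ID 1 field names) for an interactive shell running as SYSTEM outside session 0 and reports its parent chain. The records, GUIDs and `ExampleScreenReader` paths are constructed for illustration, and the assumption that the screen reader's parent is winlogon.exe is made only for the sample data.

```python
import ntpath

SYSTEM_USER = "NT AUTHORITY\\SYSTEM"
SHELLS = {"cmd.exe", "powershell.exe"}


def ev(guid, parent, image, user, session):
    """Build one process-creation record using Sysmon Event ID 1 field names."""
    return {"ProcessGuid": guid, "ParentProcessGuid": parent, "Image": image,
            "User": user, "TerminalSessionId": session}


# Constructed sample records; paths under ExampleScreenReader are hypothetical.
EVENTS = [
    ev("G1", "G0", r"C:\Windows\System32\winlogon.exe", SYSTEM_USER, 1),
    ev("G2", "G1", r"C:\Program Files\ExampleScreenReader\screenreader.exe", SYSTEM_USER, 1),
    ev("G3", "G2", r"C:\Program Files\ExampleScreenReader\packager.exe", SYSTEM_USER, 1),
    ev("G4", "G3", r"C:\Windows\System32\cmd.exe", SYSTEM_USER, 1),   # should be flagged
    ev("G5", "G9", r"C:\Windows\System32\cmd.exe", SYSTEM_USER, 0),   # service session
    ev("G6", "G8", r"C:\Windows\System32\cmd.exe", r"DESKTOP\alice", 1),  # normal user
]


def ancestry(event, by_guid):
    """Return image basenames from the process up through every known parent."""
    chain, seen = [], set()
    while event and event["ProcessGuid"] not in seen:  # guard against GUID loops
        seen.add(event["ProcessGuid"])
        chain.append(ntpath.basename(event["Image"]).lower())
        event = by_guid.get(event["ParentProcessGuid"])
    return chain


def find_system_shells(events):
    """Flag shells running as SYSTEM in an interactive session (session > 0)."""
    by_guid = {e["ProcessGuid"]: e for e in events}
    hits = []
    for e in events:
        name = ntpath.basename(e["Image"]).lower()
        if (e["User"].upper() == SYSTEM_USER and name in SHELLS
                and int(e["TerminalSessionId"]) > 0):
            hits.append({"guid": e["ProcessGuid"], "chain": ancestry(e, by_guid)})
    return hits


if __name__ == "__main__":
    for hit in find_system_shells(EVENTS):
        print(hit["guid"], " <- ".join(hit["chain"]))
```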


6 Responses to “Critical security flaw in JAWS”

  1. Pranav Lal Says:

    A more responsible way to report such a flaw is to contact the manufacturer. All the same, many thanks for the notification. Does this also apply if the user is running JAWS in an account without administrator privileges?

  2. Tyler Spivey Says:

    @Pranav Lal
    Yes. It gives system-level access, which is higher than administrator, since the secure desktops and Windows logon screens are running as system. From there, you can use net localgroup to add your regular user account to the administrators group or do whatever you want.

  3. Travis Says:

    Since this is using the Windows standard open dialog (common dialog/control) this could easily be as much a Microsoft problem as a JAWS problem. The “Run as Administrator” should be asking for an admin password at all times in my opinion. Especially if the user isn’t logged in.

  4. Ricky Goines Says:

    I believe Microsoft should be the company to address this problem. Think I’ll get a Mac. Lol!

  5. serrebi Says:

    I’m glad you did the right thing and posted this for all to see.

  6. JAWS security flaw, round 2 « Tyler Spivey’s blog Says:

    […] Tyler Spivey’s blog Tyler Spivey’s Accessible Unix blog « Critical security flaw in JAWS […]
