TT-CSIRT – 448.16.08.25 – Windows Out-of-Box-Experience (OOBE) Exploit

Be advised that a newly identified technique exploits the Windows Out-of-Box-Experience (OOBE) to bypass existing protections and obtain an administrative command line on Windows machines. It allows low-privileged domain users to gain local administrative access.

The technique works even when Microsoft’s recommended countermeasure, the DisableCMDRequest.tag file, is in place to block the well-known Shift + F10 keyboard shortcut, so unauthorized users can still gain elevated privileges and create backdoor accounts on corporate devices.

How the Exploit Works

The method leverages the Win + R keyboard combination to open a hidden Run dialog box during the OOBE process. To execute the exploit, a specific sequence of actions must be performed:

  1. Open an accessibility tool, such as Magnify.exe, to establish a window with proper focus.
  2. Press Win + R to launch the Run dialog box, which will remain hidden in the background.
  3. Use Alt + Tab to cycle through the open windows until the hidden Run dialog box is selected.

The critical part of this vulnerability is that the Run dialog box operates under the temporary defaultuser0 account, which is created by Windows during OOBE with full local administrator privileges.

Once the Run dialog box is active, an attacker can type cmd.exe and press Ctrl + Shift + Enter to trigger a User Account Control (UAC) prompt for elevation. After the UAC prompt is accepted, a command prompt with administrative privileges opens, allowing the attacker to make system modifications, create new user accounts, or alter security settings.

Microsoft Response

This vulnerability poses significant security risks, particularly in enterprise environments where users can initiate device resets using Microsoft Intune Company Portal.

Microsoft has not addressed this issue, taking the position that OOBE inherently runs in an administrative session and that leaving a device unattended during setup is equivalent to leaving a machine unlocked. Microsoft therefore treats it as an operational security concern rather than a software vulnerability requiring a patch.

The primary mitigation is to prevent users from reaching OOBE at all by hiding the reset button: in the Microsoft Intune admin center, go to Tenant administration > Customization and enable the Hide reset button on corporate Windows devices setting.
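As an added defensive check that is not part of this advisory, the following PowerShell script audits a Windows device for the conditions described above: whether the Shift + F10 mitigation file is present, whether the temporary defaultuser0 account has been left behind after setup, and whether any local administrator account exists outside an expected baseline (where a backdoor account created through an elevated OOBE prompt would show up). It assumes it is run elevated on the device being checked, that DisableCMDRequest.tag lives at the path Microsoft documents for that mitigation, and that the expected-administrator list is a constructed baseline you replace with your organisation's own.

```powershell
# Added OOBE hardening/backdoor-account audit (not part of the TT-CSIRT advisory).
# Assumptions: runs elevated on the device; the tag path is Microsoft's documented
# location for the Shift + F10 mitigation; $ExpectedAdmins is a constructed baseline.

$ExpectedAdmins = @('Administrator')   # constructed baseline; replace with your own list
$Findings = @()

# 1. Shift + F10 mitigation present? Its absence does not create the Win + R path
#    described in the advisory, but it means both OOBE escape routes are open.
$TagPath = Join-Path $env:WINDIR 'Setup\Scripts\DisableCMDRequest.tag'
if (-not (Test-Path -LiteralPath $TagPath)) {
    $Findings += "DisableCMDRequest.tag missing at $TagPath (Shift + F10 mitigation not applied)"
}

# 2. Temporary OOBE account still on the device? Windows normally removes it after setup.
if (Get-LocalUser -Name 'defaultuser0' -ErrorAction SilentlyContinue) {
    $Findings += "Temporary OOBE account 'defaultuser0' still exists"
}

# 3. Local Administrators members outside the baseline. A 'foreach' statement is used
#    rather than ForEach-Object so that $Findings is updated in this scope.
$Members = Get-LocalGroupMember -Group 'Administrators' |
           Where-Object { $_.ObjectClass -eq 'User' }
foreach ($Member in $Members) {
    $ShortName = ($Member.Name -split '\\')[-1]      # strip COMPUTER\ or DOMAIN\ prefix
    if ($ExpectedAdmins -notcontains $ShortName) {
        $Findings += "Unexpected local administrator: $($Member.Name) (source: $($Member.PrincipalSource))"
    }
}

# Report and return a non-zero exit code so the script can feed a compliance check.
if ($Findings.Count -eq 0) {
    Write-Output 'OK: no OOBE-related findings on this device'
    exit 0
}
$Findings | ForEach-Object { Write-Warning $_ }
exit 1
```

Run it from an elevated PowerShell session or as a scheduled compliance script; any warning it emits is a prompt to review the device's setup history, not proof of compromise, since legitimately added administrators and custom images also trigger findings.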

References