Bypassing the Windows Lock Screen

Most of us know that we should lock our computers when we step away from them. This will prevent any unauthorized users from gaining access to our files. Most companies have some sort of policy regarding this, and many even automatically lock the screen after a set amount of time with no activity. In some cases, the computers are configured to lock and display a screen saver. In these cases, it may be possible for a local attacker to bypass the lock screen.

[Adrian] explains that the screen saver is configured via a registry key. The key contains the path to a .scr file, which will be played by the Adobe Flash Player when the screen saver is activated. When the victim locks their screen and steps away from the computer, an attacker can swoop in and defeat the lock screen with a few mouse clicks.

First the attacker will right-click anywhere on the screen. This opens a small menu. The attacker can then choose the “Global settings” menu option. From there, the attacker will click on “Advanced – Trusted Location Settings – Add – Add File”. This opens up the standard Windows “Open” dialog that allows you to choose a file. All that is required at this point is to right-click on any folder and choose “Open in a new window”. This causes the folder to be opened in a normal Windows Explorer window, and from there it’s game over. This window can be used to open files and execute programs, all while the screen is still locked.

[Adrian] explains that the only remediation method he knows of is to modify the code in the .swf file to disable the right-click menu. The only other option is to completely disable the Flash screen saver. This may be the safest option since the screen saver is most likely unnecessary.

Update: Thanks [Ryan] for pointing out some mistakes in our post. This exploit specifically targets screensavers that are flash-based, compiled into a .exe file, and then renamed with the .scr extension. The OP mentions these are most often used in corporate environments. The exploit doesn’t exist in the stock screensaver.
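To act on the remediation above, an administrator first needs to know which machines run a non-stock screen saver. The following PowerShell audit is an added example, not code from the original post or from [Adrian]; the registry locations (the `SCRNSAVE.EXE` value under `Control Panel\Desktop` and its Group Policy counterpart) and the "stock" heuristic (file in System32 with a Microsoft company name) are assumptions, since the post does not name the key.

```powershell
# Added example: report which screen saver the current user is configured to run.
# Assumed locations (not named in the post): the per-user value SCRNSAVE.EXE under
# "Control Panel\Desktop" and the same value under the Group Policy key.
$stockDir = Join-Path $env:SystemRoot 'System32'

function Test-ScreenSaverPath {
    param([string]$Path)
    # No screen saver configured at this location
    if ([string]::IsNullOrWhiteSpace($Path)) { return 'None' }
    $expanded = [Environment]::ExpandEnvironmentVariables($Path.Trim('"'))
    # A bare file name is resolved against System32
    if (-not [IO.Path]::IsPathRooted($expanded)) {
        $expanded = Join-Path $stockDir $expanded
    }
    if (-not (Test-Path -LiteralPath $expanded -PathType Leaf)) { return 'Missing' }
    $file = Get-Item -LiteralPath $expanded
    # Heuristic (assumption): stock screen savers live in System32 and carry
    # a Microsoft company name in their version resource.
    $inSystem32  = $file.DirectoryName -ieq $stockDir
    $isMicrosoft = $file.VersionInfo.CompanyName -like 'Microsoft*'
    if ($inSystem32 -and $isMicrosoft) { return 'Stock' }
    # Anything else, including an .exe renamed to .scr, needs review
    return 'ThirdParty'
}

$keys = @(
    'HKCU:\Control Panel\Desktop',
    'HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop'
)

foreach ($key in $keys) {
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if ($null -eq $props) { continue }   # key not present on this machine
    [pscustomobject]@{
        Key         = $key
        ScreenSaver = $props.'SCRNSAVE.EXE'
        IsSecure    = $props.ScreenSaverIsSecure   # 1 = lock when the saver exits
        Verdict     = Test-ScreenSaverPath $props.'SCRNSAVE.EXE'
    }
}
```

A `ThirdParty` verdict does not prove the screen saver is Flash-based; it marks the machines where the file should be inspected and, per the post, disabled if it is.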

RGB Video Input Hack is a Master Hack for CRT Televisions

What’s shown on the screen above is about half-way through the process of hacking RGB video into a CRT television that’s not supposed to have it. The lettering is acting a bit like a layer mask, showing bits of the Super Mario Bros. start screen which is being injected from an original Famicom. [Michael J. Moffitt] figured out that he could patch his signals into the multiplexer which is responsible for overlaying the TV’s menu system. Obviously you can’t get your Mario on with this view, but the next step was as simple as finding the blanking pin and tying it to 5V. Brilliant.

This particular hack is worthy of recognition. But read through [Michael’s] write-up and it’s obvious that he knows the driver circuitry beyond the realm of normal curiosity. If you ever get stuck while trying to do something custom, we’d recommend pinging him with your questions (sorry [Michael] but with great knowledge comes great responsibility).


Built-in hex editor unlocks plasma TV features

[Nick] tipped us off about a guide to unlock extra features on Panasonic televisions. The hack works on the G10 models of plasma TVs and uses the service menu to gain access to the EEPROM memory. With a few quick steps you can change some data with a built-in hex editor, unlocking several new settings menus, or bricking your entertainment centerpiece. We’ve seen some Samsung TV hacking in the past and hope that with increased processing power in today’s models we’ll someday see consumer TVs available with open-source firmware so that we can integrate our favorite entertainment software.