Python console available on lock screen via log viewer

Critical
feerrenrut published GHSA-585m-rpvv-93qg Oct 3, 2022

Software

nvda

Affected versions

<2022.2.3

Patched versions

2022.2.4

Description

Summary

This affects Windows 10 and 11.
It was possible to access the NVDA python console from the lockscreen.
This exploit could only occur from the lock screen, not the secure sign-in screen where your password is entered.

NV Access strongly recommends disabling the lock screen.
Instructions to do this can be found in the workarounds section.

Patch commit(s)

https://github.com/nvaccess/nvda-ghsa-585m-rpvv-93qg/commit/428622f954cce8018a08992d3dec5688ea316015

Limitations

The lock screen must be enabled.
This is the default in Windows.
Refer to workarounds section for disabling the lock screen.

Technical details

NVDA 2021.3.2 (#13328) marked the "report dev info" script (NVDA+f1, which opens the log viewer) as safe to run on the lock screen.
This was done on the assumption that the log viewer would never be shown on the lock screen.

Proof of concept

  1. Run NVDA while logged in to Windows
  2. Activate the speech viewer.
  3. Lock the machine with Windows+L
  4. alt+tab to the speech viewer.
  5. Press NVDA+f1 to bring up the log viewer.
  6. Press control+s.
  7. The Save As dialog should appear.
  8. Find nvda.exe, bring up the context menu, and select Open.
  9. NVDA restarts.
  10. Press NVDA+n, and activate the speech viewer.
  11. alt+tab back into the speech viewer.
  12. Open the NVDA menu.
  13. Open the Python console.

Indicators of compromise

Unknown

Workarounds

On NVDA versions before 2022.2.4, you can prevent this issue by disabling the Windows lock screen. With the lock screen disabled, locking the computer goes straight to the secure sign-in screen. To do this:

Using Windows Home

  1. Open the run dialog with Windows+R
  2. Enter and run: regedit (may require administrative access)
  3. Navigate to Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Personalization:
    • "Personalization" may need to be created as a folder in "Windows".
  4. Open the context menu with shift+f10 on the “Personalization” folder.
  5. Create a new DWORD (32-bit) value from the menu.
    • Set the name to NoLockScreen
    • Set the value data to 1

Using Windows Professional

  1. Open the run dialog with Windows+R
  2. Enter and run: gpedit.msc (may require administrative access)
  3. Using the “Local Group Policy Editor” window
    • Navigate to Local Computer Policy, Computer Configuration, Administrative Templates, Control Panel, Personalization, Do Not Display the Lock Screen
    • Enable "Do Not Display the Lock Screen"
  4. Confirm with Windows+L that the lock screen is skipped and Windows goes directly to the secure sign-on screen.
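The registry workaround above, as an added PowerShell example that is not part of this advisory or NV Access's code: it reports whether NoLockScreen is set and, with -Apply, creates the Personalization key and writes the DWORD exactly as the Windows Home steps do. The path and value name come from the advisory; the "Do Not Display the Lock Screen" policy in the Professional steps writes the same value, so the check covers both routes. It assumes an elevated PowerShell session.

```powershell
# Added example, not part of the NVDA advisory or NV Access's code.
# Audits (and with -Apply, applies) the NoLockScreen workaround: the registry
# path and value name below are the ones the advisory's Windows Home steps use.
# Run from an elevated PowerShell session; writing to HKLM needs admin rights.
param([switch]$Apply)

$PolicyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Personalization'
$ValueName  = 'NoLockScreen'

function Test-LockScreenDisabled {
    # $true only when the DWORD exists and equals 1; a missing key, a missing
    # value, or any other value leaves the lock screen enabled (Windows default).
    $props = Get-ItemProperty -Path $PolicyPath -Name $ValueName -ErrorAction SilentlyContinue
    return ($null -ne $props -and [int]$props.$ValueName -eq 1)
}

function Disable-LockScreen {
    # Step 3 of the Home workaround: the Personalization key may not exist yet.
    if (-not (Test-Path -Path $PolicyPath)) {
        New-Item -Path $PolicyPath -Force | Out-Null
    }
    # Step 5: DWORD (32-bit) NoLockScreen = 1. -Force overwrites a stale value.
    New-ItemProperty -Path $PolicyPath -Name $ValueName -PropertyType DWord -Value 1 -Force | Out-Null
}

if (Test-LockScreenDisabled) {
    Write-Output "NoLockScreen=1 is set: Windows+L goes straight to the secure sign-in screen."
}
elseif ($Apply) {
    Disable-LockScreen
    if (Test-LockScreenDisabled) {
        Write-Output "NoLockScreen set to 1. Confirm with Windows+L that the lock screen is skipped."
    }
    else {
        Write-Error "Failed to write $ValueName under $PolicyPath (is this session elevated?)"
    }
}
else {
    Write-Output "Lock screen is enabled (Windows default). NVDA versions before 2022.2.4 are exposed; re-run with -Apply to set NoLockScreen=1."
}
```

Without -Apply the script only reads the key, so it can be run as a quick audit on machines where NVDA cannot yet be updated to 2022.2.4.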

Timeline

  • Reported mid-September.
  • Fix released in 2022.2.4 on September 29th.

For more information

If you have any questions or comments about this advisory:

CVSS v3 base metrics

Attack vector: Local
Attack complexity: Low
Privileges required: None
User interaction: None
Scope: Changed
Confidentiality: High
Integrity: High
Availability: High

CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

CVE ID

No known CVE

Weaknesses

No CWEs