Summary
This affects Windows 10 and 11.
It was possible to use NVDA's object navigation to read content on the desktop from the lockscreen.
It was also possible to run the NVDA python console from the lockscreen.
These exploits could only occur from the lock screen, not the secure sign-in screen where your password is entered.
NV Access strongly recommends disabling the lock screen.
Instructions to do this can be found in the workarounds section.
The advisory is being made public before the patch is available for install; the rationale for this decision is:
- The nature of the changes required to address this security issue has the potential for regressions which result in users being unable to unlock or gain access to their system. The patch will go through an alpha testing phase before being included in a public release.
- The existence of a complete, and easy to implement work-around by disabling the lock screen.
Patch commit(s)
Merged to 2022.2 rc: d4de238
Limitations
Lockscreen must be enabled. This is the default in Windows.
Technical details
The lock screen (LockApp.exe) is not a secure screen - it is the screen before the sign-in screen.
When a user is already logged in and locks the screen, the lock screen runs under that user's profile.
Windows allows object navigation and access to the desktop, therefore NVDA must detect that the lock screen is active.
There is no function you can call to determine whether the workstation is locked. To receive notification when the user logs in, use the WTSRegisterSessionNotification function to receive WM_WTSSESSION_CHANGE messages. You can use session notifications to track the desktop state so you know whether it is possible to interact with the user.
https://docs.microsoft.com/en-us/windows/win32/api/winuser/nf-winuser-lockworkstation
In NVDA 2022.2 and prior, NVDA detected the lock screen based on whether LockApp.exe was the foreground process.
Unfortunately this is unreliable, as other processes can take the foreground while the lock screen is still active.
Instead, NVDA should track the desktop state via session notifications.
In some cases, NVDA would process objects from behind the lock screen.
This leaked information via speech/braille.
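The session-notification approach described above, as an added example (this is not NVDA's code): a small tracker turns WM_WTSSESSION_CHANGE messages into a locked/unlocked state that can gate object navigation, and a Windows-only loop registers a hidden window with WTSRegisterSessionNotification and pumps messages into it. The window class name and the "initially unlocked" starting state are this example's own assumptions; as the Microsoft documentation quoted above says, there is no API to query the current lock state.

```python
"""Track whether the workstation is locked from WTS session notifications.
Added example, not NVDA's code: the tracker is pure Python so it can be unit
tested anywhere; the Windows-only loop wires it to a hidden window via ctypes.
"""
import ctypes
import sys

# Constants from winuser.h / wtsapi32.h
WM_WTSSESSION_CHANGE = 0x02B1
WTS_SESSION_LOGON = 0x5
WTS_SESSION_LOCK = 0x7
WTS_SESSION_UNLOCK = 0x8
NOTIFY_FOR_THIS_SESSION = 0


class LockStateTracker:
    """Mirror the desktop lock state as reported by WM_WTSSESSION_CHANGE."""

    def __init__(self, initially_locked=False):
        # Windows offers no query for the current lock state, so the starting
        # value is an assumption; it is corrected by the next LOCK/UNLOCK event.
        self.locked = initially_locked
        self.history = []

    def handle_message(self, msg, wparam):
        """Feed one window message; return True if the lock state changed."""
        if msg != WM_WTSSESSION_CHANGE:
            return False
        if wparam == WTS_SESSION_LOCK:
            new_state = True
        elif wparam == WTS_SESSION_UNLOCK:
            new_state = False
        else:
            return False  # logon/logoff, console/remote events: not lock events
        changed = new_state != self.locked
        self.locked = new_state
        self.history.append(wparam)
        return changed

    def may_read_desktop(self):
        """Gate for object navigation: expose desktop content only when unlocked."""
        return not self.locked


def run_windows_message_loop(tracker):
    """Windows only: register a hidden window for session notifications and pump messages."""
    if sys.platform != "win32":
        raise RuntimeError("WTSRegisterSessionNotification is a Windows API")
    c = ctypes
    user32 = c.WinDLL("user32", use_last_error=True)
    wtsapi32 = c.WinDLL("wtsapi32", use_last_error=True)
    kernel32 = c.WinDLL("kernel32", use_last_error=True)
    WNDPROC = c.WINFUNCTYPE(c.c_ssize_t, c.c_void_p, c.c_uint, c.c_size_t, c.c_ssize_t)

    class WNDCLASSW(c.Structure):
        _fields_ = [("style", c.c_uint), ("lpfnWndProc", WNDPROC),
                    ("cbClsExtra", c.c_int), ("cbWndExtra", c.c_int),
                    ("hInstance", c.c_void_p), ("hIcon", c.c_void_p),
                    ("hCursor", c.c_void_p), ("hbrBackground", c.c_void_p),
                    ("lpszMenuName", c.c_wchar_p), ("lpszClassName", c.c_wchar_p)]

    class MSG(c.Structure):
        _fields_ = [("hwnd", c.c_void_p), ("message", c.c_uint), ("wParam", c.c_size_t),
                    ("lParam", c.c_ssize_t), ("time", c.c_uint),
                    ("pt_x", c.c_long), ("pt_y", c.c_long)]

    user32.DefWindowProcW.restype = c.c_ssize_t
    user32.DefWindowProcW.argtypes = [c.c_void_p, c.c_uint, c.c_size_t, c.c_ssize_t]
    kernel32.GetModuleHandleW.restype = c.c_void_p
    kernel32.GetModuleHandleW.argtypes = [c.c_wchar_p]
    user32.RegisterClassW.argtypes = [c.POINTER(WNDCLASSW)]
    user32.CreateWindowExW.restype = c.c_void_p
    user32.CreateWindowExW.argtypes = [c.c_uint, c.c_wchar_p, c.c_wchar_p, c.c_uint,
                                       c.c_int, c.c_int, c.c_int, c.c_int,
                                       c.c_void_p, c.c_void_p, c.c_void_p, c.c_void_p]
    wtsapi32.WTSRegisterSessionNotification.argtypes = [c.c_void_p, c.c_uint]
    wtsapi32.WTSUnRegisterSessionNotification.argtypes = [c.c_void_p]
    user32.GetMessageW.argtypes = [c.POINTER(MSG), c.c_void_p, c.c_uint, c.c_uint]
    user32.DispatchMessageW.argtypes = [c.POINTER(MSG)]
    user32.DispatchMessageW.restype = c.c_ssize_t

    def wnd_proc(hwnd, msg, wparam, lparam):
        # wParam carries the WTS_* status code, lParam the session id
        if tracker.handle_message(msg, wparam):
            print("workstation locked" if tracker.locked else "workstation unlocked")
        return user32.DefWindowProcW(hwnd, msg, wparam, lparam)

    proc = WNDPROC(wnd_proc)  # kept in a local so the callback stays alive
    wc = WNDCLASSW(lpfnWndProc=proc, hInstance=kernel32.GetModuleHandleW(None),
                   lpszClassName="LockStateTrackerWindow")  # hypothetical class name
    if not user32.RegisterClassW(c.byref(wc)):
        raise c.WinError(c.get_last_error())
    hwnd = user32.CreateWindowExW(0, wc.lpszClassName, "lock tracker", 0, 0, 0, 0, 0,
                                  None, None, wc.hInstance, None)
    if not hwnd or not wtsapi32.WTSRegisterSessionNotification(hwnd, NOTIFY_FOR_THIS_SESSION):
        raise c.WinError(c.get_last_error())
    msg = MSG()
    try:
        while user32.GetMessageW(c.byref(msg), None, 0, 0) > 0:
            user32.DispatchMessageW(c.byref(msg))
    finally:
        wtsapi32.WTSUnRegisterSessionNotification(hwnd)


if __name__ == "__main__":
    run_windows_message_loop(LockStateTracker())
```

Run it on a Windows machine and press Windows+L: the loop prints "workstation locked", and unlocking prints "workstation unlocked", regardless of which process holds the foreground in between. The `may_read_desktop` gate is where an accessibility tool would consult the tracked state before speaking or brailling an object.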
Proof of concepts
Escape the lock-up screen via the Exit window
1. Press Windows+L to lock the computer.
2. Press Windows+= to start the Magnifier.
3. Press alt+tab to the Magnifier.
4. Press NVDA+n.
5. With object navigation, go to the "Exit" item.
6. Press NVDA+numpadEnter to activate it; this should open the "Exit NVDA" dialog.
7. Repeat steps 3 to 6. Note: steps 3 to 6 need to be executed twice so that the navigator object remains in the Exit window.
8. Press NVDA+numpad8 to move the navigator object to the main Exit window level.
9. Press NVDA+6 to move to the next window and begin exploring the windows of the user who locked the workstation.
Executing commands in Python console from lockscreen
1. Press Windows+L to lock the computer.
2. Press Windows+= to start the Magnifier.
3. Press alt+tab to the Magnifier.
4. Press NVDA+n.
5. With the mouse, select "Tools", then "Python console".
Escape the lock-up screen via Windows notification:
Steps to reproduce are unknown; escaping via a Windows notification is expected to use the same mechanism as the Magnifier: the notification takes over the foreground process and NVDA believes the LockApp is no longer running.
Indicators of compromise
Unknown
Workarounds
You can prevent this issue when using older NVDA versions by disabling the lock screen. Disabling the Windows lock screen will cause locking the computer to go straight to the secure sign-in screen. To do this:
Using Windows Home
- Open the Run dialog with Windows+R
- Enter and run: regedit (may require administrative access)
- Navigate to Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Personalization
- "Personalization" may need to be created as a folder in "Windows".
- Open the context menu with shift+f10 on the "Personalization" folder.
- Create a new DWORD (32-bit) value from the menu.
- Set the name to NoLockScreen
- Set the value data to 1
Using Windows Professional
- Open the Run dialog with Windows+R
- Enter and run: gpedit.msc (may require administrative access)
- In the "Local Group Policy Editor" window, navigate to Local Computer Policy, Computer Configuration, Administrative Templates, Control Panel, Personalization, Do Not Display the Lock Screen
- Enable "Do Not Display the Lock Screen"
- Confirm with Windows+L that the lock screen is skipped and Windows goes directly to the secure sign-in screen.
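A script to audit (and, with administrative rights, apply) the workaround above, added here as an example rather than NV Access tooling. It reads the NoLockScreen value with Python's winreg module; the "Do Not Display the Lock Screen" group policy writes the same value under the Policies key, so one check covers both the Home and Professional procedures. The status labels ("disabled", "absent", "misconfigured") are this example's own naming.

```python
"""Audit or apply the NoLockScreen workaround with winreg.
Added example, not NV Access tooling. The pure classification is separated
from the Windows-only registry access so it can be tested on any platform.
"""
import sys

POLICY_SUBKEY = r"SOFTWARE\Policies\Microsoft\Windows\Personalization"
VALUE_NAME = "NoLockScreen"
REG_DWORD = 4  # same as winreg.REG_DWORD, spelled out so the check runs off-Windows


def audit_value(data, value_type):
    """Classify a (data, type) pair read from the registry.

    (None, None) means the key or value does not exist. Returns "disabled" when
    the workaround is in force (REG_DWORD 1), "absent" when nothing is set, and
    "misconfigured" for any other data or type (e.g. a DWORD 0 or a REG_SZ "1").
    """
    if data is None:
        return "absent"
    if value_type == REG_DWORD and data == 1:
        return "disabled"
    return "misconfigured"


def read_policy_value():
    """Windows only: return (data, type) for NoLockScreen, or (None, None)."""
    if sys.platform != "win32":
        raise RuntimeError("the Windows registry is not available on this platform")
    import winreg
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, POLICY_SUBKEY) as key:
            return winreg.QueryValueEx(key, VALUE_NAME)  # (data, type)
    except FileNotFoundError:  # raised for a missing key or a missing value
        return None, None


def apply_workaround():
    """Windows only, needs administrative rights: create the key and set DWORD 1."""
    import winreg
    with winreg.CreateKeyEx(winreg.HKEY_LOCAL_MACHINE, POLICY_SUBKEY, 0,
                            winreg.KEY_SET_VALUE) as key:
        winreg.SetValueEx(key, VALUE_NAME, 0, winreg.REG_DWORD, 1)


if __name__ == "__main__":
    status = audit_value(*read_policy_value())
    print(f"lock screen workaround: {status}")
    if status != "disabled" and "--apply" in sys.argv:
        apply_workaround()
        print("applied; press Windows+L to confirm Windows goes straight to the secure sign-in screen")
```

Run without arguments to report the current state; run with `--apply` from an elevated prompt to set the value, then confirm with Windows+L as the advisory describes.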
Timeline
- Late July - Disclosed.
- Early August - Patch prepared.
- 18/8 - Patch released to alpha, for wider testing before release, advisory made public.
- Planned release: Late August - Patch released to 2022.2.1 and 2022.3beta3
For more information
If you have any questions or comments about this advisory: