Python console access via "forgot my PIN" reset screen

Summary

This affects Windows 10 and 11.
It was possible for an unauthenticated user to access the NVDA python console and get access to a temporary user desktop.
This exploit could only occur:

when updating/installing Windows screen (Out of Box Experience - OOBE)
on the "forgot my PIN" reset screen

These screens run on a temporary user desktop.

Patch commit

#14416

Limitations

None

Technical details

The "forgot my PIN" screen and OOBE were previously not considered security, and assumed to run on the secure desktop in secure mode. In Windows 10 and 11, these screens run on a temporary locked desktop, which is indistinguishable from the Windows lock screen. As such they should be handled in the same manner as the Windows lock screen, and prevent access.

Proof of concept

From the secure sign-in screen.

Press "I forgot my PIN".
Use object navigation to get from the Microsoft Account Window to the Notification Chevron.
Enter the overflow notifications area.
Find NVDA, press NVDA+enter, route the mouse and click.
Press t and p.
The NVDA Python Console appears.

Indicators of compromise

Unknown

Workarounds

Unknown

Timeline

Reported mid November 2022
Fix released late December 2022 in 2022.3.3

For more information

If you have any questions or comments about this advisory:

Email us at [email protected]

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Python console access via "forgot my PIN" reset screen

Package

Affected versions

Patched versions

Description

Summary

Patch commit

Limitations

Technical details

Proof of concept

Indicators of compromise

Workarounds

Timeline

For more information

Severity

CVSS base metrics

CVE ID

Weaknesses

Credits