Windows 7 SP1 Local Access SYSTEM Compromise

Published 28 Jun 2013. Reported by Anastasios Monachos. Type: packetstorm. Source: packetstormsecurity.com

Windows 7 SP1 Local Access SYSTEM Compromise by Recovery Men

```text
##############################################################################################
# Discovered by: Anastasios Monachos (secuid0) - [anastasiosm(at)gmail(dot)com]
# Vendor: Microsoft
# Affected Software: Windows 7 SP1 (and probably other)
# Title: Owning Windows 7 - From Recovery to "nt authority\system" - Physical Access Required
# See also: http://intelcomms.blogspot.com/2013/05/owning-windows-7-from-recovery-to-nt.html
##############################################################################################

Just wanted to share with you the below, which I have already communicated to
Microsoft. According to the MSRC team: "An attacker with unrestricted physical
access can certainly manipulate a system in multiple ways. This is not
something we consider a security vulnerability." Thus no CVE. "Computer owners
should provide for physical security of systems as part of best practices.
There is more discussion of physical access in the "10 Immutable Laws
of Security" (http://technet.microsoft.com/en-us/library/hh278941.aspx)
under Law #3".

The scenario is as follows:

1. Windows 7 SP1, and
2. Workstation with BIOS settings to restrict boot up from CD, and
3. Workstation joined to Windows Active Directory or Standalone

By forcing the machine to boot or shut down abnormally (e.g. pressing
Ctrl+Alt+Del during bootup or pressing the power button (kill) during shutdown),
Windows will enter the "Windows Error Recovery" menu asking us whether we
wish to "Launch Startup Repair (recommended)" or "Start Windows Normally".

Select "Launch Startup Repair (recommended)".

The recovery process will display a "Windows is loading files..." message,
then after a while we enter the "Startup Repair" process (graphical
interface).
A message might appear asking you if you want to "Restore your computer
using System Restore"; select Cancel if it does.
Shortly, a new message box will come up prompting us to "Send information
about the problem (recommended)" or "Don't send", and at the bottom of
this dialog box an option labelled "View problem details" exists.
Click on "View problem details"; you will get information such as
"Problem signature" and more.

Note that at the very bottom of this textarea a link exists which points
to the X drive (X:\windows\system32\en-US\erofflps.txt).

Clicking on the link, Notepad launches.

From there, one can go to File | Open, view all contents of the C/D/X/etc.
drive (c:\documents and settings\* and any other drive available), copy
files to/from different locations/drives, create files, launch cmd.exe,
backdoor Windows etc.

Through the MS-DOS prompt we noticed we had been granted
"nt authority\system" privileges, which makes sense to have in order to perform
the recovery operation, but it's too easy for anyone to abuse them
provided he has casual physical access (e.g. in environments such as
libraries, universities, offices, reception front desks etc.; I will
leave your imagination to work from this point :)

As probably others may agree with me, "nt authority\system" access should
not be so easily given (or acquired by default, design, whatever, name it);
at a minimum a password prompt or other control should exist to prevent
the ownage.
```
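A hardening audit a defender can run against the scenario above, added here as an example and not part of the advisory. It assumes an elevated PowerShell session; the reagentc, bcdedit and manage-bde output strings it matches are those printed on Windows 7 and later, and the Get-BitLockerVolume cmdlet exists only on Windows 8 / Server 2012 and later.

```powershell
# Added example (not from the advisory): audit the three settings that decide whether
# the Startup Repair -> Notepad -> cmd.exe path is reachable from the console.
# Assumes an elevated PowerShell session (reagentc and bcdedit need admin rights).

function Test-RecoveryExposure {
    $findings = @()

    # 1. Windows Recovery Environment: "reagentc /info" prints "Windows RE status: Enabled|Disabled".
    #    Disabling it (reagentc /disable) removes the Startup Repair path entirely.
    $reInfo = (& reagentc.exe /info 2>&1) -join "`n"
    if ($reInfo -match 'Windows RE status:\s+Enabled') {
        $findings += 'WinRE enabled: Startup Repair is reachable without authentication'
    }

    # 2. Automatic fall-back into recovery after a failed boot: "bcdedit /enum {current}"
    #    prints "recoveryenabled Yes|No". "bcdedit /set {current} recoveryenabled No" turns it off,
    #    so an abnormal shutdown no longer offers "Launch Startup Repair".
    $bcd = (& bcdedit.exe /enum '{current}' 2>&1) -join "`n"
    if ($bcd -match 'recoveryenabled\s+Yes') {
        $findings += 'recoveryenabled=Yes: abnormal shutdown offers Startup Repair on next boot'
    }

    # 3. Full-volume encryption: with BitLocker on, the X: recovery session cannot read C:\
    #    without the recovery key, so Notepad's File | Open yields nothing useful.
    #    Get-BitLockerVolume exists only on Windows 8 / Server 2012 and later.
    if (Get-Command Get-BitLockerVolume -ErrorAction SilentlyContinue) {
        $vol = Get-BitLockerVolume -MountPoint $env:SystemDrive
        if ($vol.ProtectionStatus -ne 'On') {
            $findings += "BitLocker protection is Off for $env:SystemDrive"
        }
    } elseif (Get-Command manage-bde.exe -ErrorAction SilentlyContinue) {
        # Windows 7 (Enterprise/Ultimate): use the legacy tool, which prints "Protection Status: Protection On|Off".
        $status = (& manage-bde.exe -status $env:SystemDrive 2>&1) -join "`n"
        if ($status -notmatch 'Protection Status:\s+Protection On') {
            $findings += "BitLocker protection is not On for $env:SystemDrive (manage-bde)"
        }
    } else {
        $findings += 'No BitLocker tooling found: assume the system drive is unencrypted'
    }

    return $findings
}

$exposure = @(Test-RecoveryExposure)
if ($exposure.Count -eq 0) { 'No findings: WinRE disabled or system drive protected' }
else { $exposure | ForEach-Object { "FINDING: $_" } }
```

Any finding means a person at the console can reach the recovery session described above; turning off WinRE or the recovery fall-back closes the entry point, and BitLocker keeps the system drive unreadable even if it is reached.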
