Summary
This affects Windows 10 and 11.
It was possible to access the NVDA Python console from the lock screen.
This exploit could only occur from the lock screen, not the secure sign-in screen where your password is entered.
NV Access strongly recommends disabling the lock screen.
Instructions to do this can be found in the workarounds section.
Patch commit(s)
https://github.com/nvaccess/nvda-ghsa-585m-rpvv-93qg/commit/428622f954cce8018a08992d3dec5688ea316015
Limitations
The lock screen must be enabled.
This is the default in Windows.
Refer to workarounds section for disabling the lock screen.
Technical details
NVDA introduced the report dev info script as a safe script for the lock screen in 2021.3.2 via #13328.
This was under the assumption that the log viewer never shows up on the lock screen.
Proof of concept
- Run NVDA while logged in to Windows.
- Activate the speech viewer.
- Lock the machine with Windows+L.
- alt+tab to the speech viewer.
- Press NVDA+f1 to bring up the log viewer.
- Press control+s.
- The Save As dialog should appear.
- Find nvda.exe, bring up the context menu, and select Open.
- NVDA restarts.
- Press NVDA+n, and activate the speech viewer.
- alt+tab back into the speech viewer.
- Open the NVDA menu.
- Open the Python console.
Indicators of compromise
Unknown
Workarounds
You can prevent this issue when using older NVDA versions by disabling the lock screen. Disabling the Windows lock screen will cause locking the computer to go straight to the secure sign-in screen. To do this:
Using Windows Home
- Open the run dialog with Windows+R
- Enter and run: regedit (may require administrative access)
- Navigate to Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Personalization:
  - "Personalization" may need to be created as a folder in "Windows".
- Open the context menu with shift+f10 on the “Personalization” folder.
- Create a new DWORD (32-bit) value from the menu.
- Set the name to NoLockScreen
- Set the value data to 1
Using Windows Professional
- Open the run dialog with Windows+R
- Enter and run: gpedit.msc (may require administrative access)
- Using the “Local Group Policy Editor” window
  - Navigate to Local Computer Policy, Computer Configuration, Administrative Templates, Control Panel, Personalization, Do Not Display the Lock Screen
  - Enable "Do Not Display the Lock Screen"
- Confirm with Windows+L that the lock screen is skipped and Windows goes directly to the secure sign-on screen.
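The registry workaround above can also be audited or applied from PowerShell. The script below is an added example, not part of the NV Access advisory; the key path and value name come from the steps above, while the -Enforce switch and the function name are hypothetical names chosen for this example.

```powershell
# Added example (not from the NV Access advisory).
# Reports whether the NoLockScreen policy value is set; with -Enforce, sets it to 1.
[CmdletBinding()]
param(
    [switch]$Enforce   # hypothetical switch name; without it the script only reports
)

$keyPath   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Personalization'
$valueName = 'NoLockScreen'

function Get-NoLockScreenState {
    # Returns the current DWORD value, or $null when the key or value is absent.
    if (-not (Test-Path -Path $keyPath)) { return $null }
    $prop = Get-ItemProperty -Path $keyPath -Name $valueName -ErrorAction SilentlyContinue
    if ($null -eq $prop) { return $null }
    return $prop.$valueName
}

$current = Get-NoLockScreenState
if ($current -eq 1) {
    Write-Output "OK: $valueName is 1; the lock screen is disabled by policy."
    exit 0
}

$shown = if ($null -eq $current) { 'not set' } else { $current }
Write-Output "FINDING: $valueName is $shown; the lock screen is still shown."
if (-not $Enforce) { exit 1 }

# Writing under HKLM requires an elevated session.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    Write-Error 'Run from an elevated PowerShell session to change this value.'
    exit 2
}

# "Personalization" may not exist yet, as the steps above note.
if (-not (Test-Path -Path $keyPath)) { New-Item -Path $keyPath -Force | Out-Null }
New-ItemProperty -Path $keyPath -Name $valueName -PropertyType DWord -Value 1 -Force | Out-Null

if ((Get-NoLockScreenState) -eq 1) {
    Write-Output "FIXED: $valueName set to 1. Confirm with Windows+L."
    exit 0
}
Write-Error "Failed to set $valueName."
exit 3
```

Run without arguments the script only reports, and its exit code (0 when the value is 1, 1 when it is not) can feed a fleet compliance check.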
Timeline
- Reported mid September.
- Released to 2022.2.4 on September 29th
For more information
If you have any questions or comments about this advisory: