Slashdot Mirror

← Back to Stories (view on slashdot.org)

Windows UAC Bypass Permits Code Execution (threatpost.com)

Posted by BeauHD on from the inside-job dept.

msm1267 writes from a report via Threatpost: A Windows UAC bypass has been publicly disclosed that not only bypasses the security feature meant to prevent unauthorized installs, but can be used to run code on compromised machines without leaving a trace on the hard disk. The bypass relies on Event Viewer (eventvwr.exe), a native Windows feature used to view event logs locally or remotely. Researcher Matt Nelson said he figured out a way to use eventvwr to hijack a registry process, start Powershell and execute commands on Windows machines; he collaborated with fellow researcher Matt Graeber on a proof-of-concept exploit, which was tested against Windows 7 and 10. A report published today by Nelson said it would work against any version of the OS that implements UAC. An attacker would already need to be on the machine to use this technique, Nelson said. The attack allows an admin user to execute code in a high-integrity context without requiring the user to approve the administrative action via the UAC pop-up. Microsoft, the researcher said, does not consider UAC bypasses a security boundary worthy of a bulletin and patch. It's unclear how Microsoft will address this issue.

2 of 79 comments (clear)

  1. Not quite right, but it's stupid anyhow. by cbhacking · · Score: 1, Interesting

    Elevation from limited-user access to "root" (Administrators-level access) is definitely a threat. Of course, in this case, it's just enabled by a really moronic default that Microsoft added to UAC in Win7 (and has persisted since), which auto-elevates some "trusted" Windows binaries (like eventvwr.exe). If you remove that particular stupidity (in the UAC control panel, move the slider all the way up to "Always Notify"), this attack (and the long, long list of similar things, many known for years, like it) won't work.

    --
    There's no place I could be, since I've found Serenity...
  2. Re:In other news... by ruir · · Score: 4, Interesting

    I have yet to understand if cloudfare captchas are there to secure their service or to force us to downgrade our security, activating Javascript. It is a pity, because I had a very nice opinion of Cloudfare and recommend it several times before finding about that.