Windows UAC Bypass Permits Code Execution (threatpost.com)

← Back to Stories (view on slashdot.org)

Windows UAC Bypass Permits Code Execution (threatpost.com)

Posted by BeauHD on Tuesday August 16, 2016 @09:30AM from the inside-job dept.

msm1267 writes from a report via Threatpost: A Windows UAC bypass has been publicly disclosed that not only bypasses the security feature meant to prevent unauthorized installs, but can be used to run code on compromised machines without leaving a trace on the hard disk. The bypass relies on Event Viewer (eventvwr.exe), a native Windows feature used to view event logs locally or remotely. Researcher Matt Nelson said he figured out a way to use eventvwr to hijack a registry process, start Powershell and execute commands on Windows machines; he collaborated with fellow researcher Matt Graeber on a proof-of-concept exploit, which was tested against Windows 7 and 10. A report published today by Nelson said it would work against any version of the OS that implements UAC. An attacker would already need to be on the machine to use this technique, Nelson said. The attack allows an admin user to execute code in a high-integrity context without requiring the user to approve the administrative action via the UAC pop-up. Microsoft, the researcher said, does not consider UAC bypasses a security boundary worthy of a bulletin and patch. It's unclear how Microsoft will address this issue.

39 of 79 comments (clear)

Min score:

Reason:

Sort:

Well duh by fisted · 2016-08-16 09:31 · Score: 2

Easier to just rely on the luser to click "Allow" when the UAC prompt pops up.

--
CLI paste? paste.pr0.tips!
1. Re:Well duh by The-Ixian · 2016-08-17 01:14 · Score: 1
  
  Doesn't elevation in Linux just use sudo?
  If so, all you need to do is visudo and add the NOPASSWD flag to the appropriate match rule.
  
  --
  My eyes reflect the stars and a smile lights up my face.
Re:In other news... by A10Mechanic · 2016-08-16 09:49 · Score: 1

Never attribute to malice that which may be explained by incompetence. (it's usually the latter)
Am I reading this right? by tomhath · 2016-08-16 09:51 · Score: 4, Informative

An attacker would already need to be on the machine to use this technique, Nelson said. The attack allows an admin user to execute code in a high-integrity context without requiring the user to approve the administrative action
So the attacker already pwns the machine. This is a threat?
1. Re:Am I reading this right? by Anonymous Coward · 2016-08-16 09:54 · Score: 1
  
  STFU. We're trying to blow shit out of proportion here!
2. Re:Am i reading this right? by cbhacking · 2016-08-16 12:36 · Score: 1
  
  No physical access required. Arbitrary code execution in a non-elevated context required, and then it can use that to elevate... if you're a member of the Administrators group, and still have the brain-dead UAC default "don't notify when I make changes to Windows settings" setting selected.
  
  --
  There's no place I could be, since I've found Serenity...
3. Re:Am i reading this right? by hyperar · 2016-08-16 12:59 · Score: 1
  
  No physical access required. Arbitrary code execution in a non-elevated context required, and then it can use that to elevate... if you're a member of the Administrators group, and still have the brain-dead UAC default "don't notify when I make changes to Windows settings" setting selected.
  
  An attacker would already need to be on the machine to use this technique
  That pretty much is physical access. Not to mention that we're talking about a improperly configured environment. Nevertheless, it is a vulnerability that must be addressed and Microsoft's response is unacceptable. P.S.: I'm pretty sure that UAC doesn't allow you to make changes without being notified by default.
4. Re:Am I reading this right? by The-Ixian · 2016-08-17 01:21 · Score: 1
  
  All this exploit does is remove the "are you sure?" prompt that is displayed when a user that is ALREADY an administrator tries to do something in a high integrity context.
  He is an idiot for pointing that out?
  If it was just a standard user, this exploit would not work.
  Also, this is not remotely exploitable... so, yeah, if you are already and administrator and have local access to the machine.... well, you can do whatever you want even without the exploit.
  As a Windows admin, I find UAC to be useful, because it allows me to elevate in place without having to do a runas or switching users.
  
  --
  My eyes reflect the stars and a smile lights up my face.
5. Re:Am I reading this right? by exomondo · 2016-08-17 10:22 · Score: 1
  
  So the attacker already pwns the machine. This is a threat?
  Yes, apparently if you ask an attacker if they are sure they want to run malicious code then 99% of times they will click "no". So not presenting this dialog is a massive security problem...if you're a complete idiot.
Doesn't break what UAC is intended for. by nuckfuts · 2016-08-16 09:53 · Score: 5, Insightful

UAC isn't intended to be some kind of inviolable security mechanism. It's more of a simple alert that some process is trying to make changes to your system - a nice thing to know if you weren't expecting it. The fact that you can bypass the UAC prompt when already on the computer with administrative rights is pretty non-consequential.
1. Re:Doesn't break what UAC is intended for. by exomondo · 2016-08-17 10:31 · Score: 1
  
  It isn't even an extra layer of security if this isn't fixed, since the attack is a complete bypass.
  But if you're doing the attack why go through that process when you could just run your code and click "Allow" on the UAC dialog instead? You need to be admin to do this attack anyway so you already have the privileges to run whatever code you want.
Improving windows! by jdavidb · 2016-08-16 09:53 · Score: 2, Insightful

The attack allows an admin user to execute code in a high-integrity context without requiring the user to approve the administrative action via the UAC pop-up.
Thank goodness! I've been looking for a way around those annoying popups ever since they first arrived in Windows, and I know I'm not the only one.

--
Secession is the right of all sentient beings.
Re:In other news... by Anonymous Coward · 2016-08-16 09:54 · Score: 1

The sky is blue, water is still wet, and windows is still insecure.
The sky is blue, water is still wet, and windows is still INTENTIONALLY insecure.
ftfy.
It has nothing to do with third party software makers as you put it. It is US government spying apparatus. So are Google and Facebook and Twitter and Cloudflare (yeah, those captchas), and Markmonitor and way more. (Slashdot is just HUMINT which is normally out of FBI area of expertise... they are SIGINT. This is why they look so stupid here.)
The US Gov forced Microsoft into spy servitude way back when they threatened to split Microsoft into two companies (and worse, but not published). So you have what you have right now.
Spies everywhere, protecting nothing, producing nothing, just buying sunglasses and hair grease looking slimy in Nordstrom Rack attire.
UAC has a differnt goal by Anonymous Coward · 2016-08-16 09:57 · Score: 3, Informative

UAC has a different goal than you think.
https://channel9.msdn.com/Forums/Coffeehouse/473037-UAC-controversy-the-last-episode/773c9d79f8df4fa8bc489deb00e05c3d
Its goal is to force us to actually fix our crap. UAC is not a bandaid to fix all security issues. There are many known work arounds to it. Including turning it off.
Sweet vindication! by itsownreward · 2016-08-16 09:57 · Score: 1

All you folks still running Windows XP and being told it's a pile of insecure horseshit are vindicated!
1. Re:Sweet vindication! by itsownreward · 2016-08-16 10:22 · Score: 1
  
  Whoosh!
  
  Exactly. Only platforms that have UAC are affected. That's the joke.
2. Re:Sweet vindication! by dbIII · 2016-08-16 17:49 · Score: 1
  
  I've been saying that for ages. Some poor sods still have to run MS WinXP to get legacy software to work and their insecure environment (with Firefox instead of IE of course and Thunderbird instead of MS Outlook) is really not much worse than MS Win10 knee deep in the current malware swamp. The same third party antivirus software runs on both after all and the same real firewall upstream can protect them.
  Treat both like a pile of insecure horseshit and you'll be better off instead of trusting whatever the wild web wants you to click on.
  As seen with another article the obvious has happened with automated "cloud" advertising and even google advertising has become a malware vector due to no involvements of human beings - nobody is there to care about where the ad links go so a script kiddie got a cheap and trusted way to do damage.
Re:In other news... by Chir · 2016-08-16 10:08 · Score: 1

Unless they just want you to think its incompetence. Plausible deniability is all the rage.
Just don't run as admin by jader3rd · 2016-08-16 10:20 · Score: 1

If your current user isn't an Administrator, this doesn't provide the attacker any additional privileges.
1. Re:Just don't run as admin by cbhacking · 2016-08-16 12:34 · Score: 1
  
  It's actually even stupider than that. If you don't have UAC set to automatically elevate system binaries (like eventvwr.exe), this doesn't provide the attacker with anything either. UAC in Win7 introduced the idiotic notion that "trusted" programs would auto-elevate, rather than prompting, by default. There have been UAC bypasses based on this stupidity known for many years, this is just the latest in a long, long list.
  To avert this, on Win7+, set UAC to "Always notify", rather than the default "Notify me when apps try to make changes to my computer (Don't notify me when I make changes to Windows settings)". In the UAC control panel, just move the slider to the top. (On Vista, the latter option doesn't exist; anything launching from a non-elevated context is required to prompt.) That will protect you against stupidities like an auto-elevated process reading a command to execute out of the non-elevated-writable HKCU registry hive (which is how this bypass works). Microsoft's idea in changing that default may have been good (reduce the number of prompts), but their execution was shit because none of their code (including the self-elevating stuff) is actually designed to treat non-elevated-same-user-writable locations as untrusted.
  Note that there is *one* known UAC bypass that works even in "Always Notify" mode, because Microsoft is really bad at this stuff. It's far more complicated than this one, though. It also still doesn't work if you aren't a member of the Administrators group, though removing yourself from that group does introduce a lot of hassle.
  
  --
  There's no place I could be, since I've found Serenity...
Am i reading this right? by hyperar · 2016-08-16 10:47 · Score: 1

Admin privileges?, Physical access?, big meh.
Re:Please... kill UAC. by Anonymous Coward · 2016-08-16 10:47 · Score: 2, Informative

No it is about forcing developers to stop being fucking lazy C@#nts and demanding admin privileges when they are not necessary. apps that annoy users with prompts lose users and hence finally fix their shit that no amount of begging has been able to achieve.
Windows can execute code? by lusid1 · 2016-08-16 10:50 · Score: 1

Seems newsworthy.
Do you let users run as root on Linux? by Barlo_Mung_42 · 2016-08-16 11:48 · Score: 1

No. I hope you do not. I don't run as admin on my Windows machines either. I run as Standard User so even if something bypasses UAC it can't do much because my account simply doesn't have those rights.
1. Re:Do you let users run as root on Linux? by cbhacking · 2016-08-16 12:38 · Score: 1
  
  There's only one known UAC bypass if you switch to "Always Notify" from the brain-dead default setting that auto-elevates many Windows binaries , and there's a work-around for that one (the exploit itself is far more complicated than this one, too). Not arguing that running as not-a-member-of-Administrators isn't a good idea anyhow, because (from a security standpoint) it definitely is, but it's also a *mostly*-needless hassle.
  
  --
  There's no place I could be, since I've found Serenity...
2. Re:Do you let users run as root on Linux? by superwiz · 2016-08-17 15:59 · Score: 1
  
  The issue is not that you don't run things as a root user. The issue is that you can limit what processes you run as root on Linux by only using sudo and only having it set to allow a limited set of commands. In Windows, an admin user is not running in a privileged mode by default (so all processes only have regular user privileges). The admin user can elevate to the privileged mode (and needs to answer in the affirmative to that UAC prompt if the policy is set to require UAC). But with this workaround, as soon as admin user logs in, a malicious process can elevate to admin level without ever presenting a UAC prompt. The sole act of an admin user logging in is enough for a malicious process to elevate and run in privileged mode. This downgrades Win 7 and Win 8 security to the security level of Win XP (in which all processes of the 1st logged in user run in the same session as the background services).
  
  --
  Any guest worker system is indistinguishable from indentured servitude.
3. Re:Do you let users run as root on Linux? by superwiz · 2016-08-17 16:04 · Score: 1
  
  If you develop in Windows, you often need to run as a member of Administrators in order to debug services. It's either that or elevating the MSVS at the start (and I am not even sure that would work in allowing you to attach to services). If you do elevate MSVS though, you'll be creating files as a different user, so then you won't be able to edit them as your non-administrators user. So there is quite a bit of incentive to do all development as a member of administrators and have UAC turned on (both for 3rd parties' and for MS-authored software).
  
  --
  Any guest worker system is indistinguishable from indentured servitude.
Re:OK BACK TO FBI NEWS @ SLASHDOT THEN I SEE. by ls671 · 2016-08-16 11:56 · Score: 1

That is called Do you want to be spied on today.dll
I especially like the spaces in the file name. It really makes you feel on Windows.

--
Everything I write is lies, read between the lines.
Not quite right, but it's stupid anyhow. by cbhacking · 2016-08-16 12:41 · Score: 1, Interesting

Elevation from limited-user access to "root" (Administrators-level access) is definitely a threat. Of course, in this case, it's just enabled by a really moronic default that Microsoft added to UAC in Win7 (and has persisted since), which auto-elevates some "trusted" Windows binaries (like eventvwr.exe). If you remove that particular stupidity (in the UAC control panel, move the slider all the way up to "Always Notify"), this attack (and the long, long list of similar things, many known for years, like it) won't work.

--
There's no place I could be, since I've found Serenity...
1. Re:Not quite right, but it's stupid anyhow. by Gadget_Guy · 2016-08-16 13:48 · Score: 1
  
  Elevation from limited-user access to "root" (Administrators-level access) is definitely a threat.
  This doesn't do that. You have to already be already running as an Administrator for this so-called exploit to work. If you are not in the Local Administrators group then you will get the prompt requiring a password.
2. Re:Not quite right, but it's stupid anyhow. by exomondo · 2016-08-17 10:26 · Score: 1
  
  Elevation from limited-user access to "root" (Administrators-level access) is definitely a threat.
  Of course it is, but if you actually read the article - or even the summary - you will see that that is not what is happening here:
  An attacker would already need to be on the machine to use this technique, Nelson said. The attack allows an admin user to execute code
  So without this technique the only difference would be that the attacker would have to click 'Allow' in the UAC prompt.
Re:In other news... by ruir · 2016-08-16 20:22 · Score: 4, Interesting

I have yet to understand if cloudfare captchas are there to secure their service or to force us to downgrade our security, activating Javascript. It is a pity, because I had a very nice opinion of Cloudfare and recommend it several times before finding about that.
wow by superwiz · 2016-08-17 15:52 · Score: 1

A security boundary not worth considering? For real? UAC and FS/registry virtualization are the only OS-level security paradigms added to Win 7 over Win XP. Without it, any background process running with administrative privileges can do what a logged-in administrator can do. This includes installing new software and doing essentially anything that a local TrustedInstaller user can do. Worse yet, if this ever happens when an admin user is logged in, the process would not even need to authenticate itself. It would just run it in the session of the logged-in admin user without the admin user ever knowing about it, with the admin user's full confidence that nothing can installed under his credentials (because he has UAC turned on and not allowing any installation to happen without first presenting a "may I, mother?" prompt). If they don't think the session security improvements are worth anything, why don't just start to openly support Win XP again? This is somewhat disturbing.

--
Any guest worker system is indistinguishable from indentured servitude.
Re:Let me get this straight... by superwiz · 2016-08-17 16:06 · Score: 1

Not quite physical access. He just needs an admin to log in. So there is an admin user session running.

--
Any guest worker system is indistinguishable from indentured servitude.
Re:Please... kill UAC. by superwiz · 2016-08-17 16:07 · Score: 1

Developers need admin privileges. You can't debug services without them.

--
Any guest worker system is indistinguishable from indentured servitude.
Re:Who runs Admin without UAC? by superwiz · 2016-08-17 16:10 · Score: 1

Who in their right mind runs Admin and turns off UAC?
Precisely.

You deserve malware if your doing that.
The described bypass (at least from my reading of the Slashdot summary) allows to bypass the UAC prompt even if UAC is turned on.

--
Any guest worker system is indistinguishable from indentured servitude.
You new here, or just completely ignorant? by cbhacking · 2016-08-17 16:17 · Score: 1

OK, 7-digit ID or not, are you really so new here you think that Slashdot summaries (or even articles) are an always-accurate representation of the world? Out here in the real world, where I've been working in information security longer than you've been on this site (and nearly as long as I have, actually), we understand the difference between "the attacker needs to physically or remotely accessing the machine" and "the attacker needs to have code executing on the machine". It's a very important difference. The fact that the summary implies direct access is required is stupid, but the fact that you (and, apparently, a significant number of other people) took that implication as fact says much more about you all than it does about the exploit.
Try reading the actual exploit writeup rather than dumbed-down ThreatPost article, and you'll see that no such claim is made. There's not a single step of the process that requires the level of access you'd need to approve a UAC prompt. Hell, even in the ThreatPost article, it doesn't say (or even imply) anything about physical access.

“This is a post-exploitation technique, so an attacker would need to already be on the system.”
You can do this exploit if you get non-elevated arbitrary code execution (via remote compromise, or Trojan download, or anything else of that sort) in the account of a member of the Administrators group. You cannot click "Allow" via non-elevated code execution; UAC is very carefully designed to not allow non-elevated code to approve its prompts.
Please don't run your mouth when you don't know what you're talking about. This exploit, and the UAC default in Win7+, are both stupid enough already; you don't have to turn it into a three-way race. Think first, then post!

--
There's no place I could be, since I've found Serenity...
1. Re:You new here, or just completely ignorant? by exomondo · 2016-08-17 19:18 · Score: 1
  
  OK, 7-digit ID or not, are you really so new here you think that Slashdot summaries (or even articles) are an always-accurate representation of the world? Out here in the real world, where I've been working in information security longer than you've been on this site
  Yes ok your life revolves significantly around this site, I get that but not everybody's does.
  
  The fact that the summary implies direct access is required is stupid, but the fact that you (and, apparently, a significant number of other people) took that implication as fact says much more about you all than it does about the exploit.
  I don't think I said or implied "direct access". I quoted "on the machine" which could be remote, it could be by proxy.
  
  Try reading the actual exploit writeup rather than dumbed-down ThreatPost article, and you'll see that no such claim is made.
  So the claim I didn't make is also not made by Threatpost, well glad we cleared that up.
  
  Hell, even in the ThreatPost article, it doesn't say (or even imply) anything about physical access.
  Neither did I.
  
  You can do this exploit if you get non-elevated arbitrary code execution (via remote compromise, or Trojan download, or anything else of that sort) in the account of a member of the Administrators group. You cannot click "Allow" via non-elevated code execution
  If you have already achieved that you don't really need this exploit.
Re:In other news... by ruir · 2016-08-17 21:31 · Score: 1

At home I block things at DNS level...thanks for the links!