Windows UAC Bypass Permits Code Execution (threatpost.com)
msm1267 writes from a report via Threatpost: A Windows UAC bypass has been publicly disclosed that not only bypasses the security feature meant to prevent unauthorized installs, but can be used to run code on compromised machines without leaving a trace on the hard disk. The bypass relies on Event Viewer (eventvwr.exe), a native Windows feature used to view event logs locally or remotely. Researcher Matt Nelson said he figured out a way to use eventvwr to hijack a registry process, start PowerShell and execute commands on Windows machines; he collaborated with fellow researcher Matt Graeber on a proof-of-concept exploit, which was tested against Windows 7 and 10. A report published today by Nelson said it would work against any version of the OS that implements UAC. An attacker would already need to be on the machine to use this technique, Nelson said. The attack allows an admin user to execute code in a high-integrity context without requiring the user to approve the administrative action via the UAC pop-up. Microsoft, the researcher said, does not consider UAC bypasses a security boundary worthy of a bulletin and patch. It's unclear how Microsoft will address this issue.
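A detection check a defender could run over process-creation telemetry, added here as an example and not part of the Slashdot post or the researchers' proof of concept: it flags Event Viewer (eventvwr.exe) spawning any child other than its expected mmc.exe, which is the signal the technique described above would leave even though nothing touches the disk. The log layout and sample lines are constructed; the field names mirror Sysmon's process-creation event, but the `key=value|key=value` format and the parser are assumptions for this example.

```python
from pathlib import PureWindowsPath

# Constructed process-creation records, one per line, in an assumed
# "key=value|key=value" layout. Field names follow Sysmon Event ID 1.
SAMPLE_LOG = """\
ParentImage=C:\\Windows\\System32\\eventvwr.exe|Image=C:\\Windows\\System32\\mmc.exe|IntegrityLevel=High|CommandLine=mmc.exe eventvwr.msc
ParentImage=C:\\Windows\\System32\\eventvwr.exe|Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|IntegrityLevel=High|CommandLine=powershell.exe
ParentImage=C:\\Windows\\explorer.exe|Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|IntegrityLevel=Medium|CommandLine=powershell.exe
ParentImage=C:\\Windows\\System32\\eventvwr.exe|Image=C:\\Windows\\System32\\cmd.exe|IntegrityLevel=High|CommandLine=cmd.exe /c whoami
"""

# eventvwr.exe is only a launcher: the one child it legitimately starts is
# mmc.exe loading eventvwr.msc. Anything else under it is worth a look.
EXPECTED_CHILDREN = {"mmc.exe"}


def parse_events(text):
    """Turn the constructed log text into a list of field dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = dict(field.split("=", 1) for field in line.split("|"))
        events.append(fields)
    return events


def basename(path):
    """Case-insensitive file name of a Windows path."""
    return PureWindowsPath(path).name.lower()


def is_suspicious(event):
    """True when Event Viewer spawned something other than its normal child."""
    parent = basename(event.get("ParentImage", ""))
    child = basename(event.get("Image", ""))
    return parent == "eventvwr.exe" and child not in EXPECTED_CHILDREN


def find_uac_bypass_candidates(text):
    """Return (child name, integrity level) for every suspicious record."""
    return [(basename(e["Image"]), e.get("IntegrityLevel", "?"))
            for e in parse_events(text) if is_suspicious(e)]


if __name__ == "__main__":
    for child, integrity in find_uac_bypass_candidates(SAMPLE_LOG):
        print(f"eventvwr.exe spawned {child} at {integrity} integrity")
```

Both flagged children in the sample run at High integrity with no UAC prompt having been shown, which is exactly the condition the report describes; the explorer.exe-launched PowerShell at Medium integrity is left alone.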
Easier to just rely on the luser to click "Allow" when the UAC prompt pops up.
CLI paste? paste.pr0.tips!
An attacker would already need to be on the machine to use this technique, Nelson said. The attack allows an admin user to execute code in a high-integrity context without requiring the user to approve the administrative action
So the attacker already pwns the machine. This is a threat?
UAC isn't intended to be some kind of inviolable security mechanism. It's more of a simple alert that some process is trying to make changes to your system - a nice thing to know if you weren't expecting it. The fact that you can bypass the UAC prompt when already on the computer with administrative rights is pretty non-consequential.
The attack allows an admin user to execute code in a high-integrity context without requiring the user to approve the administrative action via the UAC pop-up.
Thank goodness! I've been looking for a way around those annoying popups ever since they first arrived in Windows, and I know I'm not the only one.
Secession is the right of all sentient beings.
UAC has a different goal than you think.
https://channel9.msdn.com/Forums/Coffeehouse/473037-UAC-controversy-the-last-episode/773c9d79f8df4fa8bc489deb00e05c3d
Its goal is to force us to actually fix our crap. UAC is not a band-aid to fix all security issues. There are many known workarounds to it, including turning it off.
No, it is about forcing developers to stop being fucking lazy C@#nts and demanding admin privileges when they are not necessary. Apps that annoy users with prompts lose users and hence finally fix their shit, which no amount of begging has been able to achieve.
I have yet to understand if Cloudflare captchas are there to secure their service or to force us to downgrade our security by activating JavaScript. It is a pity, because I had a very nice opinion of Cloudflare and recommended it several times before finding out about that.