Security News UAC Bypass with Elevated Privileges Works on All Windows Versions

Exterminator

enSilo senior security researcher Yotam Gottesman has discovered a simple method of bypassing the Windows User Account Control (UAC) mechanism that affects all supported Windows versions, which in some exploitation scenarios leads to attackers executing commands with elevated privileges.

The technique Gottesman discovered relies on the methods used to interact and control environment variables.

Windows environment variables are a set of temporary settings that are specific to each Windows process and are inherited by their child processes, which can read and write their values.

Windows-level environment variables and their capabilities
Unknown to the vast majority of users is that there is a class of system-wide environment variables that apply to the entire Windows operating system.

These include details like the user's current username, the PC's domain, and file paths for various folders such as the Windows OS, AppData, user profile, and so on.

This set of environment variables is stored in the Windows Registry, hence they are automatically persistent across reboots and can also be modified by any user via the "set" or "setx" commands.

UAC bypasses get worse when combined with high-privileged applications
But there is more. Because of the way Windows is built, there are special apps that, when launched by regular users, execute processes with higher privileges (Task Manager, Disk Cleanup - known UAC bypass, Event Viewer - known UAC bypass, more).

When a user launches one of these apps, Windows UAC trusts its execution by default and does not show a warning.
Crooks can use modified environment variables to spawn malicious child processes under the legitimate app and execute an attack. Windows UAC will stay quiet while the attack runs with elevated privileges because UAC trusts the parent process.

Proof-of-concept attacks that work
Gottesman described five types of attacks, which can be combined, in a technical write-up for enSilo.

In one example, an attacker can create a copy of the C:/Windows folder and modify the system-wide environment variable to point to the wrong Windows OS folder. This setting activates after a system reboot and allows the attacker to load malicious DLLs on the system.

This doesn't mean the attacker has hijacked the OS, but when other legitimate apps need to load a system DLL, they'll be pointed to the wrong location, where the attacker can easily modify and replace files without security products warning the user.

In another similar attack, he tricked Windows into loading the same C:/Windows folder from a local network folder, meaning the malicious DLLs don't even have to be stored on the same filesystem.


Triggering a malicious child process with elevated privileges via legitimate app and hijacked Windows environment variables
In his examples, Gottesman was able to load mmc.exe, the Windows management console with elevated privileges under svchost.exe, meanwhile loading a malicious DLL from the attacker’s C:/copied/Windows folder. This was done with no UAC warning and with elevated privileges.

A Windows patch will be coming in the future
The enSilo researcher notified Microsoft, but the company classified this as a UAC bypass issue, and not an elevation of privileges flaw. Microsoft doesn't consider UAC bypass a security flaw, meaning it won't get patched with the utmost urgency but will eventually be dealt with in the future. Proof-of-concept code is available on GitHub.

"Environment variable expansion in Windows allows an attacker to gather information about a system prior to an attack and eventually take complete and persistent control of the system at the time of choice by running a single user-level command, or alternatively, changing one registry key," Gottesman explains.

"This vector also lets the attacker’s code in the form of a DLL to load into legitimate processes of other vendors or the OS itself and masquerade its actions as the target process’ actions without having to use code injection techniques or use memory manipulations," the researcher also added. "3rd party services that run on behalf of an administrator may also be vulnerable to this attack and allow regular users to elevate their privileges inside the system."
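A defender-side check for the registry-persisted variables the article describes, added here as an example (it is not code from the article or from enSilo's proof of concept): it reads the machine-wide and per-user environment keys and flags values that point to a UNC path, per-user overrides of system-level names, or a SystemRoot/windir that differs from the running OS. The registry paths, the list of sensitive names and the expected values are my own assumptions.

```powershell
# Added audit example, not from the article or enSilo's PoC. Assumed: Windows persists
# machine-wide variables under the Session Manager key and per-user ones under HKCU;
# the sensitive-name list and expected values below are my own choices.
$systemKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Environment'
$userKey   = 'HKCU:\Environment'

# Names whose redirection points loaders at an attacker-controlled directory tree.
$sensitive = 'SystemRoot', 'windir', 'SystemDrive', 'ComSpec', 'ProgramFiles',
             'ProgramFiles(x86)', 'CommonProgramFiles', 'ProgramData', 'PSModulePath'

# Expected values come from the running OS, not from %VARIABLES% of this process,
# because the process environment may itself already be poisoned.
$winDir   = [Environment]::GetFolderPath([Environment+SpecialFolder]::Windows)
$expected = @{ SystemRoot  = $winDir
               windir      = $winDir
               SystemDrive = $winDir.Substring(0, 2)
               ComSpec     = "$winDir\system32\cmd.exe" }

function Test-EnvKey([string]$path, [string]$scope) {
    $findings = @()
    if (-not (Test-Path $path)) { return $findings }
    $item = Get-Item $path
    foreach ($name in $item.GetValueNames()) {
        # Read the raw string so a value such as %SystemRoot% stays visible in the report.
        $raw = $item.GetValue($name, $null,
                 [Microsoft.Win32.RegistryValueOptions]::DoNotExpandEnvironmentNames)
        $val = [Environment]::ExpandEnvironmentVariables([string]$raw)
        $reason = $null
        if ($val -match '^\\\\') {
            $reason = 'UNC path (remote folder)'               # the network-share variant
        } elseif ($scope -eq 'user' -and $sensitive -contains $name) {
            $reason = 'system-level name overridden per user'  # e.g. set with setx
        } elseif ($expected.ContainsKey($name) -and $val -ne $expected[$name]) {
            $reason = "differs from running OS value $($expected[$name])"
        }
        if ($reason) {
            $findings += [pscustomobject]@{ Scope = $scope; Name = $name; Value = $raw; Reason = $reason }
        }
    }
    return $findings
}

$results = @(Test-EnvKey $systemKey 'machine') + @(Test-EnvKey $userKey 'user')
if ($results.Count) { $results | Format-Table -AutoSize }
else { 'No suspicious environment variable overrides found.' }
```

Run it from an elevated prompt to read the machine key reliably; to cover other users' hives, point it at HKU:\<SID>\Environment for each loaded profile.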


DardiM

Thanks for your thread :)

UAC can be bypassed in a lot of ways.

To definitely have an idea:

GitHub - hfiref0x/UACME: Defeating Windows User Account Control
1 to 23 methods

Microsoft countermeasures

Methods fixed:
  • 1 - Windows 8.1 release and above, still works on Windows 7;
  • 2 - Windows 10 starting from earlier preview builds;
  • 3 - Windows 10 TH2 starting from 1055X builds;
  • 4 - Windows 10 starting from first preview builds, earlier OS versions got KB3045645/KB3048097 fix;
  • 5 - Windows 10 starting from 10147 build;
  • 6 - Windows 10 starting from 10147 build;
  • 7 - Windows 10 starting from 10147 build;
  • 8 - Windows 8.1 release and above, still works on Windows 7;
  • 9 - Windows 10 starting from 10147 build;
  • 10 - Windows 10 TH2 starting from build 10548;
  • 11 - Windows 10 starting from first preview builds, earlier OS versions got KB3045645/KB3048097 fix;
  • 12 - Windows 10 TH2 starting from 10565 build;
  • 13 - Windows 10 RS1 starting from public 14316 build;
  • 14 - Windows 10 TH2 starting from 10548 build;
  • 15 - Windows 10 RS1 starting from public 14316 build;
  • 16 - Windows 10 RS1 starting from public 14316 build;
  • 17 - Windows 10 RS1 starting from public 14371 build;
  • 18 - Windows 10 RS1 starting from public 14371 build;
  • 19 - Windows 10 RS1 starting from public 14376 build.
** 20, 21, 22, 23 are not fixed as of 18 August 2016.

=> 22 is the method I was referring to in one of my analyses

Protection
  • UAC turned on maximum level and full awareness about every window it will show;
  • Account without administrative privileges.

_CyberGhosT_

This is what you get when you try to access Event Viewer / Disk Cleanup / Task Manager etc. when VS is in charge.....
[attached screenshot: VS_SS_08192016.png]

Malware Man

This may be a stupid question. But will these methods still work if you have UAC set to max and you are using a standard account?

I've always used the admin account my whole life using Windows and never bothered creating separate admin and standard accounts for different tasks.

_CyberGhosT_

This may be a stupid question. But will these methods still work if you have UAC set to max and you are using a standard account?

I've always used the admin account my whole life using Windows and never bothered creating separate admin and standard accounts for different tasks.
Yes, as explained in the OP, some services are elevated when run from a Standard acct. or they would not be able to run.

SHvFl

Even with UAC at Max settings, it is easily bypassed, even in Windows 10 ;)
Can you link the article saying that? I am interested.
Because the article in this topic talks about some application being elevated, but to do so you get an alert from UAC. You can't launch them without an alert if you are on UAC max. Tbh I never heard of a bypass of max UAC.

DardiM

This may be a stupid question. But will these methods still work if you have UAC set to max and you are using a standard account?

I've always used the admin account my whole life using Windows and never bothered creating separate admin and standard accounts for different tasks.

As I said, against UAC bypassing methods:

Protection
  • UAC turned on maximum level and full awareness about every window it will show;
  • Account without administrative privileges.
Only methods 20, 21, 22, 23 are not fixed as of 18 August 2016 (for the last Windows 10 version).

Good protection tools can do their job, but if the malware isn't recognized, and you are not protected as I wrote in "Protection", good luck :p

DardiM

For those who want to see an example UAC bypass:
(Posted March 11, 2016 by hasherezade)

UAC Bypass
Cerber uses tricks to bypass Windows User Account Control (UAC) and deploy itself with elevated privileges. It is achieved by the following steps:

  1. Search for an executable in C:\Windows\system32 that can auto-elevate its privileges.
  2. Search in its import table for a DLL that can be hijacked.
  3. Copy the DLL into the %TEMP% folder and patch it – add code in a new section and patch the entry point in order to redirect execution there. It will be used in order to run the Cerber sample with elevated privileges. It uses: WinExec(“[cerber_path] -eval 2524“, SW_SHOWNORMAL)
  4. Inject the code into explorer.exe – it is responsible for executing the UAC bypass. It creates a new folder in C:\Windows\system32 and copies there both files – an EXE and the patched DLL – under their original names, then it deploys the EXE, causing the DLL to load and execute the malicious code.
  5. When the UAC bypass is executed successfully, it is signalled to the original Cerber sample by setting a property cerber_uac_status – added to a Shell_TrayWnd. Then, the original sample deletes the dropped files and exits. Otherwise, it tries the same trick with a different pair of EXE + DLL.
If the UAC level is set to default (or lower), Cerber can bypass it silently. However, if it is set to the highest, the following alert pops up:

[image: uac_notification-1.png]


Cerber Ransomware – New, But Mature

Of the 23 methods used, a lot were fixed in the last Windows 10 upgrade.
** 20, 21, 22, 23 are not fixed as of 18 August 2016.

_CyberGhosT_

Can you link the article saying that? I am interested.
Because the article in this topic talks about some application being elevated, but to do so you get an alert from UAC. You can't launch them without an alert if you are on UAC max. Tbh I never heard of a bypass of max UAC.
Watch this video, this is only one example, I won't post anymore, but trust me when I say UAC can be bypassed, simple google searches can show you just how easy it is.

SHvFl

Watch this video, this is only one example, I won't post anymore, but trust me when I say UAC can be bypassed, simple google searches can show you just how easy it is.

Where is the part saying the UAC level used? I really can't see it if it was shown. Just check the article @DardiM posted. It has all methods and the one you just linked me. And it clearly states that UAC max will get an alert and it will be blocked.

DardiM

UAC turned on maximum level and full awareness about every window it will show;
AND Account without administrative privileges.

The 23 methods in my post are only those used by UACMe to reproduce methods used by malware. There could exist more, maybe.

Another thing:
There are a lot of methods where "you don't need injects anywhere. Unless they won't change this in Windows builds sometime in future" (by EP_X0FF)