Security News Windows 10 Disk Cleanup Utility Abused to Bypass UAC

BoraMurdar

Super Moderator
Thread author
Verified
Staff Member
Well-known
Aug 30, 2012
6,598
Security researchers Matt Nelson and Matt Graeber have discovered a unique method of bypassing the Windows User Access Control (UAC) security system on Windows 10, allowing malicious files to execute without alerting users that something strange had happened.

Their method doesn't involve a complicated mechanism that implies a privileged file copy or any code injection, but only taking advantage of an already existing Windows scheduled task that's set up to run with the highest privileges available.

That scheduled task is associated with the Disk Cleanup utility, a built-in Windows app for helping users clean and manage their hard drives. The scheduled task is described as: "Maintenance task used by the system to launch a silent auto disk cleanup when running low on free disk space."

UAC bypass uses basic DLL hijacking technique
The two researchers discovered that when Windows 10 would run this task, it would execute the Disk Cleanup app, which would copy a set of files in a folder at "C:\Users\<username>\AppData\Local\Temp".

The files copied here were an executable called DismHost.exe and a very large number of DLL files. Disk Cleanup would then execute the EXE file, which would load one DLL after the other.

The two researchers discovered that DismHost.exe would load the LogProvider.dll as the last DLL file in this queue, giving them time to launch an attack.

Nelson and Graeber created a malicious script (aka malware) that would watch the local file system for the creation of new folders inside the Temp directory, and when detecting one of the files above, it would quickly move to replace LogProvider.dll with their own version of the DLL, containing malicious operations.

UAC would ignore the scheduled task
This attack technique is called DLL hijacking and is a common method of executing malware attacks.

Because this scheduled task ran from a regular user account, but with the "highest privileges available," UAC remained silent.

An attacker clever enough to use this technique would have had a way to infect a regular user account and then execute code with admin privileges with a very trivial DLL hijacking technique.

A fix ain't coming
The good news is that the researchers have told Microsoft about the issue. The bad news is that a fix ain't coming in the immediate future.

"This was disclosed to Microsoft Security Response Center (MSRC) on 07/20/2016," Nelson writes. "As expected, they responded by noting that UAC isn’t a security boundary, so this doesn’t classify as a security vulnerability."

In the meantime, users are encouraged either to disable the task or to uncheck the "Run with the highest privileges" option as seen below.

To get to this window, press the Start button, and search for "Scheduled Tasks." Open the application and on the left side of the window open the following folders: Microsoft -> Windows -> DiskCleanup. Here use the menu on the right side to disable the task, or just untick the problematic box.

[Screenshot: the scheduled task's properties window showing the "Run with highest privileges" option]
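A scripted version of the mitigation the post describes, written here as an added example (it is not code from the article, the researchers, or Microsoft). It assumes the task folder path given above, the built-in ScheduledTasks cmdlets on Windows 10, and an elevated PowerShell prompt; task names are read from the folder rather than assumed.

```powershell
# Added example: audit the tasks under the DiskCleanup folder and, on request,
# apply one of the two mitigations from the post: disable the task, or keep it
# but drop "Run with the highest privileges" (RunLevel Highest -> Limited).
# Assumes Windows 10 with the ScheduledTasks module; run as administrator.
param(
    [ValidateSet('Audit', 'Disable', 'Limit')]
    [string]$Mode = 'Audit'
)

$taskPath = '\Microsoft\Windows\DiskCleanup\'   # folder named in the post

foreach ($task in Get-ScheduledTask -TaskPath $taskPath) {
    $runLevel = $task.Principal.RunLevel        # 'Highest' == the problematic checkbox
    [pscustomobject]@{
        Task     = $task.TaskName
        State    = $task.State
        RunLevel = $runLevel
        UserId   = $task.Principal.UserId
        GroupId  = $task.Principal.GroupId
    } | Format-List

    if ($runLevel -ne 'Highest') { continue }

    switch ($Mode) {
        'Disable' {
            # Mitigation 1: stop the task from running at all.
            Disable-ScheduledTask -TaskName $task.TaskName -TaskPath $taskPath | Out-Null
            Write-Host "Disabled $($task.TaskName)"
        }
        'Limit' {
            # Mitigation 2: keep the task, but run it without elevation.
            # A task principal is either a user (with a logon type) or a group,
            # so rebuild whichever kind this task uses with RunLevel Limited.
            $principal = if ($task.Principal.GroupId) {
                New-ScheduledTaskPrincipal -GroupId $task.Principal.GroupId -RunLevel Limited
            } else {
                New-ScheduledTaskPrincipal -UserId $task.Principal.UserId `
                    -LogonType $task.Principal.LogonType -RunLevel Limited
            }
            Set-ScheduledTask -TaskName $task.TaskName -TaskPath $taskPath -Principal $principal | Out-Null
            Write-Host "Set $($task.TaskName) to RunLevel=Limited"
        }
        default {
            Write-Warning "$($task.TaskName) runs with highest privileges; re-run with -Mode Disable or -Mode Limit"
        }
    }
}
```

Run it without arguments first to see which tasks in the folder are elevated, then with `-Mode Disable` or `-Mode Limit` to apply the change.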

Logethica
Thanks for the share...:)
I have the "Disk Space Clean Up Manager" and the "Disk Defragmenter Module" Services killed through My Firewall..
(I rely on CCleaner & Auslogics Defrag Instead)
I did this to reduce MS Telemetry, but it looks like it may have another use too :D

DardiM
Thanks for this info :)

I like this:
Microsoft Security Response
"As expected, they responded by noting that UAC isn’t a security boundary, so this doesn’t classify as a security vulnerability." :rolleyes:

XhenEd
I don't use DiskCleanup, but many or even the majority of Windows users are probably using it for maintenance. I think MS is going to patch this soon, though. :)

HMP.A 3.5 might be able to prevent this attack.
