- Oct 23, 2012
The Event Viewer application built into Windows can be abused to let attackers bypass the Windows User Account Control (UAC) security feature on Windows 7 and Windows 10.
Responsible for discovering this trick are security researchers Matt Nelson and Matt Graeber, who at the end of July detailed another Windows UAC bypass that used the Windows 10 Disk Cleanup utility.
The difference between their latest bypass and the one from the end of July is in the technique.
Latest UAC bypass does not rely on files stored on disk
The first one, using Disk Cleanup, involved the researchers using a high-privileged process to copy a DLL into an unsafe location, which they used in a DLL hijacking attack that didn't get flagged by UAC.
For the bypass they presented today, the two researchers put together a method that didn't require dropping any malicious DLL on the file system and didn't utilize any process injection (DLL hijacking).
This fileless UAC bypass required the researchers to create a structure of intertwined Windows registry keys, which would end up being queried by the Event Viewer process (eventvwr.exe), triggering a masked operation from a high integrity process like Event Viewer, which UAC would allow through, considering it a harmless operation.
There's a way to prevent these types of UAC bypass attacks
According to the two researchers, this is a unique, never-before-seen UAC bypass. All previous UAC bypass techniques relied on process hijacking, privileged file copy, or dropping files on the user's PC.
"This particular technique can be remediated or fixed by setting the UAC level to “Always Notify” or by removing the current user from the Local Administrators group," Nelson writes.
"Further, if you would like to monitor for this attack, you could utilize methods/signatures to look for and alert on new registry entries in HKCU\Software\Classes," which is one of the key places in the aforementioned intertwined registry structure.
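The two remediations and the monitoring advice above can be turned into a small set of checks an administrator can run on an endpoint. The following PowerShell is an added example written for this article; it is not code from the article or from Nelson and Graeber. It assumes Windows PowerShell 5.1 or later on Windows 7/10, and the baseline file path passed to Compare-UserClassesSnapshot is an arbitrary location chosen by the operator.

```powershell
# Added example (not from the article or the researchers): verifies the two
# recommended remediations (UAC at "Always notify", user not a local admin)
# and snapshots HKCU\Software\Classes so new per-user class registrations can
# be diffed against a known-good baseline.

function Get-UacAlwaysNotifyStatus {
    # ConsentPromptBehaviorAdmin = 2 together with PromptOnSecureDesktop = 1 is
    # the "Always notify" slider position. The default is 5 ("notify me only
    # when programs try to make changes"), which is the setting the bypass
    # relies on; 0 means UAC never prompts at all.
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $p = Get-ItemProperty -Path $key
    [pscustomobject]@{
        EnableLUA                  = $p.EnableLUA
        ConsentPromptBehaviorAdmin = $p.ConsentPromptBehaviorAdmin
        PromptOnSecureDesktop      = $p.PromptOnSecureDesktop
        AlwaysNotify               = ($p.EnableLUA -eq 1 -and
                                      $p.ConsentPromptBehaviorAdmin -eq 2 -and
                                      $p.PromptOnSecureDesktop -eq 1)
    }
}

function Test-CurrentUserIsLocalAdmin {
    # whoami lists BUILTIN\Administrators (S-1-5-32-544) even in a UAC-filtered
    # token, where it is marked "Group used for deny only". That is exactly the
    # at-risk case: an Administrators member running at medium integrity.
    $groups = whoami /groups /fo csv | ConvertFrom-Csv
    [bool]($groups | Where-Object { $_.SID -eq 'S-1-5-32-544' })
}

function Get-UserClassesSnapshot {
    # Flat list of every key under HKCU\Software\Classes with its default
    # value, suitable for saving with Export-Clixml and diffing later.
    Get-ChildItem -Path 'HKCU:\Software\Classes' -Recurse -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{
                Key     = $_.Name
                Default = (Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue).'(default)'
            }
        }
}

function Compare-UserClassesSnapshot {
    # Returns keys (or changed default values) present now but absent from the
    # baseline; an empty result means nothing new was registered per-user.
    param([Parameter(Mandatory)][string]$BaselinePath)
    $baseline = @(Import-Clixml -Path $BaselinePath)
    $current  = @(Get-UserClassesSnapshot)
    Compare-Object -ReferenceObject $baseline -DifferenceObject $current -Property Key, Default |
        Where-Object SideIndicator -eq '=>'
}

function Get-UserClassesOpenCommands {
    # High-signal subset: per-user handlers that tell Windows what to execute
    # when a class is opened. Legitimate software rarely writes these under
    # HKCU, so each entry is worth a second look.
    Get-ChildItem -Path 'HKCU:\Software\Classes' -Recurse -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -match '\\shell\\open\\command$' } |
        ForEach-Object {
            [pscustomobject]@{
                Key     = $_.Name
                Command = (Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue).'(default)'
            }
        }
}

# Usage on a freshly built machine:
#   Get-UserClassesSnapshot | Export-Clixml -Path C:\baseline\hkcu-classes.xml
# Later, on the same machine:
#   Get-UacAlwaysNotifyStatus
#   Test-CurrentUserIsLocalAdmin
#   Compare-UserClassesSnapshot -BaselinePath C:\baseline\hkcu-classes.xml
#   Get-UserClassesOpenCommands
```

The snapshot comparison is a point-in-time check; for continuous alerting on the same location, Sysmon registry events (Event ID 12 for key creation and 13 for value writes) or Windows object-access auditing on HKCU\Software\Classes give the "new registry entries" signal Nelson describes without polling.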
Microsoft doesn't consider UAC a true security feature, but malware developers prefer not to take any chances and often include UAC bypasses in their code to avoid getting their malware stuck in a UAC prompt.