7 comments on “Bypassing Windows User Account Control (UAC) and ways of mitigation”

  1. The Windows Script Host executables are vulnerable due to a missing manifest (on Windows 7). So they can be copied and executed with an autoelevate property in an external manifest.

    See https://github.com/Vozzie/uacscript/

    Credits for the wusa and makecab techniques go to this article.

  2. Hello, Noob (not really) here. I can’t even access wusa.exe, which I presume is because the UAC setting is the highest. On Windows 7 the IFileOperation COM is hard for me. If you could help me that would be amazing.

  3. Well, if you can’t access wusa.exe or IFileOperation then most likely you haven’t got rights on the box to begin with; without local admin rights you won’t be able to elevate, unfortunately.

  4. I have observed that sysprep.exe DLL search order hijacking is not fixed in Windows 7 to this date – Feb 2017!

    I looked at this file on 3 entirely different computers, two of them were not mine and the third is my VM. All of them have latest updates installed.

    sysprep.exe has not specified the full path in its manifest! This is fixed in Windows 10 (Windows 8 – I don’t know, can’t confirm or deny).

    So the question becomes apparent: either the exploit was discovered after mainstream maintenance ended, which I don’t believe, since it is the most commonly known exploit in the entire world! I couldn’t find the CVE identifier yet, nor the date it was discovered. (Does anyone know?)

    Or alternatively: Microsoft tries to promote Windows 7 as being “not secure anymore” by intentionally not fixing this exploit, knowing that every script kiddie who wants to write ransomware will find this exploit on the first page of every search engine by typing “UAC bypass”.

    Or did I miss something else? I think I will implement a variant that pops up an elevated cmd or PowerShell and just post it on my website some time soon, just for fun.

    You son of a DLL!

    Discuss! 😉

  5. Of course, there are mitigation techniques for the user to utilize.

    1. The vast majority of users leave the default configuration untouched.
    2. “Always notify” as in Vista will inevitably lead to users deactivating UAC completely.
    3. Stack/heap corruption exploits are nearly impossible to implement and, with DEP/ASLR, almost completely impossible. Tricking a user to just download a file, execute it and elevate it is much more reasonable to adversaries.

    Reading the following article gives me an even more precise picture of the whole UAC history and what it really is. In months, I didn’t read anything more profound than this: https://www.pretentiousname.com/misc/win7_uac_whitelist2.html

    Further, speaking about the bug bounty program:
    Heap/stack corruption, RCE and the like are explicitly in scope, but very hard to find. And I have the impression that Microsoft will not reward UAC mitigation, because:

    1. “A binary has to be executed by the user” – Yes, but privilege escalation is required for specific tasks, especially ransomware – So I consider this an issue, indeed!
    2. It seems like an easy thing to do. I’ve seen forum posts where people just blatantly posted their own UAC bypass they found. People who are capable of finding one know about the bounty program. So anyone who just pops it onto the internet for free seems to guess that Microsoft doesn’t care.
    3. If Microsoft did award bounties for UAC privilege escalation, they would suddenly have thousands of “freelancers” finding one exploit after the other. Would be expensive and look ridiculous.
    4. Black hats most commonly implement exploits into ransomware lately. I ask myself why? They could simply submit to the bounty program and get money from Microsoft. And if they really must – if it’s their burning desire – what stops them from deploying ransomware that requires the user to confirm the UAC dialog? I think the reason is that the difference of victims (exploit vs. no exploit) yields more profit to adversaries than submitting to the bounty program. – Which seems to be $0.00 by my understanding.

    But apparently Microsoft seems to be busy securing Minesweeper, so their own employees don’t cheat while playing Windows built-in games after the lunch break. And of course, occasionally talking about very naughty things in the office. Like, what if we could whitelist instead of auto-elevate?

    So you better MOV EIP, [helloWorld] in order to get a bounty 😉
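The mitigation points in the comment above come down to which position the UAC slider sits at, and whether the logged-on user holds a split (filtered) administrator token at all, since, as an earlier comment notes, a standard user has nothing to bypass. The following PowerShell script is an added example, not code from the article author or any commenter. It reads the documented UAC policy values under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System, maps them back onto the Control Panel slider positions, and reports whether the current token is a filtered admin. The function names and the output field names are this example's own choices.

```powershell
# Added example (not from the original post or its comments): audit the
# effective UAC posture of this machine from a defender's point of view.
# Registry path and value names are the documented UAC policy settings.
$script:UacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

function Get-UacSliderPosition {
    # Translate the three policy values back into the Control Panel slider text.
    param([int]$EnableLua, [int]$ConsentAdmin, [int]$SecureDesktop)

    if ($EnableLua -eq 0) { return 'UAC disabled entirely (EnableLUA=0)' }
    if ($ConsentAdmin -eq 2 -and $SecureDesktop -eq 1) { return 'Always notify' }
    if ($ConsentAdmin -eq 5 -and $SecureDesktop -eq 1) { return 'Default: notify only when programs try to make changes (secure desktop)' }
    if ($ConsentAdmin -eq 5 -and $SecureDesktop -eq 0) { return 'Notify without dimming the desktop' }
    if ($ConsentAdmin -eq 0) { return 'Never notify: administrators elevate silently' }
    return "Custom policy (ConsentPromptBehaviorAdmin=$ConsentAdmin, PromptOnSecureDesktop=$SecureDesktop)"
}

function Get-UacPosture {
    # Collect the policy values and the current token state into one object.
    $p = Get-ItemProperty -Path $script:UacKey

    $enableLua     = [int]$p.EnableLUA
    $consentAdmin  = [int]$p.ConsentPromptBehaviorAdmin
    $secureDesktop = [int]$p.PromptOnSecureDesktop

    # Token inspection: Administrators (S-1-5-32-544) appears in the token
    # group list even when it is deny-only, so this tells us group membership.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $isMember  = [bool]($identity.Groups | Where-Object { $_.Value -eq 'S-1-5-32-544' })
    # IsInRole(Administrator) is only true on the unfiltered (elevated) token.
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    $elevated  = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

    $slider = Get-UacSliderPosition -EnableLua $enableLua -ConsentAdmin $consentAdmin -SecureDesktop $secureDesktop

    # Defender's reading of the combination: auto-elevation of whitelisted
    # Windows binaries only matters for a filtered admin below "Always notify".
    $risk = if (-not $isMember) {
        'Standard user: no silent elevation path from this account'
    } elseif ($elevated) {
        'Already running elevated'
    } elseif ($consentAdmin -eq 2 -and $secureDesktop -eq 1 -and $enableLua -eq 1) {
        'Filtered admin, but every elevation prompts on the secure desktop'
    } else {
        'Filtered admin on a slider position that auto-elevates whitelisted Windows binaries'
    }

    [PSCustomObject]@{
        EnableLUA                  = $enableLua
        ConsentPromptBehaviorAdmin = $consentAdmin
        PromptOnSecureDesktop      = $secureDesktop
        SliderPosition             = $slider
        MemberOfAdministrators     = $isMember
        TokenElevated              = $elevated
        Assessment                 = $risk
    }
}

function Set-UacAlwaysNotify {
    # Remediation: move the slider to "Always notify". Run elevated; -WhatIf previews.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()
    if ($PSCmdlet.ShouldProcess($script:UacKey, 'Set ConsentPromptBehaviorAdmin=2, PromptOnSecureDesktop=1, EnableLUA=1')) {
        Set-ItemProperty -Path $script:UacKey -Name EnableLUA -Value 1
        Set-ItemProperty -Path $script:UacKey -Name ConsentPromptBehaviorAdmin -Value 2
        Set-ItemProperty -Path $script:UacKey -Name PromptOnSecureDesktop -Value 1
    }
}

# Usage: report the posture; preview the remediation without changing anything.
Get-UacPosture | Format-List
Set-UacAlwaysNotify -WhatIf
```

Changing EnableLUA takes effect only after a reboot, whereas the two prompt values apply immediately; the remediation function writes all three so the result is the same regardless of the starting point. Running Get-UacPosture across a fleet (for example through a scheduled task that writes the object to a log collector) gives the inventory the comment's first point asks for: how many users actually sit on the default slider position with a split admin token.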

  6. I totally agree with you; the bottom line is Microsoft are just not bothered fixing UAC bypasses, and that’s why researchers just openly publish them.

  7. It’s the sad story behind the curtains you only see after going through months of research. But Microsoft states that there is a bounty for UAC mitigation bypass. However, scopes of bounty programs are always unclear and vague. And especially strictly limited to very hard to find exploits, like DEP & ASLR. Come on…

    By the way, here is my implementation that I promised:

    -> It’s fully portable and dependency-less. Once executed, cmd pops up. With a command line supplied, the first arg is the file and all following args will be passed through.

    And I especially wrote the text there, trying not to bore people reading my article, since this particular exploit has already been documented and implemented a million times. And now we know why. It’s just that I felt like implementing it myself, too, just for fun 🙂
