UAC vulnerability in Windows 7 and Windows 10 allows for traceless code execution
Windows' User Account Control (UAC) feature was designed to help keep computers safe from malicious software installations, but there are already at least a couple of ways to bypass it. A new technique for circumventing UAC not only makes it possible to execute commands on a computer, but to do so without leaving a single trace.
Security researchers Matt Nelson and Matt Graeber discovered the vulnerability and developed a proof-of-concept exploit. The pair tested the exploit on Windows 7 and Windows 10, but say that the technique can be used to bypass security on any version of Windows that uses UAC.
While the vulnerability does require an attacker to already have access to a computer in order to exploit it, it is a concern nonetheless. Speaking to Threatpost, Nelson said: "This attack simply allows an admin user to execute code in a high-integrity context without requiring the user to ‘approve’ the administrative action via the pop-up. It essentially removes the restrictions an attacker has when running under the context of a local administrator".
The attack -- which is detailed on Nelson's website -- uses the Event Viewer (eventvwr.exe) together with a hijacked registry lookup under HKCU\Software\Classes\ to launch PowerShell, which can then be used to execute arbitrary code. The researcher says that he has informed Microsoft about the vulnerability but was told that UAC bypasses are not considered important enough to warrant a Patch Tuesday fix. In a statement Microsoft said:
Windows is the only platform with a customer commitment to investigate reported security issues, and proactively update impacted devices as soon as possible. If we determine there is an issue, we will take the necessary steps to help protect customers.
Nelson says that it is possible to protect against the threat:
This particular technique can be remediated or fixed by setting the UAC level to "Always Notify" or by removing the current user from the Local Administrators group. Further, if you would like to monitor for this attack, you could utilize methods/signatures to look for and alert on new registry entries in HKCU\Software\Classes\.
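The following PowerShell script is an added example for defenders and is not code from the article, from Nelson or from Graeber. It checks the two remediations quoted above (the "Always Notify" UAC level and local Administrators membership) and implements the monitoring suggestion by baselining and diffing the per-user shell command registrations under HKCU\Software\Classes\. The registry policy value names and the `Get-LocalGroupMember` cmdlet are standard Windows and PowerShell 5.1 items; the baseline file path and function names are this example's own choices.

```powershell
# Added defender-side check; not part of the original article or the researchers' tooling.
# Run from an ordinary (non-elevated) PowerShell 5.1+ session on Windows 7/10.

function Get-UacPromptLevel {
    # ConsentPromptBehaviorAdmin = 2 together with PromptOnSecureDesktop = 1 is the
    # "Always notify" slider position. 5 is the Windows default; 0 disables the prompt.
    $policy = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $p = Get-ItemProperty -Path $policy
    [pscustomobject]@{
        EnableLUA                  = $p.EnableLUA
        ConsentPromptBehaviorAdmin = $p.ConsentPromptBehaviorAdmin
        PromptOnSecureDesktop      = $p.PromptOnSecureDesktop
        AlwaysNotify               = ($p.ConsentPromptBehaviorAdmin -eq 2 -and $p.PromptOnSecureDesktop -eq 1)
    }
}

function Test-CurrentUserIsLocalAdmin {
    # Compares SIDs rather than names so domain and Microsoft accounts match correctly.
    # Requires the Microsoft.PowerShell.LocalAccounts module (shipped with PowerShell 5.1).
    $mySid   = [System.Security.Principal.WindowsIdentity]::GetCurrent().User.Value
    $members = Get-LocalGroupMember -Group 'Administrators' -ErrorAction Stop
    return [bool]($members | Where-Object { $_.SID.Value -eq $mySid })
}

function Get-HkcuShellCommandOverrides {
    # Per-user class registrations under HKCU\Software\Classes are consulted before the
    # machine-wide ones, so any '...\shell\<verb>\command' value here deserves a look.
    # A clean profile normally has very few of them.
    Get-ChildItem -Path 'HKCU:\Software\Classes' -Recurse -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -eq 'command' -and $_.PSParentPath -match '\\shell\\' } |
        ForEach-Object {
            [pscustomobject]@{
                Key     = $_.Name
                Command = (Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue).'(default)'
            }
        }
}

function Compare-ShellCommandBaseline {
    # First run writes a baseline; later runs return only entries that were not in it.
    # Baseline location is an assumption of this example.
    param([string]$BaselinePath = "$env:LOCALAPPDATA\hkcu-classes-baseline.json")
    $current = @(Get-HkcuShellCommandOverrides)
    if (-not (Test-Path -Path $BaselinePath)) {
        ConvertTo-Json -InputObject $current | Set-Content -Path $BaselinePath
        Write-Host "Baseline written to $BaselinePath ($($current.Count) entries)."
        return @()
    }
    $baseline = @(Get-Content -Path $BaselinePath -Raw | ConvertFrom-Json)
    $known    = @($baseline | ForEach-Object { $_.Key })
    return $current | Where-Object { $known -notcontains $_.Key }
}

# Usage: report UAC posture, admin membership, and any new per-user shell commands.
Get-UacPromptLevel | Format-List
"Current user is a member of local Administrators: $(Test-CurrentUserIsLocalAdmin)"
$new = @(Compare-ShellCommandBaseline)
if ($new.Count -gt 0) {
    Write-Warning "New HKCU\Software\Classes shell command entries since baseline:"
    $new | Format-Table -AutoSize
}
```

Schedule the script (or an equivalent SIEM rule on registry-write events for that hive) to run periodically; a new entry in the diff is the signal Nelson describes, and the UAC fields tell you at a glance whether the "Always Notify" remediation is actually in force on the host.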
However, he also warns that the exploit differs from other publicly known bypasses in several respects:
- This technique does not require dropping a traditional file to the file system. Most (if not all) public UAC bypasses currently require dropping a file (typically a DLL) to the file system. Doing so increases the risk of the attacker getting caught. Since this technique doesn’t drop a traditional file, that extra risk to the attacker is mitigated.
- This technique does not require any process injection, meaning the attack won’t get flagged by security solutions that monitor for this type of behavior.
- There is no privileged file copy required. Most UAC bypasses require some sort of privileged file copy in order to get a malicious DLL into a secure location to set up a DLL hijack. Since it is possible to replace what executable “eventvwr.exe” starts to load the required Snap-in, it is possible to simply use an existing, trusted Microsoft binary to execute code in memory instead.