Windows UAC Bypass Permits Code Execution

msm1267 writes from a report via Threatpost: A Windows UAC bypass has been publicly disclosed that not only bypasses the security feature meant to prevent unauthorized installs, but can be used to run code on compromised machines without leaving a trace on the hard disk. The bypass relies on Event Viewer (eventvwr.exe), a native Windows feature used to view event logs locally or remotely. Researcher Matt Nelson said he figured out a way to use eventvwr to hijack a registry process, start Powershell and execute commands on Windows machines; he collaborated with fellow researcher Matt Graeber on a proof-of-concept exploit, which was tested against Windows 7 and 10. A report published today by Nelson said it would work against any version of the OS that implements UAC. An attacker would already need to be on the machine to use this technique, Nelson said. The attack allows an admin user to execute code in a high-integrity context without requiring the user to approve the administrative action via the UAC pop-up. Microsoft, the researcher said, does not consider UAC bypasses a security boundary worthy of a bulletin and patch. It's unclear how Microsoft will address this issue.

Well duh

[fisted]

Easier to just rely on the luser to click "Allow" when the UAC prompt pops up.

Re:

[The-Ixian]

Doesn't elevation in Linux just use sudo?

If so, all you need to do is visudo and add the NOPASSWD flag to the appropriate match rule.

Re:

[A10Mechanic]

Never attribute to malice that which may be explained by incompetence. (it's usually the latter)

Re:

[Chir]

Unless they just want you to think its incompetence. Plausible deniability is all the rage.

Re:

[Anonymous Coward]

The sky is blue, water is still wet, and windows is still insecure.

The sky is blue, water is still wet, and windows is still INTENTIONALLY insecure.

ftfy.

It has nothing to do with third party software makers as you put it. It is US government spying apparatus. So are Google and Facebook and Twitter and Cloudflare (yeah, those captchas), and Markmonitor and way more. (Slashdot is just HUMINT which is normally out of FBI area of expertise... they are SIGINT. This is why they look so stupid here.)

The US Gov forced Microsoft into spy servitude way back when they threatene

Re:In other news...

[ruir]

I have yet to understand if cloudfare captchas are there to secure their service or to force us to downgrade our security, activating Javascript. It is a pity, because I had a very nice opinion of Cloudfare and recommend it several times before finding about that.

Re:

[ruir]

At home I block things at DNS level...thanks for the links!

Re:

[ls671]

That is called Do you want to be spied on today.dll

I especially like the spaces in the file name. It really makes you feel on Windows.

Am I reading this right?

[tomhath]

An attacker would already need to be on the machine to use this technique, Nelson said. The attack allows an admin user to execute code in a high-integrity context without requiring the user to approve the administrative action

So the attacker already pwns the machine. This is a threat?

Re:

[Anonymous Coward]

STFU. We're trying to blow shit out of proportion here!

Re:

[The-Ixian]

All this exploit does is remove the "are you sure?" prompt that is displayed when a user that is ALREADY an administrator tries to do something in a high integrity context.

He is an idiot for pointing that out?

If it was just a standard user, this exploit would not work.

Also, this is not remotely exploitable... so, yeah, if you are already and administrator and have local access to the machine.... well, you can do whatever you want even without the exploit.

As a Windows admin, I find UAC to be useful, because

Not quite right, but it's stupid anyhow.

[cbhacking]

Elevation from limited-user access to "root" (Administrators-level access) is definitely a threat. Of course, in this case, it's just enabled by a really moronic default that Microsoft added to UAC in Win7 (and has persisted since), which auto-elevates some "trusted" Windows binaries (like eventvwr.exe). If you remove that particular stupidity (in the UAC control panel, move the slider all the way up to "Always Notify"), this attack (and the long, long list of similar things, many known for years, like it)

Re:

[Gadget_Guy]

Elevation from limited-user access to "root" (Administrators-level access) is definitely a threat.

This doesn't do that. You have to already be already running as an Administrator for this so-called exploit to work. If you are not in the Local Administrators group then you will get the prompt requiring a password.

Re:

[exomondo]

Elevation from limited-user access to "root" (Administrators-level access) is definitely a threat.

Of course it is, but if you actually read the article - or even the summary - you will see that that is not what is happening here:

An attacker would already need to be on the machine to use this technique, Nelson said. The attack allows an admin user to execute code

So without this technique the only difference would be that the attacker would have to click 'Allow' in the UAC prompt.

You new here, or just completely ignorant?

[cbhacking]

OK, 7-digit ID or not, are you really so new here you think that Slashdot summaries (or even articles) are an always-accurate representation of the world? Out here in the real world, where I've been working in information security longer than you've been on this site (and nearly as long as I have, actually), we understand the difference between "the attacker needs to physically or remotely accessing the machine" and "the attacker needs to have code executing on the machine". It's a very important difference

Re:

[exomondo]

OK, 7-digit ID or not, are you really so new here you think that Slashdot summaries (or even articles) are an always-accurate representation of the world? Out here in the real world, where I've been working in information security longer than you've been on this site

Yes ok your life revolves significantly around this site, I get that but not everybody's does.

The fact that the summary implies direct access is required is stupid, but the fact that you (and, apparently, a significant number of other people) took that implication as fact says much more about you all than it does about the exploit.

I don't think I said or implied "direct access". I quoted "on the machine" which could be remote, it could be by proxy.

Try reading the actual exploit writeup [enigma0x3.net] rather than dumbed-down ThreatPost article, and you'll see that no such claim is made.

So the claim I didn't make is also not made by Threatpost, well glad we cleared that up.

Hell, even in the ThreatPost article, it doesn't say (or even imply) anything about physical access.

Neither did I.

You can do this exploit if you get non-elevated arbitrary code execution (via remote compromise, or Trojan download, or anything else of that sort) in the account of a member of the Administrators group. You cannot click "Allow" via non-elevated code execution

If you have already achieved that you don't really need this exploit.

Re:

[exomondo]

So the attacker already pwns the machine. This is a threat?

Yes, apparently if you ask an attacker if they are sure they want to run malicious code then 99% of times they will click "no". So not presenting this dialog is a massive security problem...if you're a complete idiot.

Doesn't break what UAC is intended for.

[nuckfuts]

UAC isn't intended to be some kind of inviolable security mechanism. It's more of a simple alert that some process is trying to make changes to your system - a nice thing to know if you weren't expecting it. The fact that you can bypass the UAC prompt when already on the computer with administrative rights is pretty non-consequential.

Re:

[exomondo]

It isn't even an extra layer of security if this isn't fixed, since the attack is a complete bypass.

But if you're doing the attack why go through that process when you could just run your code and click "Allow" on the UAC dialog instead? You need to be admin to do this attack anyway so you already have the privileges to run whatever code you want.

Improving windows!

[jdavidb]

The attack allows an admin user to execute code in a high-integrity context without requiring the user to approve the administrative action via the UAC pop-up.

Thank goodness! I've been looking for a way around those annoying popups ever since they first arrived in Windows, and I know I'm not the only one.

UAC has a differnt goal

[Anonymous Coward]

UAC has a different goal than you think.

https://channel9.msdn.com/Forums/Coffeehouse/473037-UAC-controversy-the-last-episode/773c9d79f8df4fa8bc489deb00e05c3d

Its goal is to force us to actually fix our crap. UAC is not a bandaid to fix all security issues. There are many known work arounds to it. Including turning it off.

Sweet vindication!

[itsownreward]

All you folks still running Windows XP and being told it's a pile of insecure horseshit are vindicated!

Re:

[itsownreward]

Whoosh!

Exactly. Only platforms that have UAC are affected. That's the joke.

Re:

[dbIII]

I've been saying that for ages. Some poor sods still have to run MS WinXP to get legacy software to work and their insecure environment (with Firefox instead of IE of course and Thunderbird instead of MS Outlook) is really not much worse than MS Win10 knee deep in the current malware swamp. The same third party antivirus software runs on both after all and the same real firewall upstream can protect them.
Treat both like a pile of insecure horseshit and you'll be better off instead of trusting whatever the

Re:

[superwiz]

Who in their right mind runs Admin and turns off UAC?

Precisely.

You deserve malware if your doing that.

The described bypass (at least from my reading of the Slashdot summary) allows to bypass the UAC prompt even if UAC is turned on.

Just don't run as admin

[jader3rd]

If your current user isn't an Administrator, this doesn't provide the attacker any additional privileges.

Re:

[cbhacking]

It's actually even stupider than that. If you don't have UAC set to automatically elevate system binaries (like eventvwr.exe), this doesn't provide the attacker with anything either. UAC in Win7 introduced the idiotic notion that "trusted" programs would auto-elevate, rather than prompting, by default. There have been UAC bypasses based on this stupidity known for many years, this is just the latest in a long, long list.

To avert this, on Win7+, set UAC to "Always notify", rather than the default "Notify me

Re:

[Anonymous Coward]

No it is about forcing developers to stop being fucking lazy C@#nts and demanding admin privileges when they are not necessary. apps that annoy users with prompts lose users and hence finally fix their shit that no amount of begging has been able to achieve.

Re:

[superwiz]

Developers need admin privileges. You can't debug services without them.

Re:

[superwiz]

Not quite physical access. He just needs an admin to log in. So there is an admin user session running.

Am i reading this right?

[hyperar]

Admin privileges?, Physical access?, big meh.

Re:

[cbhacking]

No physical access required. Arbitrary code execution in a non-elevated context required, and then it can use that to elevate... if you're a member of the Administrators group, and still have the brain-dead UAC default "don't notify when I make changes to Windows settings" setting selected.

Re:

[hyperar]

No physical access required. Arbitrary code execution in a non-elevated context required, and then it can use that to elevate... if you're a member of the Administrators group, and still have the brain-dead UAC default "don't notify when I make changes to Windows settings" setting selected.

An attacker would already need to be on the machine to use this technique

That pretty much is physical access. Not to mention that we're talking about a improperly configured environment. Nevertheless, it is a vulnerability that must be addressed and Microsoft's response is unacceptable. P.S.: I'm pretty sure that UAC doesn't allow you to make changes without being notified by default.

Windows can execute code?

[lusid1]

Seems newsworthy.

Do you let users run as root on Linux?

[Barlo_Mung_42]

No. I hope you do not. I don't run as admin on my Windows machines either. I run as Standard User so even if something bypasses UAC it can't do much because my account simply doesn't have those rights.

Re:

[cbhacking]

There's only one known UAC bypass if you switch to "Always Notify" from the brain-dead default setting that auto-elevates many Windows binaries , and there's a work-around for that one (the exploit itself is far more complicated than this one, too). Not arguing that running as not-a-member-of-Administrators isn't a good idea anyhow, because (from a security standpoint) it definitely is, but it's also a *mostly*-needless hassle.

Re:

[superwiz]

If you develop in Windows, you often need to run as a member of Administrators in order to debug services. It's either that or elevating the MSVS at the start (and I am not even sure that would work in allowing you to attach to services). If you do elevate MSVS though, you'll be creating files as a different user, so then you won't be able to edit them as your non-administrators user. So there is quite a bit of incentive to do all development as a member of administrators and have UAC turned on (both for

Re:

[superwiz]

The issue is not that you don't run things as a root user. The issue is that you can limit what processes you run as root on Linux by only using sudo and only having it set to allow a limited set of commands. In Windows, an admin user is not running in a privileged mode by default (so all processes only have regular user privileges). The admin user can elevate to the privileged mode (and needs to answer in the affirmative to that UAC prompt if the policy is set to require UAC). But with this workaround,

wow

[superwiz]

A security boundary not worth considering? For real? UAC and FS/registry virtualization are the only OS-level security paradigms added to Win 7 over Win XP. Without it, any background process running with administrative privileges can do what a logged-in administrator can do. This includes installing new software and doing essentially anything that a local TrustedInstaller user can do. Worse yet, if this ever happens when an admin user is logged in, the process would not even need to authenticate itsel