Bypassing User Activation Controls

My last blog about User Activation Controls suggested that they were of little help, even when they work.  After all, user data (your documents, spreadsheets and such) are the most valuable things you have.  Now, we’ll just trash UAC by bypassing it.  We’ll do this by relying on a flaw:  Microsoft loves itself.

I Heart Microsoft image

Remember, UAC is the annoying prompt you get when attempting to install or modify a program.  It also appears when attackers are attempting to escalate privileges, so they can pillage and plunder by installing system-level code, like rootkits or password sniffers.

To gain initial access to a PC, we’ll attack the Java vulnerability, CVE-2012-0507, written about in previous posts.  Having older and vulnerable versions of Java is fairly commonplace and is plausible.

OK. Here’s the setup.  There is a victim PC and a malicious server.  The victim is running Windows 7 and a vulnerable version of Java.  The server is Metasploit, setup to offer a rogue applet to any connecting browser.

  1. The client connects to Metasploit with a browser. The user on the PC is logged in as the user Fred on a PC named fred-PC.
  2. Metasploit sends an applet to the client, containing code that will tell the client to connect back and yield control.
Initial attack - a client connects with a browser to a Metasploit rogue Web server
Windows 7 PC and browser connect to a Metasploit rogue Web server.

In Metasploit, it works like this.

  1. The browser connected to Metasploit and requested a page from this malicious Web server.  Metasploit indicates it has a client-victim nibbling on the hook.
  2. Metasploit sends a page containing the rogue applet and compromises the Windows 7 PC.  The session message indicates a channel of communication has been opened.
Metasploit attacking a victim and failing to gain SYSTEM-level access
Metasploit successfully attacking a victim, but failing to gain SYSTEM-level access.

The operator of Metasploit connects to a session and finds out a user named Fred is logged on at the victim PC.  But notice: the getsystem command failed.  Getsystem is a Metasploit script that will attempt to move your privileges to the SYSTEM account, the all-powerful deity of Microsoft machines.  Becoming that account will be our real goal.  But, that pesky UAC prevented it.  Let’s exploit a flaw in Windows to bypass UAC and gain SYSTEM-level access.

The flaw allows an application to run another application that does not require UAC.

For exploits to work, they need a vulnerability.  All vulnerabilities require a flaw.  To bypass UAC, we’ll attack the flaw that Microsoft trusts Microsoft. An article in OSnews outlined this rather nicely back in 2009. In a nutshell, the flaw allows an application to run another application that does not require UAC. Microsoft created some functions to bypass UAC – they are called auto-elevation.  They did it so that UAC would not be constantly be nagging you to death. Microsoft tried to constrain this by creating a whitelist of applications that could to this. Lo and behold, all of them were built into Windows.

Here’s the tricky part.  Windows applications can interact a fair amount.  In fact, one process can inject itself into another. OK, analogy time.  In scary ghost movies, a good guy is battling some evil demon-posessed bad guy.  And right at the end,  just when the good guy it about to vanquish the demon-guy, the evil spirit leaps out and takes over someone else to avoid destruction. The demon lives on in someone else’s body. This lets the producer make a sequel.  In Windows, this is called process injection.

Fact 1: Many Windows application can auto-elevate.

Fact 2: Metasploit can selectively choose to move its own rogue payloads into almost any other application, like Notepad.  Notepad is a signed Windows application.

Notepad possessed by an evil payload
Notepad possessed by an evil payload. Notepad can auto-elevate.

Let’s watch this play out.  Back in Metasploit, we had taken over a PC and a user named Fred.  Now, we’re going to load a routine, called bypassuac, and instruct it as follows:

  1. Connect to the victim on Session 1.
  2. Write a new application and send it to the Windows 7 PC.
  3. The new application will run and connect back to Metasploit to offer it control.
  4. Metasploit will cause Notepad to run on the the victim.
  5. The new application will migrate into Notepad. Notepad is able to auto-elevate.
  6. The getsystem command runs successfully through Notepad and auto-elevates.
Metasploit bypassing UAC
Metasploit bypassing UAC

Fred’s PC is now owned by the attacker, who has unlimited privileges. No UAC prompts showed up and the user would be blissfully unaware of the attack. Just so you can see there was no slight of hand. Here are the UAC settings of the Windows 7 victim.

UAC settings of victim-settings
These are the default UAC settings.

Defenses

Microsoft considers this auto-elevation a non-issue, or perhaps even a feature.  They were tired of all the complaints from users about UAC.  So, do not look to them for a fix any time soon.

  • Patching Java would be good. Uninstall it, if not needed. But, many other vulnerabilities could have ended up this way.
  • Antivirus is pretty helpless. Keep it updated and pray for peace.
  • Raise the settings of the UAC to the maximum level.  At least, you’ll get a prompt.  Just get used to clicking OK every time you make any minor changes.
  • Backups.

If this stuff intrigues you, there is a Learning Tree course on penetration testing that helps you learn to work with Metasploit and do things like escalating privileges.

Randy W. Williams

Type to search blog.learningtree.com

Do you mean "" ?

Sorry, no results were found for your query.

Please check your spelling and try your search again.