Bugtraq mailing list archives
Re: Defense in depth -- the Microsoft way (part 33): arbitrary code execution (and UAC bypass) via RegEdit.exe
From: "Stefan Kanthak" <stefan.kanthak () nexgo de>
Date: Thu, 10 Sep 2015 17:16:37 +0200
I wrote ... and forgot some mitigations: [...]
Proof of concept (for Windows 2000 to Windows 10; use your own "sentinel" instead of mine for Windows NT4):
~~~~~~~~~~~~~~~~

1. get <http://home.arcor.de/skanthak/download/SENTINEL.DLL>
   (this is a 32-bit executable [*]; the 64-bit executable is available on request);

2. copy SENTINEL.DLL as %SystemRoot%\ACLUI.DLL
   (use the method shown in <http://seclists.org/fulldisclosure/2015/Mar/92> to bypass UAC);

3. execute %SystemRoot%\RegEdit.exe

Mitigation(s):
~~~~~~~~~~~~~~

1. For %! In (%SystemRoot%\*.exe %SystemRoot%\*.dll) Do If Not Exist %SystemRoot%\System32\%~nx! MkLink /H %SystemRoot%\System32\%~nx! %!

   This helps, but only if RegEdit.exe is not called with its fully qualified pathname %SystemRoot%\RegEdit.exe

2. Define ACLUI.DLL as "known DLL":

   [HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\KnownDLLs]
   "aclui"="ACLUI.DLL"

3. Prevent elevation of RegEdit.exe per UAC in "protected administrator" accounts:

   [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers]
   "C:\Windows\RegEdit.Exe"="RUNASINVOKER"

   [HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers]
   "C:\Windows\RegEdit.Exe"="RUNASINVOKER"

4. Demote your "protected administrator" account created during Windows setup to a standard user account.
   See <http://windows.microsoft.com/en-us/windows/user-accounts-faq> and
   <http://windows.microsoft.com/en-us/windows/change-users-account-type>:

   | When you set up Windows, you were required to create a user account.
   | This account is an administrator account that allows you to set up
   | your computer and install any programs that you'd like to use. Once
   | you finish setting up your computer, we recommend that you create a
   | standard account and use it for your everyday computing. If you create
   | new user accounts, you should also make them standard accounts. Using
   | standard accounts will help keep your computer more secure.
[*] see <http://home.arcor.de/skanthak/sentinel.html>
stay tuned
Stefan Kanthak

PS: more than 22 years after introduction of Windows NT Microsoft STILL continues their VERY BAD and REALLY NASTY habit to give the user account(s) created during Windows setup administrative rights!

No, UAC is NOT a security boundary, but just a convenience feature: see
<https://support.microsoft.com/en-us/kb/2526083>,
<https://blogs.msdn.com/b/e7/archive/2009/02/05/update-on-uac.aspx>,
<https://technet.microsoft.com/en-us/magazine/2009.07.uac.aspx>,
<https://technet.microsoft.com/en-us/magazine/2007.09.securitywatch.aspx>,
<https://technet.microsoft.com/en-us/magazine/2007.06.uac.aspx>, ...

Jane and Joe Average will happily give consent to almost any program (like RegEdit.exe) which asks for elevated privileges, DESPITE most warnings!
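An audit script for the search-order condition and the mitigations listed in the post, added here as an example and not part of Stefan Kanthak's message or of Windows itself. It assumes a Windows host (an elevated session for the HKLM reads) and only reports; it changes nothing.

```powershell
# Added audit script (not from the original post). Assumes Windows; reads only.
$sysRoot  = $env:SystemRoot
$system32 = Join-Path $sysRoot 'System32'

# 1. DLLs placed directly in %SystemRoot% that carry the name of a System32 DLL.
#    An executable living in %SystemRoot% (RegEdit.exe) resolves such a name from
#    its own directory before System32, so a planted ACLUI.DLL would be listed here.
$shadowing = Get-ChildItem -Path $sysRoot -Filter '*.dll' -File |
    Where-Object { Test-Path -LiteralPath (Join-Path $system32 $_.Name) } |
    ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        [pscustomobject]@{
            Dll       = $_.Name
            Signature = $sig.Status                    # anything but 'Valid' needs a closer look
            Signer    = $sig.SignerCertificate.Subject # $null when the file is unsigned
        }
    }

# 2. Mitigation 2 of the post: is ACLUI.DLL registered as a KnownDLL?
#    KnownDLLs are mapped from System32 regardless of the caller's directory.
$knownKey   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\KnownDLLs'
$knownProps = (Get-ItemProperty -Path $knownKey).PSObject.Properties
$acluiKnown = [bool]($knownProps | Where-Object { "$($_.Value)" -ieq 'ACLUI.DLL' })

# 3. Mitigation 3 of the post: does RegEdit.exe carry the RUNASINVOKER layer
#    (no elevation request) in the machine-wide and the per-user Layers key?
$regedit   = Join-Path $sysRoot 'RegEdit.exe'
$layerKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers',
    'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers'
)
$layers = foreach ($key in $layerKeys) {
    $props = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).PSObject.Properties
    $entry = $props | Where-Object { $_.Name -ieq $regedit } | Select-Object -First 1
    $value = if ($entry) { "$($entry.Value)" } else { '(none)' }
    [pscustomobject]@{
        Key          = $key
        Layer        = $value
        RunAsInvoker = ($value -match 'RUNASINVOKER')
    }
}

# 4. Mitigation 1 of the post: a System32 copy or hardlink of RegEdit.exe makes a
#    bare "regedit" resolve to System32, where ACLUI.DLL is found in the app directory.
$sys32Regedit = Test-Path -LiteralPath (Join-Path $system32 'RegEdit.exe')

[pscustomobject]@{
    ShadowingDlls     = $shadowing
    AcluiIsKnownDll   = $acluiKnown
    RegeditLayers     = $layers
    RegeditInSystem32 = $sys32Regedit
} | Format-List
```

An empty ShadowingDlls list together with AcluiIsKnownDll = True and RunAsInvoker = True in both Layers keys means the conditions and mitigations from the post are covered on that host.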