Oppia.fi PARTNER, Data protection

Privilege escalation with bypassing UAC

Operating systems are very complex pieces of code, but once you see their logic, everything is clear.

As one of the most widely used operating systems, Microsoft Windows is at the top of the list of potential targets for hackers. Just as water finds its way out through the tiniest hole, hackers are looking for a way to bypass any security measure they face.

In some cases, hackers can gain unauthorized access to a Windows OS, but only with limited privileges. This is because of a protection called User Account Control, or UAC. As a security measure, UAC prevents the execution of actions that need administrative privilege unless the user interacts directly with a prompt and either grants or denies permission for the action. In the evolution of Windows, this feature was first introduced in Windows Vista.


The fact is that hackers will always find a way to bypass a security measure if they are given enough time. The UAC bypass technique that elevates standard user rights to administrator rights has two stages:

  • Writing to a secure location
  • Exploiting DLL hijacking vulnerability

In the first stage we need to find and exploit a method of a COM object, or use the Windows Update Standalone Installer (wusa.exe), whose manifest carries the auto-elevate property. Each version of Windows (Win7, Win8, Win8.1 and Win10) has different processes that can be used for auto-elevation. For example, in Win7 the following processes might be exploited by injecting a malicious DLL:

  • C:\Windows\explorer.exe
  • C:\Windows\System32\wuauclt.exe
  • C:\Windows\System32\taskhost.exe

In the second stage, as in the first, we need genuine Windows OS processes with corresponding DLLs located in a secure directory, where the process has the autoElevate property in its manifest. Each version of Windows (Win7, Win8, Win8.1 and Win10) has different processes that can be used for auto-elevation. For example, in Win7 the following process and DLL might be exploited:

  • C:\windows\System32\cliconfg.exe
  • C:\Windows\System32\NTWDBLIB.DLL
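The two stages above depend on two conditions a defender can audit: UAC must be at a level where auto-elevating Windows binaries elevate silently, and a DLL must have been planted in a secure directory next to an auto-elevating executable. The PowerShell script below is an added example, not code from the original post or from any tool it mentions; it reads the documented UAC policy values and checks whether a file named NTWDBLIB.DLL sits beside cliconfg.exe in System32 (on a default Windows 7 install it does not), verifying its Authenticode signature if it does. The function names (Get-UacPosture, Test-CliconfgDllPlanting) are my own, and the script assumes it is run from an elevated PowerShell prompt on the Windows host being audited.

```powershell
# Added example (not from the original post): defender-side audit of the two
# conditions the UAC bypass described above relies on.
# Assumes: Windows host, elevated PowerShell prompt.

$policyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

function Get-UacPosture {
    $p = Get-ItemProperty -Path $policyKey
    $enableLua     = [int]$p.EnableLUA
    $adminPrompt   = [int]$p.ConsentPromptBehaviorAdmin
    $secureDesktop = [int]$p.PromptOnSecureDesktop

    # Documented ConsentPromptBehaviorAdmin values:
    #   0 = elevate without prompting
    #   1 = prompt for credentials on the secure desktop
    #   2 = prompt for consent on the secure desktop ("Always notify")
    #   3 = prompt for credentials
    #   4 = prompt for consent
    #   5 = prompt for consent for non-Windows binaries (Windows default)
    # Signed Windows binaries with autoElevate in their manifest elevate
    # silently at the default level 5 (and everything does at 0); at level 2
    # every elevation prompts, which is what defeats stage one.
    $verdict = if ($enableLua -eq 0) {
        'UAC disabled: every process of an admin user runs fully elevated'
    } elseif ($adminPrompt -eq 2) {
        'Always notify: auto-elevate bypass path is not available'
    } elseif ($adminPrompt -eq 0 -or $adminPrompt -eq 5) {
        'Silent auto-elevation active: stage one of the bypass is possible'
    } else {
        'Non-default prompt level: review against policy'
    }

    [pscustomobject]@{
        EnableLUA                  = $enableLua
        ConsentPromptBehaviorAdmin = $adminPrompt
        PromptOnSecureDesktop      = $secureDesktop
        Verdict                    = $verdict
    }
}

function Test-CliconfgDllPlanting {
    # The pair named in the post for Windows 7.
    $exe = Join-Path $env:SystemRoot 'System32\cliconfg.exe'
    $dll = Join-Path $env:SystemRoot 'System32\NTWDBLIB.DLL'

    $result = [pscustomobject]@{
        ExePresent         = Test-Path $exe
        ExeHasAutoElevate  = $false
        DllPresent         = Test-Path $dll
        DllSignatureStatus = $null
        DllSigner          = $null
        Suspicious         = $false
    }

    if ($result.ExePresent) {
        # Crude but effective: the embedded manifest is plain XML inside the
        # image, so a string match finds the autoElevate element.
        $text = [System.IO.File]::ReadAllText($exe)
        $result.ExeHasAutoElevate = $text.Contains('<autoElevate>true</autoElevate>')
    }

    if ($result.DllPresent) {
        $sig = Get-AuthenticodeSignature -FilePath $dll
        $result.DllSignatureStatus = $sig.Status
        $result.DllSigner = $sig.SignerCertificate.Subject
        # A DLL in a directory standard users cannot write to, that is either
        # unsigned or not signed by Microsoft, points to stage-one planting.
        $result.Suspicious = ($sig.Status -ne 'Valid') -or
                             ($sig.SignerCertificate.Subject -notmatch 'Microsoft')
    }

    $result
}

# Usage: print both reports.
Get-UacPosture            | Format-List
Test-CliconfgDllPlanting  | Format-List
```

The DLL check reports only the one pair the post names; the same pattern (is the loaded DLL present, and is it signed by the expected vendor) applies to any other auto-elevating executable you inventory on the other Windows versions the post lists.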

It is very easy to find hacking tools that automate this UAC bypass technique for multiple versions of Windows. Ethical hackers use them very often, as they are a key component of the System Hacking methodology. In Module 5 (System Hacking) of EC-Council's Certified Ethical Hacker course, ethical hackers learn about various techniques and tools for bypassing UAC as part of the Privilege Escalation process.

If you'd like to discuss with the writer, sign up for these!
 
Free webinar:
Certified Network Defender CND – Sneak peek to the course content 07.02.2017
For the first time in Finland:
EC-Council Certified Network Defender Program – CND -course


Mane Piperevksi

Mane is an Information Technology Expert with extensive experience in Information Security: over 10 years in the IT industry and 5 years' experience in the field of Information Security. With a breadth of technology skills, including networks, operating systems, databases and application development, Mane has provided IT services in various industry sectors such as banking, electronic payment services, transportation, software development companies, utilities, pension and disability insurance, state courts and government institutions. As an experienced trainer and instructor, Mane has conducted official EC-Council and Microsoft training classes for over 300 students all over Europe. As a Security Expert he understands and knows how to look for weaknesses and vulnerabilities in systems, how they work, how to investigate them and how to exploit them for Proof of Concept.