| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 10 Sep 2015 17:16:37 +0200
From: "Stefan Kanthak" <stefan.kanthak@...go.de>
To: <bugtraq@...urityfocus.com>
Cc: <fulldisclosure@...lists.org>
Subject: Re: Defense in depth -- the Microsoft way (part 33): arbitrary code execution (and UAC bypass) via RegEdit.exe
I wrote ... and forgot some mitigations:
[...]
> Proof of concept (for Windows 2000 to Windows 10; use your own "sentinel"
> ~~~~~~~~~~~~~~~~ instead of mine for Windows NT4):
>
> 1. get <http://home.arcor.de/skanthak/download/SENTINEL.DLL> (this is a
> 32-bit executable [*]; the 64-bit executable is available on request);
>
> 2. copy SENTINEL.DLL as %SystemRoot%\ACLUI.DLL (use the method shown
> in <http://seclists.org/fulldisclosure/2015/Mar/92> to bypass UAC);
>
> 3. execute %SystemRoot%\RegEdit.exe
>
>
> Mitigation(s):
> ~~~~~~~~~~~~~~
>
> 1. For %! In (%SystemRoot%\*.exe
> %SystemRoot%\*.dll) Do If Not Exist %SystemRoot%\System32\%~nx! MkLink /H %SystemRoot%\System32\%~nx! %!
>
> This but only helps if RegEdit.exe is not called with its fully
> qualified pathname %SystemRoot%\RegEdit.exe
>
> 2. Define ACLUI.DLL as "known DLL":
>
> [HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\KnownDLLs]
> "aclui"="ACLUI.DLL"
3. Prevent elevation of RegEdit.exe per UAC in "protected
administrator" accounts:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers]
"C:\Windows\RegEdit.Exe"="RUNASINVOKER"
[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers]
"C:\Windows\RegEdit.Exe"="RUNASINVOKER"
4. Demote your "protected administrator" account created during Windows
setup to a standard user account.
See <http://windows.microsoft.com/en-us/windows/user-accounts-faq>
and <http://windows.microsoft.com/en-us/windows/change-users-account-type>:
| When you set up Windows, you were required to create a user account.
| This account is an administrator account that allows you to set up
| your computer and install any programs that you'd like to use. Once
| you finish setting up your computer, we recommend that you create a
| standard account and use it for your everyday computing. If you create
| new user accounts, you should also make them standard accounts. Using
| standard accounts will help keep your computer more secure.
> [*] see <http://home.arcor.de/skanthak/sentinel.html>
stay tuned
Stefan Kanthak
PS: more than 22 years after introduction of Windows NT Microsoft STILL
continues their VERY BAD and REALLY NASTY habit to give the user
account(s) created during Windows setup administrative rights!
No, UAC is NOT a security boundary, but just a convenience feature:
see <https://support.microsoft.com/en-us/kb/2526083>,
<https://blogs.msdn.com/b/e7/archive/2009/02/05/update-on-uac.aspx>,
<https://technet.microsoft.com/en-us/magazine/2009.07.uac.aspx>,
<https://technet.microsoft.com/en-us/magazine/2007.09.securitywatch.aspx>,
<https://technet.microsoft.com/en-us/magazine/2007.06.uac.aspx>, ...
Jane and Joe Average will happily give consent to almost any program
(like RegEdit.exe) which asks for elevated privileges, DESPITE most
warnings!
Powered by blists - more mailing lists