Date: 14 May 2007 05:56:12 -0000
From: robpaveza@...il.com
To: bugtraq@...urityfocus.com
Subject: Windows Vista: Non-privileged code can redirect shortcuts to intercept privilege elevation requests

Tested on the x86 and x64 editions of Windows Vista Ultimate; the technique should work on all x86 and x64 editions of Windows Vista.

This exploit requires an attack vector such as a Trojan horse.  However, in light of the enormous success of such attacks in the past, and the fact that User Account Control (UAC) would be expected to protect the user from doing something particularly dangerous to the machine, this should be considered exploitable.

Non-privileged code can replace shortcuts on the Start Menu and thereby intercept elevation of privileges.  Because of the way the Start Menu is constructed, a user can enumerate every shortcut that appears on it: the user has read access to the folders where the shortcuts reside.  The Start Menu is composed of a common (all-users) folder and the specific user's folder, and when a shortcut exists in both, the user's copy is preferred.  Since the user also has write access to their own folder, a user-local shortcut can shadow a common one without any privilege at all.

Using COM and the .NET Framework, a generator can produce stub (proxy) EXEs.  Each stub checks whether it has been launched with elevated privileges and then launches the original target process, so the user sees the expected program and is not alerted that the shortcut has been redirected.  The .NET CLR is installed by default on Windows Vista and so can be used as part of the attack vector.

The proof-of-concept enumerates the shortcuts on the user's menu and the common menu and creates or modifies user-local shortcuts so that they launch proxy EXEs in place of the executables that would request elevation.  It generates the proxy executables and, once one of them has been run with elevation, writes a text file to the Windows\System32 folder to demonstrate the gained privilege.  The proof-of-concept code is available at http://www.robpaveza.net/VistaUACExploit/PoC.zip and requires Visual Studio 2005 to compile.

A whitepaper detailing the architecture of UAC and this exploit is also available at http://www.robpaveza.net/VistaUACExploit/UACExploitWhitepaper.pdf.  The whitepaper details the implementation of the Proof of Concept as well, and goes into significantly more detail than this (I'm sorry that this is short, but I've been working on writing this up for quite a while and just want it to be over).
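The redirection described above leaves two traces a defender can look for: a user-local .lnk that shadows an All Users .lnk of the same name but resolves to a different target, and a user-local .lnk whose target sits in a location a standard user can write to (which is where an unprivileged generator would have to drop its proxy EXE). The following PowerShell script is an added audit example, not part of the original post or of the author's proof-of-concept; it reads the Start Menu folder locations from WScript.Shell's SpecialFolders, and the function and variable names ($userMenu, $commonMenu, Get-LnkInfo, Test-UserWritableTarget, $writableRoots) are this example's own. The user-writable roots are a heuristic assumption (profile and %TEMP%), not something the post specifies.

```powershell
# Added example (not from the original post): audit the per-user Start Menu
# for shortcuts that could have been planted by unprivileged code to
# intercept an elevation prompt. Two heuristics are applied:
#   1. a user-local .lnk that shadows an All Users .lnk at the same relative
#      path but resolves to a different target or arguments;
#   2. a user-local .lnk whose target lives in a user-writable tree
#      (assumed here: the profile and %TEMP%), i.e. somewhere a
#      standard-user process could have written a proxy executable.
# Variable and function names are this example's own assumptions.

$shell      = New-Object -ComObject WScript.Shell
$userMenu   = $shell.SpecialFolders.Item('StartMenu')          # per-user folder, wins on duplicates
$commonMenu = $shell.SpecialFolders.Item('AllUsersStartMenu')  # common (All Users) folder
$writableRoots = @($env:USERPROFILE, $env:TEMP) | ForEach-Object { $_.TrimEnd('\') }

function Get-LnkInfo([string]$Path) {
    # IWshShortcut exposes the resolved target and command line of a .lnk
    $sc = $shell.CreateShortcut($Path)
    [PSCustomObject]@{ Target = $sc.TargetPath; Arguments = $sc.Arguments }
}

function Test-UserWritableTarget([string]$Target) {
    # True when the shortcut target is under one of the assumed writable roots
    $t = [Environment]::ExpandEnvironmentVariables($Target)
    foreach ($root in $writableRoots) {
        if ($t.StartsWith($root + '\', [StringComparison]::OrdinalIgnoreCase)) { return $true }
    }
    return $false
}

$findings = foreach ($lnk in Get-ChildItem -LiteralPath $userMenu -Recurse -Filter *.lnk) {
    # Path of the shortcut relative to the Start Menu root, used to find its
    # All Users counterpart (the one the user-local copy would shadow)
    $rel    = $lnk.FullName.Substring($userMenu.Length).TrimStart('\')
    $user   = Get-LnkInfo $lnk.FullName
    $reason = @()

    $common = Join-Path $commonMenu $rel
    if (Test-Path -LiteralPath $common) {
        $c = Get-LnkInfo $common
        if ($user.Target -ne $c.Target -or $user.Arguments -ne $c.Arguments) {
            $reason += "shadows common shortcut (common target: $($c.Target))"
        }
    }
    if (Test-UserWritableTarget $user.Target) {
        $reason += 'target is in a user-writable location'
    }
    if ($reason.Count -gt 0) {
        [PSCustomObject]@{
            Shortcut  = $rel
            Target    = $user.Target
            Arguments = $user.Arguments
            Reason    = ($reason -join '; ')
        }
    }
}

if ($findings) {
    $findings | Format-Table -AutoSize
} else {
    'No suspicious user-local Start Menu shortcuts found.'
}
```

Run it as the user whose Start Menu is being checked (it needs no elevation, since the point is that both folders are readable by the user). A user-local shortcut whose target and arguments match the common copy is unremarkable and is not reported; the two heuristics flag candidates for manual review rather than proving compromise, and a proxy dropped outside the assumed writable roots would only be caught by the shadowing check.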
