Recently our researchers revealed a new way that attackers can bypass Microsoft’s User Access Control (UAC) mechanisms.The UAC is placed as a mitigation feature against malware that runs with Administrator privilege. Our research reveals that such a bypass is not only possible, but is also relatively easy for an attacker to carry out.
What is our research finding?
Our research shows that using a simple and seemingly harmless command an attacker can extract information, plant malicious code inside legitimate processes and bypass the UAC mechanism to gain a high integrity level and eventually take control over the entire system without the victim noticing it.
This research was tested against updated versions of Windows 7 and Windows 10, both 32-bit and 64-bit.
What is Microsoft User Account Control (UAC)?
User Account Control (UAC) is a mechanism first introduced by Microsoft in Windows Vista. The purpose of UAC is to limit sensitive features of the operating system from being used without the active consent of a user. It’s important to note that the user has to be one with sufficient privileges on the system, typically a member of the Administrators group.
If a program requires access to these sensitive functions, it must be running with what’s called, a “high integrity level”. Switching to a high integrity level is called “Elevation” and a request to elevate shows a message to the user.
To summarize, gaining access to sensitive parts of the operating system requires both permissions and consent.
The message displayed to the user also distinguishes between signed and unsigned code:
Figure 1: UAC message of a signed program attempting to run on the user’s machine
Figure 2: UAC message of an unsigned program attempting to run on the user’s machine
Why do attackers attempt to bypass UAC?
An attacker that runs as a user essentially has the same permissions that the user has. Theoretically, a malware running from an Administrator account has full control of the operating system.
UAC mitigates against such a scenario because Administrator permissions alone are no longer sufficient to take full control of the system. UAC requires that the user also provides consent to run the program.
Attackers that wish to compromise a system, gain persistence and exfiltrate information usually need access to some features that require elevated privileges. A message shown to the user not only alerts the user to the presence of such a threat, but effectively allows the user to stop the malware by declining the elevation request.
What are the UAC bypass methods that exist today?
There are several methods of bypassing UAC today, some of them are published in a project called UACme by hFireF0x at GitHub.
Typically the bypasses involve causing a process that is allowed to automatically elevate to load a library (i.e. a dll) placed by the attacker.
What can be done to mitigate against UAC-bypass?
The methods known to bypass UAC use processes that are automatically allowed to elevate privileges. A security-savvy user can configure UAC to ask permission for any process, thus causing current UAC bypass methods to be visible to the user.
Changing this setting, however, will not always prevent this specific attack vector from gaining permissions. The reason is that malware can sometimes still be loaded to a legitimate process that the user knows to be safe (for example, through “hijacking” the task manager).
Why is this UAC-bypass research significant?
A malware setting a single registry value, or running a single command, is all that is needed to prepare the system for an attack at a later time.
The attack method that our research revealed enables the malware to be loaded to a legitimate process and so effectively weakens the mitigation solution described above.
Additionally, our findings “re-open” some of the bypasses that were placed in UACme and considered since to be closed.
How does MS address UAC bypass?
Microsoft regards UAC bypass techniques as insignificant, explaining that these techniques can be used only when the system is already considered compromised.
However, we do know that Microsoft addresses these UAC-bypasses when discovered and releases security fixes for them through Windows Update.