Bugtraq mailing list archives

Previous By Date Next
Previous By Thread Next

Windows Vista: Non-privileged code can redirect shortcuts to intercept privilege elevation requests

From: robpaveza () gmail com
Date: 14 May 2007 05:56:12 -0000
Tested on x86 and x64 editions of Windows Vista Ultimate, though this exploit should function correctly on all x86 and 
x64 editions of Windows Vista.

This exploit requires an attack vector such as a Trojan horse.  However, in light of the enormous success of such types 
of attacks in the past, and the fact that User Account Control (UAC) would be expected to protect the user from doing 
something particularly dangerous to the machine, this should be considered exploitable.

Non-privileged code can be used to replace shortcuts on the Start Menu and intercept elevation of privileges.  Because 
of the way the Start Menu is constructed, users can enumerate all of the shortcuts that appear on their menus because 
they have read access to the folders where the shortcuts reside.  The Start Menu is composited of a common folder and 
the specific user's folder, preferring the user folder if duplicates exist.

Using COM and the .NET Framework, a stub EXE generator can be created that will check for the presence of privilege 
elevation before launching the original target process (in order to not alert the user to the fact that the target is 
infected).  The .NET CLR is installed by default on Windows Vista and so can be used as part of the attack vector.

The proof-of-concept enumerates the shortcuts on the user's menu and the common menu and creates or modified user-local 
shortcuts to exploitable executables via proxy EXEs.  It generates the proxy executables and then writes a text file to 
the Windows\System32 folder once a proxy executable has been run with elevation.  The proof-of-concept code is 
available at http://www.robpaveza.net/VistaUACExploit/PoC.zip and requires Visual Studio 2005 to compile.

A whitepaper detailing the architecture of UAC and this exploit is also available at 
http://www.robpaveza.net/VistaUACExploit/UACExploitWhitepaper.pdf.  The whitepaper details the implementation of the 
Proof of Concept as well, and goes into significantly more detail than this (I'm sorry that this is short, but I've 
been working on writing this up for quite a while and just want it to be over).
Previous By Date Next
Previous By Thread Next

Current thread: