Bugtraq mailing list archives

Re: Defense in depth -- the Microsoft way (part 33): arbitrary code execution (and UAC bypass) via RegEdit.exe


From: "Stefan Kanthak" <stefan.kanthak () nexgo de>
Date: Thu, 10 Sep 2015 17:16:37 +0200

I wrote ... and forgot some mitigations:

[...]

Proof of concept (for Windows 2000 to Windows 10; use your own "sentinel"
~~~~~~~~~~~~~~~~  instead of mine for Windows NT4):

1. get <http://home.arcor.de/skanthak/download/SENTINEL.DLL> (this is a
   32-bit executable [*]; the 64-bit executable is available on request);

2. copy SENTINEL.DLL as %SystemRoot%\ACLUI.DLL (use the method shown
   in <http://seclists.org/fulldisclosure/2015/Mar/92> to bypass UAC);

3. execute %SystemRoot%\RegEdit.exe


Mitigation(s):
~~~~~~~~~~~~~~

1. For %! In (%SystemRoot%\*.exe %SystemRoot%\*.dll) Do If Not Exist %SystemRoot%\System32\%~nx! MkLink /H %SystemRoot%\System32\%~nx! %!

  This helps, however, only if RegEdit.exe is not called with its fully
  qualified pathname %SystemRoot%\RegEdit.exe.

2. Define ACLUI.DLL as "known DLL":

   [HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\KnownDLLs]
   "aclui"="ACLUI.DLL"

3. Prevent elevation of RegEdit.exe per UAC in "protected
   administrator" accounts:

   [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers]
   "C:\Windows\RegEdit.Exe"="RUNASINVOKER"

   [HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers]
   "C:\Windows\RegEdit.Exe"="RUNASINVOKER"

4. Demote your "protected administrator" account created during Windows
   setup to a standard user account.

   See <http://windows.microsoft.com/en-us/windows/user-accounts-faq>
   and <http://windows.microsoft.com/en-us/windows/change-users-account-type>:

   | When you set up Windows, you were required to create a user account.
   | This account is an administrator account that allows you to set up
   | your computer and install any programs that you'd like to use. Once
   | you finish setting up your computer, we recommend that you create a
   | standard account and use it for your everyday computing. If you create
   | new user accounts, you should also make them standard accounts. Using
   | standard accounts will help keep your computer more secure.


[*] see <http://home.arcor.de/skanthak/sentinel.html>

stay tuned
Stefan Kanthak

PS: more than 22 years after introduction of Windows NT Microsoft STILL
    continues their VERY BAD and REALLY NASTY habit to give the user
    account(s) created during Windows setup administrative rights!

    No, UAC is NOT a security boundary, but just a convenience feature:
    see <https://support.microsoft.com/en-us/kb/2526083>,
    <https://blogs.msdn.com/b/e7/archive/2009/02/05/update-on-uac.aspx>,
    <https://technet.microsoft.com/en-us/magazine/2009.07.uac.aspx>,
    <https://technet.microsoft.com/en-us/magazine/2007.09.securitywatch.aspx>,
    <https://technet.microsoft.com/en-us/magazine/2007.06.uac.aspx>, ...

    Jane and Joe Average will happily give consent to almost any program
    (like RegEdit.exe) which asks for elevated privileges, DESPITE most
    warnings!
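An added audit script (my own, not part of Stefan Kanthak's post) that reports whether mitigations 2, 3 and 4 above are in place on the local machine, and whether any DLL in %SystemRoot% shadows a differing file of the same name in System32, which is the condition the ACLUI.DLL proof of concept relies on. It assumes PowerShell 4.0 or later (for Get-FileHash) and that whoami.exe is on the path.

```powershell
# Added audit script, not part of the original post. Assumes PowerShell 4.0+
# (Get-FileHash) and a standard %SystemRoot% layout.
$root     = $env:SystemRoot
$system32 = Join-Path $root 'System32'
$report   = [ordered]@{}

# Planted DLL check: a DLL in %SystemRoot% with a same-named twin in System32
# should be the very same file (a hard link yields an identical hash). A
# differing copy is exactly what the ACLUI.DLL proof of concept plants.
$shadowed = foreach ($dll in Get-ChildItem -Path (Join-Path $root '*.dll') -File) {
    $twin = Join-Path $system32 $dll.Name
    if (Test-Path -LiteralPath $twin) {
        $a = (Get-FileHash -LiteralPath $dll.FullName -Algorithm SHA256).Hash
        $b = (Get-FileHash -LiteralPath $twin -Algorithm SHA256).Hash
        if ($a -ne $b) { $dll.FullName }
    }
}
$report['ShadowingDLLs'] = @($shadowed)

# Mitigation 2: ACLUI.DLL listed under KnownDLLs (then it is only loaded
# from System32, never from the application directory).
$known = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\KnownDLLs'
$report['AcluiIsKnownDll'] = [bool]($known.PSObject.Properties |
    Where-Object { "$($_.Value)" -ieq 'ACLUI.DLL' })

# Mitigation 3: RUNASINVOKER shim layer for RegEdit.exe in HKLM and HKCU.
# The value name is the full path of the executable; registry value names
# are case-insensitive, so compare with -ieq.
$regedit = Join-Path $root 'RegEdit.exe'
foreach ($hive in 'HKLM:\SOFTWARE', 'HKCU:\Software') {
    $key   = "$hive\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers"
    $flags = $null
    if (Test-Path -LiteralPath $key) {
        $flags = (Get-ItemProperty -LiteralPath $key).PSObject.Properties |
            Where-Object { $_.Name -ieq $regedit } | Select-Object -ExpandProperty Value
    }
    $report["RunAsInvoker_$($hive.Substring(0,4))"] = [bool]($flags -match 'RUNASINVOKER')
}

# Mitigation 4: is the current account still a member of BUILTIN\Administrators
# (S-1-5-32-544)? whoami lists the group even when UAC has marked it
# "used for deny only", so a "protected administrator" is detected as well.
$report['AccountIsAdministrator'] = [bool]((whoami /groups) -match 'S-1-5-32-544')

[pscustomobject]$report | Format-List
```

A non-empty ShadowingDLLs list, or AccountIsAdministrator being True with both RunAsInvoker values False, means the setup described in the proof of concept would still work.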

