Exploiting Environment Variables in Scheduled Tasks for UAC Bypass

Discussion in 'other security issues & news' started by WildByDesign, May 15, 2017.

  1. WildByDesign

    WildByDesign Registered Member

    Exploiting Environment Variables in Scheduled Tasks for UAC Bypass
    By James Forshaw of Google Project Zero

    Link: https://twitter.com/tiraniddo/status/864245310440316928


    Link: https://twitter.com/tiraniddo/status/864245503432806401

    Blog Article: https://tyranidslair.blogspot.com/2017/05/exploiting-environment-variables-in.html

     
  2. WildByDesign

    WildByDesign Registered Member

    Just realized this:
    Damn...

    EDIT: Auto-elevated to Admin command prompt on my Creators Update machine despite having UAC on highest setting without any prompt.

    The blog also provides a method to mitigate this exploit.
     
    Last edited: May 15, 2017
  3. guest

    guest Guest

    Yep, using Task Scheduler was already used, seems still a viable attack vector. Again we see cmd and PowerShell used. If blocked (as I do), it won't work.
     
  4. itman

    itman Registered Member

  5. Rasheed187

    Rasheed187 Registered Member

    Most HIPS alert about task creation, but yes, UAC is easy to bypass, we all know that.
     