Malware Achieves Privilege Escalation via Windows UAC

Discussion in 'other security issues & news' started by Minimalist, May 23, 2015.

  1. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    5,053
  2. TairikuOkami

    TairikuOkami Registered Member

    Joined:
    Oct 10, 2005
    Posts:
    2,508
    Location:
    Slovakia
    In other words UAC works, as it should, but it is user's fault as always. I would be definitely alerted, if UAC would suddenly request to access registry.
    Not to mention, that they fail to provide info, how the computer is infected. In order to create a service you need UAC approval. It is chicken an egg.
    I delete AppInit_DLL location among with other startup entries before shutdown, so it would fail to run anyway, more detailed POC would be helpful.
     
  3. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    5,053
    As I understand from this article they use some kind of injection in unelevated Explorer.exe and then hook AicLaunchAdminProcess. Then it waits until user tries to run CMD or regedit elevated and modifies the request. User allows UAC prompt (thinking it is a prompt for his elevated CMD or regedit) and instead elevates a command that attacker wants to run. That's how I understand it.
    I don't think that user should be blamed here. If I right-click CMD and choose Run as Administartor, I expect UAC prompt and I will surely allow it.
     
  4. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    5,053
    I've read his blog here: http://blog.cylance.com/trick-me-once-shameonuac
    Conclusion:
    1. Always use show details on UAC prompt and check program location (command) before approving.
    2. Don't get ShameOnUac injected into unelevated Explorer.exe in the first place.

    EDIT: it would be nice if there would be an option to always show details in UAC prompt but I couldn't find a setting to make it happen. So we get one additional click before approving.
     
  5. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    I don't understand this. Why would anyone run a malware application in the first place?

    ----
    rich
     
  6. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    Trojans and exploits.
     
  7. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    8,010
    Location:
    The Netherlands
    That is not the point, you can always be tricked into believing that a certain app is malware free. But this attack involves injecting code into Win Explorer, that should always raise suspicion.
     
  8. TairikuOkami

    TairikuOkami Registered Member

    Joined:
    Oct 10, 2005
    Posts:
    2,508
    Location:
    Slovakia
    Not really, I verify any new app before running, all POC automatically assume, that the user can get infected in the first place. If I understand it correctly, a malware can bypass UAC after a user allows its setup with UAC, just like another UAC bypass before, which claims, that UAC is useless, well obviously, if the user allows. UAC, just like HIPS or any advanced security is only as good as the user, who controls it. If he allows any prompt blindly, he can as well be running nothing.
     
  9. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    5,053
    As I understand user doesn't have to allow malware setup as it injects itself in unelevated Explorer.exe. Anti-executable and dll loading control would probably stop infection, but not UAC. How the code would be injected into Explorer.exe is another question.
    Second stage of attack is UAC "bypass" which can be prevented by using show details on UAC prompt and checking what you really want to elevate. If user finds out that UAC prompt is for another command and not the one that he intended to launch, he can deny UAC prompt and by this prevent privilege escalation.
     
  10. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    8,010
    Location:
    The Netherlands
    My point is, you can never be sure if some app is 100% malware free or not. Minimalist already explained the details, but I'm not impressed by this attack. Or perhaps I'm misunderstanding something, because when the ShameOnUAC app is run, it already has admin rights, correct? So of course it's going to inject code into explorer.exe, and if you can inject code into system processes, no wonder you will also be able to hijack UAC, what else is new? End conclusion: HIPS is always needed, and think twice if apps want to inject code into (system) processes.
     
  11. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    5,053
    According to article, ShameOnUac does not run with admin rights as Explorer.exe is not run with those rights also. Code injection part is conducted without admin rights. After code is injected it is listening for UAC prompts for other processes. When UAC prompt is triggered for specific apps (in this case cmd or regedit) it tempers with that request so that UAC is triggered for action that an attacker wants and not for an action that user wants to elevate. So instead of elevating cmd.exe user might find himself elevating badcommand.bat. The solution is to always click Show details on UAC prompt and check program location just to be sure that elevation was not redirected to some other target command.
    IMO it's smart attack as most users would not double-check UAC prompt which they expect to happen.
     
  12. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    8,010
    Location:
    The Netherlands
    OK, so apps can inject code into other processes without any admin rights, go figure. No surprise then, that UAC can be manipulated quite easily. Code injection is also used by banking trojans for example, to manipulate the browser. Like I said, HIPS will always be needed, and I don't even use UAC.
     
  13. TairikuOkami

    TairikuOkami Registered Member

    Joined:
    Oct 10, 2005
    Posts:
    2,508
    Location:
    Slovakia
    But it still has to be run first, so far it looks like it "magically" infect a computer, a full detail report would be great. :doubt:
     
  14. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    8,010
    Location:
    The Netherlands
    Don't all malware have to run first? This app (and any other malware) can be installed/executed either by user or automatically by exploit. So that's not the point.
     
    Last edited: Jun 3, 2015
  15. TairikuOkami

    TairikuOkami Registered Member

    Joined:
    Oct 10, 2005
    Posts:
    2,508
    Location:
    Slovakia
    There is so little malware, which can run automatically by exploit than you can actually count it with fingers, AV companies and news regularly scare people with it, but malware does not magically run by itself, when there are passive defences in place, as for the careful user, the chance of him running it are astronomical.
     
  16. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    2,969
    Location:
    U.S.A.
    I agree. Plus the exploit needs a vulnerability. And finally a fully patched system lowers the odds further.

    Note that when WIN 10 rolls out, the exploit risk increases due to the higher number of vulnerabilities in a new OS.
     
    Last edited: Jun 3, 2015
  17. TairikuOkami

    TairikuOkami Registered Member

    Joined:
    Oct 10, 2005
    Posts:
    2,508
    Location:
    Slovakia
    Indeed, new services, new Windows tasks and I am not even mentioning "the great" store, which can not be simply disabled like in 8.1, since even Windows Updates, control panel and other system components are linked through it, they even replaced Calc with a metro app, MS was so bothered with 50 KB app. :confused:
     
  18. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    8,010
    Location:
    The Netherlands
    The point that I was trying to make is: a statement like "if malware can't run, it can't do any damage", hasn't got a lot of value, because it's a no brainer. Of course people use AV's and try to download apps from trusted websites. But still a lot of people (and companies), who are a lot less tech savvy and paranoid than us, get infected every day.

    Especially banking trojans and ransomware have been a relatively big problem the last few years. Malware is mostly delivered by exploits and by so called "Spear-phishing" attacks. The holy grail would be an AV that would detect 100% of malware, but since that will never exist, I'm sticking with my "trust no app" motto. That's why I'm using HIPS, sandboxing and system monitoring tools.
     
  19. TairikuOkami

    TairikuOkami Registered Member

    Joined:
    Oct 10, 2005
    Posts:
    2,508
    Location:
    Slovakia
    Sure, but since this topic is about UAC, we are basically talking only about skilled IT users, common users either use default UAC or disable it completely.
     
  20. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    8,010
    Location:
    The Netherlands
    I'm sorry but that doesn't make any sense whatsoever. The point is, even skilled IT users can be tricked into running a malicious app that is able to bypass any AV. What we discovered in this attack, is that malware doesn't even need any admin rights, in order to hijack UAC.
     
  21. TairikuOkami

    TairikuOkami Registered Member

    Joined:
    Oct 10, 2005
    Posts:
    2,508
    Location:
    Slovakia
    Once it is run, it does not need admin rights, but it still has to be run first, it is a chicken and egg problem.
     
  22. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    8,010
    Location:
    The Netherlands
    Yes, and that's what triggered this whole discussion. I mean why mention this no-brainer in the first place? :D

    What's more interesting to me is how to stop malicious or unwanted actions, AFTER you run some app. Keep in mind, there is no way to know if apps are 100% legit or not. In theory, a writer of one of your favorite tools might decide to turn it into malware. That's exactly what happened with Orbit Downloader. Or a server of a software company might be hacked, that's happened with the maker of GOM Player last year.
     
  23. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    5,053
    Yes, it's about UAC. Running or executing a code is not what is monitored by UAC. So saying something has to run to evade UAC is a little off topic IMO.
     
  24. MisterB

    MisterB Registered Member

    Joined:
    May 31, 2013
    Posts:
    1,103
    Location:
    Southern Rocky Mountains USA
    UAC does create possibilities of elevated privilege that don't exist without it. For example, If I try to copy a file to the program files directory on this Xp computer, it is flat out denied and the only way to do it is to either start an administrator prompt with the password or fully log onto the administrator account. With UAC, you get a prompt and if you know the password or don't have one and click yes, the file is copied. If a script on a web page tries to do this, it will silently fail without UAC but with it you will get a warning that something funny is going on on this page due to the unexpected prompt. If you don't understand what the prompt means and say yes, you've allowed an infection.
     
  25. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    5,053
    Yes that's why it's mostly useless for users that don't understand those prompts and just allow everything using their admin account.
    In this case prompt is not unexpected, though. You intentionally try to elevate one program (cmd or regedit) and UAC gets redirected to elevate something else.
     
    Last edited: Jun 5, 2015
Loading...