Privilege Escalation exploits?

I know that theoretically malware can bypass LUA with the use of these exploits, but in reality how common is this? Can anyone actually provide real world examples of malware which successfully bypasses LUA in this way? Are there any known malware or even POCs which can bypass LUA?

 

Yes it can be done,no it isn't that common is the simple answer.This article is a good reference:

http://www.prevx.com/blog/83/Is-Limited-User-Account-enough-Not-really.html

 

http://isc.sans.org/diary.html?date=2009-03-13

http://www.symantec.com/connect/blogs/privilege-escalation-exploit-wild

 

Thanks for the response guys, it seems to me that privilege escalation is extremely rare and difficult. Those articles are 2,3 and 1 years old respectively. One deals with usermode rootkits and loggers which can be dealt with by AM apps with admin privileges, another requires personal access to the target(at which point all bets are off) and the third applies primarily to servers. Are you guys aware of any malware currently doing the rounds with privilege escalation capabilities (Edit: specifically targetted at non-server editions of windows)?

 

Hot or Not: Local privilege escalation vulnerabilities

 

Dreg Hedda,

As a shameless policy management promotor I have done some testing on my brother's in law Windows7 x64 machine (on his bare bone Windows 7 OS, don't worry I re-formatted the drive and made sure he got a clean install).

I dare say that it is safe to run as an Admin Account (no fear of elevation intrusions), with the following prerequisites

1. Running full UAC (be so smart to set it to max it after you have installed everything), so that is one position higher than the default UAC (which does not kick in on registry changes).
Benefit: you get an elevation request on all intrusions to the System/Admin space

2. Running your internet facing applications with Medium rights (IE runs with Lowest rights by default, Tabs of Chrome also run with lowest rights). When running UAC this is realised by default. When you do NOT want to receive elevation request (to PREVENT USER MISTAKES), then setting the intergrity rights to M (Medium), with ICACLS.EXE does the trick
Benefit: when an application request elevation it is SILENTLY denied, so this excludes user mistakes (normally all internet facing applications should run well with Medium rights)

3. Applying the deny execute registry trick and use Chrome
When you change the value, below Chrome is allowed to download a file, but Explorer does not allow it to be executed.
HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
add a REG_DWORD rename it to 1806 and give it a hexidecimal value 3, it should show
1806 REG_DWORD 0x00000003 (3)

This deny execute ACCESS limitation can be removed by right clicking on a downloaded executable, select properties and select the general tab, on the bottem there is a security block which can be removed (permanently).

When you use windows ZIP, this marker is even saved when extracting executables from a ZIP-archive (note other archive managers like 7-zip do not copy the ADS marker).

benefit: you add a selective ACCESS limitation (which effectively acts as a deny execute), which can be removed for files you do want to execute (stops drive by download infections)


4. As said Chrome is the most elegant browser to use the registry trick with (IE8 even does not let you doenload it, FF seems to download a zero bytes executable). Two years in seccession Chrome was not hacked at the PWN2OWN contest.
With WIn7 lower objects are not allowed to change higher rights objects. This still leaves the option open for side by side infections. Chrome's sandbox does not allow side by side infections, so in x64 (and in the browser). It is advisble to use the --safer-plugins switch this also sandboxes flash, pdf plugins etc.

Benefit: add an extra policy sandbox with Chrome which applies stronger policy limitations than Microsoft does.


Note:
With the 'normal' features of the OS, chances are also very low in reality


Regards Kees

 

LUA is good but not 100 percent. no single app is 100 percent. So you can't totally rely on LUA as your only security measure. you need other security app's
as well without going overboard.

 

To be honest when you add free facebook PrevX safe online and free Avast (file shield) and siteadvisor for Chrome to the above setup, I think an average user can't go wrong (will never be infected in practise), ergo does not need any security application.

 

Interesting read MrBrian! But again the article is 3 years old, and it seems that the rise of these exploits have not taken off as the article predicts. It seems to me that so few people run as LUA that malware writers just dont seem to bother coding privilege escalation into their nasties.

 

Hi Kees,

Fascinating post as always. I am not currently using x64, but I will assume everything you've posted is equally applicable to x32. I have two main questions regarding the registry trick:

1) Does it work with Iron?

2) Does it apply to all executable types or only .exes?

EDIT: Oh and thanks for the info on UAC regarding registry protection, I was not aware of this.
Thanks.

 

Hi Arran,

LUA is not my only line of defence, but the reason I ask this question is because I am interested in seeing how much protection it gives alone. Also from a intellectual perspective I am curious. For the longest time Ive been against LUA due to privilege escalation exploits. However I recently realised that it was illogical distrusting LUA based on theoretical privilege escalation exploits and so I started this thread to see just how common this vulnerability was in reality.

 

I have been running for a long time with LUA/SRP and no real-time security apps. I just have some on-demand scanners to check files I download. Every couple of weeks I run a scan over the system partition with Avira, Malwarebytes and AVZ and they never find anything. It really does work, it uses no resources, causes no BSODs and needs no updates. Things like the TDL3 rootkit or mbr rootkits can't install under a limited account. This is much preferable to trying to find it with a rootkit detector after the fact.

Of course that's illogical. Just because there are privilege escalation exploits it makes no sense to run as admin and save them the trouble of even needing an exploit

BTW, this is why it's important to keep the OS and vulnerable software patched. The patches for Blaster and Sasser were out long before the malware, so anyone that got hit with that only had himself to blame. Same for Adobe Reader, Flash and Java.

 

It's true that in general malware writers nowadays aren't that bothered about trying to circumvent well protected systems.They're just after a fast £ and the simple fact is there's far easier ways to get malware onto the most systems possible,as illustrated by the huge number of rogue AMs out there.

 

Remember though that by default admin users (except for the Administrator account) in Vista and Win 7 have a filtered token, so a privilege escalation exploit would be useful even in admin accounts in order to avoid a UAC prompt.

 

This for me seems to work differently than you describe. I'm using Win 7 Pro with IE8. By default and since installing Win 7, any download will have in the file properties, general tab, an Unblock button.



If I do not select the Unblock and apply it but do decide to install the download by clicking it, the app will install without any problems.



It appears that something is wrong with my settings on this. With that thought in mind, I open up gpedit and apply a few settings



Risk level is set to high, all file types and then some are added. Me thinks that this is the ticket but it's not. It works to only allow the file/files to appear as though they are downloaded but when the download is complete it will not write it to disk which I'm thinking that it should write to disk and give me the option to unblock through the file properties or at least prevent it from launching/installing. Here's what I get.



OK, I can accept that it blocks the writing to the disk of said download. Seems secure enough even though I don't think this is how it's suppose to work. I'm wrong again, it's not secure at all, whilst the dialogs above in the screenshot are still visible on the screen, meaning I have not selected the OK button, I can open the Download folder, cut the downloaded file and paste it any where on any disk and the file will save without the Unblock button in the properties page and the file of course will run without any prompt other than UAC. If I do select the OK button in the dialog, then the file wil not be written to the disk, no download. What's wrong? What kind of dialog warning am I suppose to be getting providing that the download writes to disk? I thought it went like this, download file, click to launch, warning dialog appears giving hint that if one trusts the download, one would have to select the Unblock button.

 

Yup works on x32 to. As far as I know, Trusteer does not work with Iron, but PrevX safe online does (get the face book freebie).
Works on all types of executables (all high risk files see http://support.microsoft.com/kb/883260 )

Try to read about icacls.exe it really is a good tool of the OS
http://www.computersplace.com/icaclsexe-acl-command-line-management/windows-server/
http://www.symantec.com/connect/articles/introduction-windows-integrity-control
http://msdn.microsoft.com/en-us/library/bb625965.aspx

 

Sorry, when on Windows Pro you must use the Gpedit.msc for it.

Go to (hopefully translated from dutch to ebglish correctly) User configration,
Management templates (?), Windows, Internet Explorer, look for something called options, tab SECURITY
Look for the internet zone may be something like "Start programs and unsafe files", select configure, select deny (not allowed)"

Note IE8 works dfifferently, it does not allow you to download executables. When you set the default level to high, no file is allowed to down load. So keep this standard ("default risk level attachement" or specify the extentions explictely in the "exclusion list"

I am not on Win7, my brother in law has a Windows7 Home.

Regards Kees

 

I reset the other to the default settings, I think I found the one you refer to,
Windows Components>Internet Explorer>Internet Control Panel>Security Page>Locked-Down Internet Zone>Launching programs and unsafe files. I tried every combination and it doesn't work. I also tried it at Internet Zone. Even if I have prompt selected, I get no prompt, If enable is selected with disabled selected in the drop down, file stil launches. All of this is done with the Unblock button still being active in the properties page. Any ideas?

 

No I have not,

Setting it at the internet zone should do the the trick (enable, disallow). Re-boot and try? Are you using IE8 32 bits?

Only other solution is to re-set all GPEDIT settings to default and try (isolating the problem and try)


Regards Kees

 

IE8 32 bit. Ah, no reboot, that has to be the problem.

 

Nah, no go with that either. Here's what I get now



This must not work for any Pro editions of Windows. In XP it's pretty much the same way, it blocks the download from being downloaded. It seems my choices are,
1) Leave it at default, which is I have an Unblock button but it's useless because the file will still execute without applying the Unblock button.
2) Put it back to the way I had it a few posts earlier, again kinda useless since the file will download but will seemingly not write to disk although I can copy/cut the file before accepting the OK in the warning box and paste on any disk and freely launch from there without an Unblock button.
3) Keep it the way it is now, files won't download, period.lol

I filtered configured items in Group Policy. I only have two IE related, scan with AV and this one.

 

Greg

Congrats, you get exactly what you want.

As I said
1)
On IE8 it prevents download of high risk types (default all executables)
ON Chrome it allows download
2)
When such a file attachement is downloaded, explorer does not allow you to execute it.


My suggestions: leave the high risk attachments to the default value. That messed up how it works (when you specify additional high risks, you need to specify all the default risks to). Use the BLOCK ON/OFF reg files I added (the txt file) in the one of the earlier posts. Read them again

the try https://www.wilderssecurity.com/showthread.php?t=261346
the tested https://www.wilderssecurity.com/showthread.php?t=262475

Just try a download with swtch OFF, next switch switch block ON, now try to execute it.

Regards

 

The answer may depend on what you mean by "bypass".

User accounts are a security boundary and theoretically there should be no way to bypass them short of a bug in the OS.

Third party app vulnerabilities or apps with poorly configured ACLs could allow code to escape a user account and "bypass" a LUA. MrBrian has posted links regarding this in the past.

I've watched what I believe was a zero-day local escalation exploit trash a password protected admin account from within a LUA a couple of years ago (fully patched system); so yes, I can tell you there are such exploits in the wild.