Discussion in 'other security issues & news' started by MrBrian, Jan 3, 2015.
I've verified that the POC bypasses UAC at max level on Windows 8.0.
The POC gives error messages on Windows 7 with UAC at max level, so I'm not sure if the technique works on Windows 7.
LOL, another reason to disable the Task Scheduler. Seems like service tweaking is not a bad idea at all.
From UAC Bypass:
I'll be writing a book and I will title it as: Into the Marketing - Microsoft's Dirty Game of Vulnerability Patching.
I might just register another mad experiment to disable the Task Scheduler altogether, that is, after I have my image backup ready in hand. Don't try this at home, people.
Under Windows 10 with the PoC I got: Failed to run as admin
So it looks like only Windows 8/8.1 is affected. Sadly MS has no desire to fix this one.
I tested the POC in the above link on both Windows 8.1 and Windows 7. On Windows 8.1, it bypasses UAC (set to max). On Windows 7, it does not. I installed PowerShell 4.0 on Windows 7 in order to run the POC without errors.
Steps to reproduce:
1. In an admin account, set UAC to max level.
2. On older operating systems, you may need to install PowerShell 4.0.
3. Copy the code in the two boxes in the first post in https://social.technet.microsoft.co...ed3127fc225b/uac-bypass?forum=w8itprosecurity to a file ending with extension .ps1.
4. Start PowerShell.
5. At the PowerShell prompt, type set-ExecutionPolicy -Scope:process Unrestricted
6. Type the name of the file that you created in step 3. If you get an error message, see step 2.
The POC opens a command prompt with admin privileges if it succeeds. When I tried it on Windows 7, no command prompt was opened.
I changed step 5 in the last post; see http://virot.eu/is-your-execution-policy-unrestricted-for-the-entire-machine/ for details on what this command does.
When PowerShell is disabled in Windows features, it does not work, right?
Yes, as I understand it, if PowerShell or scripting is disabled this POC won't work. Though I don't know if there are any other ways to exploit this bug...
These particular POCs won't work anymore if you disable PowerShell, but the technique isn't specific to PowerShell.
Disabling Task Scheduler though might stop the technique. However, see Why You Shouldn’t Disable The Task Scheduler Service in Windows 7 and Windows 8.
Well, I have done it on Win 8, and I don't see any problems. It probably depends on what kind of apps you're using. But I've always seen the Task Scheduler as a security risk, and looks like I was right.
If I may ask, do you have problems with the startup of third-party security software (if you are using any)?
No, not at all. And besides, a good security tool should not rely on the Task Scheduler. It should autostart with a service.
Thanks. It appears that I can't disable the Task Scheduler since all of my autostart apps are dependent on it to start. Very unfortunate indeed.
Can you tell which ones, and why those apps depend on it? My autostart apps run from registry and startup folder.
From a new comment at https://code.google.com/p/google-security-research/issues/detail?id=156&can=1:
I tested on build 9901, so that could be the difference. Although I could very well have done something wrong there. Thanks for the update.
Well, CIS won't start if I disabled Task Scheduler. There's one task entry that activates CIS' protection at boot.
That sounds weird, why would it need the TS? It should be able to start without it.
That's the problem, it can't. I've tested it myself and it won't start automatically.
Then I have to call CIS a joke, I'm sorry.
I run UAC max security while using a standard account, requiring an admin password for UAC protected actions.
Yeah, that does not turn out to be the way I would want. But I need CIS nonetheless, so I might consider LUA to mitigate UAC's bypass in Windows 8.1. Still don't understand why they won't patch it. Ugh... damn marketing team.