UAC (User Account Control) discussion thread

Discussion in 'other security issues & news' started by MrBrian, Jan 3, 2015.

  1. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    I've verified that the POC bypasses UAC at max level on Windows 8.0.
     
  2. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    The POC gives error messages on Windows 7 with UAC at max level, so I'm not sure if the technique works on Windows 7.
     
  3. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    14,557
    Location:
    The Netherlands
  4. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    From UAC Bypass:
     
  5. guest

    guest Guest

    I'll be writing a book and I will title it: Into the Marketing - Microsoft's Dirty Game of Vulnerability Patching. :rolleyes:

    I might just go ahead with another mad experiment and disable the Task Scheduler altogether, that is after I have my image backup ready in hand. Don't try this at home, people. ;)
     
  6. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    Under Windows 10 with the PoC I got: Failed to run as admin
    So it looks like only Windows 8/8.1 is affected. Sadly MS has no desire to fix this one.
     
  7. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    I tested the POC in the above link on both Windows 8.1 and Windows 7. On Windows 8.1, it bypasses UAC (set to max). On Windows 7, it does not. I installed PowerShell 4.0 on Windows 7 in order to run the POC without errors.
     
  8. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    Steps to reproduce:
    1. In an admin account, set UAC to max level.
    2. On older operating systems, you may need to install PowerShell 4.0.
    3. Copy the code in the two boxes in the first post in https://social.technet.microsoft.co...ed3127fc225b/uac-bypass?forum=w8itprosecurity to a file ending with extension .ps1.
    4. Start PowerShell.
    5. At the PowerShell prompt, type set-ExecutionPolicy -Scope:process Unrestricted
    6. Type the name of the file that you created in step 3. If you get an error message, see step 2.

    The POC opens a command prompt with admin privileges if it succeeds. When I tried it on Windows 7, no command prompt was opened.
     
    Last edited: Jan 16, 2015
  9. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
  10. TairikuOkami

    TairikuOkami Registered Member

    Joined:
    Oct 10, 2005
    Posts:
    3,165
    Location:
    Slovakia
    When PowerShell is disabled in Windows features, it does not work, right? :doubt:
     
  11. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    14,402
    Location:
    Slovenia
    Yes, as I understand it, if PowerShell or scripting is disabled this POC won't work. Though I don't know if there are any other ways to exploit this bug...
     
  12. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
  13. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    14,557
    Location:
    The Netherlands
  14. guest

    guest Guest

    If I may ask, do you have problems with the startup of third-party security software (if you are using any)?
     
  15. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    14,557
    Location:
    The Netherlands
    No, not at all. And besides, a good security tool should not rely on the Task Scheduler. It should autostart with a service.
     
  16. guest

    guest Guest

    Thanks. :) It appears that I can't disable the Task Scheduler since all of my autostart apps are dependent on it to start. Very unfortunate indeed.
     
  17. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    14,557
    Location:
    The Netherlands
    @GrafZeppelin

    Can you tell which ones, and why those apps depend on it? My autostart apps run from registry and startup folder.
     
  18. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    From a new comment at https://code.google.com/p/google-security-research/issues/detail?id=156&can=1:
     
  19. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
  20. guest

    guest Guest

    Well, CIS won't start if I disable Task Scheduler. There's one task entry that activates CIS' protection at boot.
     
  21. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    14,557
    Location:
    The Netherlands
    That sounds weird, why would it need the TS? It should be able to start without it.
     
  22. guest

    guest Guest

    That's the problem, it can't. I've tested it myself and it won't start automatically.
     
  23. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    14,557
    Location:
    The Netherlands
    Then I have to call CIS a joke, I'm sorry.
     
  24. RockLobster

    RockLobster Registered Member

    Joined:
    Nov 8, 2007
    Posts:
    1,812
    I run UAC max security while using a standard account, requiring an admin password for UAC protected actions.
     
  25. guest

    guest Guest

    Yeah, that does not turn out to be the way I would want. But I need CIS nonetheless, so I might consider LUA to mitigate UAC's bypass in Windows 8.1. Still don't understand why they won't patch it. Ugh... damn marketing team. :rolleyes:
     
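For the mitigation RockLobster and the guest poster discuss above (UAC at max level, daily use from a standard account), here is an added PowerShell audit that reports the UAC slider values and whether the current session belongs to a local administrator. It is my code, not from this thread or the PoC, and it assumes the documented policy value names under the Policies\System key and that the "Always notify" slider position corresponds to ConsentPromptBehaviorAdmin = 2 with PromptOnSecureDesktop = 1.

```powershell
# Added example (not from the thread): audit UAC configuration and the
# privilege level of the account running this script.
# Assumption: "Always notify" = ConsentPromptBehaviorAdmin 2 + PromptOnSecureDesktop 1.

function Get-UacPosture {
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $p = Get-ItemProperty -Path $key

    # Does this process hold a full (elevated) administrator token?
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    $elevated  = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

    # Is the logged-on user a member of local Administrators at all?
    # S-1-5-32-544 is the well-known SID of BUILTIN\Administrators; whoami lists
    # it (marked deny-only) even in a UAC-filtered token, so this distinguishes
    # a true standard account from an admin account that merely is not elevated.
    $isAdminMember = [bool](whoami /groups /fo csv | ConvertFrom-Csv |
        Where-Object { $_.SID -eq 'S-1-5-32-544' })

    $maxLevel = ($p.EnableLUA -eq 1) -and
                ($p.ConsentPromptBehaviorAdmin -eq 2) -and
                ($p.PromptOnSecureDesktop -eq 1)

    [pscustomobject]@{
        EnableLUA                  = $p.EnableLUA
        ConsentPromptBehaviorAdmin = $p.ConsentPromptBehaviorAdmin
        PromptOnSecureDesktop      = $p.PromptOnSecureDesktop
        UacAtMaxLevel              = $maxLevel
        User                       = $identity.Name
        LocalAdminMember           = $isAdminMember
        Elevated                   = $elevated
        # The thread's mitigation: with no admin group membership there is no
        # split admin token for an auto-elevation trick to obtain.
        RunningAsStandardUser      = -not $isAdminMember
    }
}

Get-UacPosture | Format-List
```

A host where UacAtMaxLevel is False, or where the daily-use account shows LocalAdminMember True, is still exposed to the kind of bypass discussed in this thread.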