UACMe - Defeating Windows User Account Control

Discussion in 'other security issues & news' started by CloneRanger, Dec 19, 2014.

  1. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,833
     
  2. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    Thanks for posting :).

    I'm assuming that if UAC is set to maximum level, one will get a UAC prompt for an action by a Microsoft program, whose trust will be abused to do potentially bad things.
     
  3. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    8,038
    Location:
    The Netherlands
    I must admit that I still miss the whole point of UAC, I guess it's a good thing that apps normally run with "medium integrity" rights. But how will it protect you from malware that you install yourself? And it clearly can't stop drive-by attacks. Besides that, it's a pain to operate so I turned it off on Win 8.
     
    Last edited: Dec 19, 2014
  4. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,516
    Never run UNIX? Nothing can protect you from yourself outside of stripping all your rights. And tell me how drive by attacks aren't affected when running as a standard user as opposed to admin.
     
  5. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    8,038
    Location:
    The Netherlands
    @ J_L

    Good point, perhaps it was a wrong assumption about the drive-by attacks. I wonder if there are any stats on how many people get infected by exploits on Win 8, when running as non-admin. But the reason why I'm not a fan of UAC was because of all the alerts when installing software. To me it's pointless, it's not like HIPS, which will alert you about suspicious behavior, know what I mean?
     
  6. safeguy

    safeguy Registered Member

    Joined:
    Jun 14, 2010
    Posts:
    1,709
    Nothing really new.
    http://www.pretentiousname.com/misc/win7_uac_whitelist2.html
    http://blog.cobaltstrike.com/2014/03/20/user-account-control-what-penetration-testers-should-know/

    UAC has its flaws but to call it a "joke" because it does not meet the misguided expectation of it being a security feature is rather lame.

    To understand UAC, read this article by Mark Russinovich
    http://technet.microsoft.com/en-us/magazine/2009.07.uac.aspx

    Alternatively this for a shorter version:
    https://www.wilderssecurity.com/thre...uac-according-to-one-of-its-designers.273860/

    The fact is UAC wasn't and still isn't meant as a security boundary. It was designed to make running with standard user rights easier. The default setting in Win7 was set as such because most folks complained about how noisy UAC was in Vista.

    Disable UAC and there goes all the benefits of Integrity Levels. Do a search on Wilders...there has been quite a number of threads discussing the merits of UAC.
     
  7. guest

    guest Guest

    The problem with UAC, is it allows the user to make a decision. The user is flawed, it's not going to work, get over it!

    It's the same thing with CHIPS and BB, actually.
     
  8. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    1,984
    Location:
    Canada
    From the first link EP_XOFF references:

     
  9. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    8,038
    Location:
    The Netherlands
    This makes sense, but if you plan to use your system as admin, does it still have advantages? I couldn't find any on Win 8. Well, perhaps the only advantage is that apps without admin rights can not inject code into (and communicate with) system processes, at least if I'm correct. But if you turn off UAC, apps can auto elevate. And if you don't turn it off you will get annoyed by pointless alerts.
     
  10. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    1,984
    Location:
    Canada
    I don't know about Win 8, but it still does have advantages when running as Administrator, when you have Admin Approval Mode, because they can still run processes with a Standard user token:

    -http://technet.microsoft.com/en-us/library/dd835561%28v=ws.10%29.aspx

    Of course it is still best to run from a Standard user account.
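The split token wat0114 describes (and the integrity levels safeguy refers to earlier) can be inspected directly. The following PowerShell is an added example, not code from the thread or from UACMe; it uses only the built-in whoami.exe and the .NET WindowsPrincipal class, and the integrity SIDs S-1-16-8192 (Medium) and S-1-16-12288 (High) are the standard Windows values.

```powershell
# Added example: report what kind of token the current PowerShell process holds.
# An administrator in Admin Approval Mode gets a filtered token at Medium IL in which
# BUILTIN\Administrators is present but marked "Group used for deny only"; the same
# user elevated through a UAC prompt gets the full token at High IL.

function Get-TokenContext {
    # whoami /groups prints the integrity label row (SID S-1-16-*) as well as the
    # group list; /fo csv makes it trivially parseable.
    $groups = whoami /groups /fo csv | ConvertFrom-Csv

    $label  = $groups | Where-Object { $_.SID -like 'S-1-16-*' }   | Select-Object -First 1
    $admins = $groups | Where-Object { $_.SID -eq 'S-1-5-32-544' } | Select-Object -First 1

    # IsInRole(Administrator) is false for the filtered token because the deny-only
    # Administrators SID cannot grant access; it is true for the full token.
    $principal  = [Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()
    $isElevated = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

    $summary = if (-not $admins) {
        'standard user: Administrators SID not in token at all'
    } elseif ($admins.Attributes -match 'deny only') {
        'admin in Admin Approval Mode: filtered token, standard-user rights'
    } elseif ($isElevated) {
        'admin with full token: elevated, or UAC turned off (EnableLUA=0)'
    } else {
        'Administrators SID present but not enabled'
    }

    [pscustomobject]@{
        User            = (whoami)
        IntegrityLevel  = if ($label)  { $label.'Group Name' } else { 'unknown' }
        IntegritySid    = if ($label)  { $label.SID }          else { 'unknown' }
        AdminsAttribute = if ($admins) { $admins.Attributes }  else { '(not a member)' }
        IsElevated      = $isElevated
        Summary         = $summary
    }
}

Get-TokenContext | Format-List
```

Run it once from a normal PowerShell window and once from one started with "Run as administrator": the first shows Medium Mandatory Level with Administrators as deny-only, the second High Mandatory Level with the group enabled. If the plain window already reports High and an enabled Administrators group, token filtering is off, which is the state the thread is arguing about.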
     
  11. safeguy

    safeguy Registered Member

    Joined:
    Jun 14, 2010
    Posts:
    1,709
    @Rasheed

    I agree the alerts can be repetitive and annoying as an admin but search MrBrian's posts on workarounds...

    There goes a lot more behind the scenes than just the alerts you see. If I had to pick between classical HIPS and UAC, I would pick UAC because it enforces medium rights system-wide and things like Integrity Levels (and sandboxes like Chrome's) are affected if you disable UAC.

    The one you see is ugly. The one hidden behind the view...that's where the treasure lies.
     
  12. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    Currently I use RunasRob free version to start a program launcher (Folder Menu - desktop image) at login without a UAC prompt in my standard account. The program launcher can then launch other programs without a UAC prompt.
     
    Last edited: Dec 21, 2014
  13. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    8,038
    Location:
    The Netherlands
    I think that UAC is mainly designed for people who want to run as a standard user. Whether you disable UAC (on admin account) or not, apps will indeed always run with "medium integrity", which is a good thing. I did notice that on Win 8 you can not completely disable UAC with the standard Windows UAC tool, it will still deny stuff automatically, too bad that nobody has made a list of what it exactly blocks.

    Are you sure? On my system most apps that are launched by explorer.exe, run with "medium integrity". Can they get higher privileges automatically when UAC is turned off? And that's the thing, when you run HIPS and anti-exe, I don't see any advantages that UAC gives, it's just one more useless alert. With anti-exe it makes sense, it will alert because the app is not on the white-list. HIPS will alert about suspicious behavior, which also makes sense.
     
  14. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    5,068
    I use admin account and SRP so using UAC is mandatory for me. If I disable UAC, programs run under my credentials could write to Windows and Program Files folders without notification. Malware could then freely run from those whitelisted locations.
    I also prefer using UAC as it gives me information that whatever I'm doing can have system wide consequences. When I manage my system I expect UAC prompt so it would be weird for me not to get any.
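Minimalist's point (the SRP default path rules only hold if the account cannot write to those paths) is easy to verify. The PowerShell below is an added example, not code from the thread; it probes the directories that a default SRP or AppLocker path rule allows execution from (Windows, Program Files, Program Files (x86)) by creating and deleting a throwaway file, and reports whether the current token was allowed to write.

```powershell
# Added example: can this token drop a file into the SRP-whitelisted directories?
# With a filtered (Medium-IL) token the writes are denied; with UAC off, or from an
# elevated prompt, they succeed, and a path-based whitelist no longer means much.

function Test-ProtectedWrite {
    param(
        [string[]]$Directories = @($env:windir, $env:ProgramFiles, ${env:ProgramFiles(x86)})
    )
    foreach ($dir in ($Directories | Where-Object { $_ })) {
        $probe  = Join-Path $dir ('uac-probe-{0}.tmp' -f [guid]::NewGuid())
        $result = [pscustomobject]@{ Directory = $dir; Writable = $false; Detail = '' }
        try {
            # Create-then-delete. PowerShell carries an application manifest, so UAC
            # file virtualization does not silently redirect this into VirtualStore
            # the way it can for an unmanifested 32-bit legacy program.
            [IO.File]::WriteAllText($probe, 'probe')
            Remove-Item -LiteralPath $probe -Force
            $result.Writable = $true
            $result.Detail   = 'write succeeded'
        } catch {
            # .NET exceptions arrive wrapped in MethodInvocationException; unwrap first.
            $ex = $_.Exception
            if ($ex -is [Management.Automation.MethodInvocationException] -and $ex.InnerException) {
                $ex = $ex.InnerException
            }
            $result.Detail = if ($ex -is [UnauthorizedAccessException]) {
                'access denied (expected for a filtered or standard-user token)'
            } else {
                '{0}: {1}' -f $ex.GetType().Name, $ex.Message
            }
        }
        $result
    }
}

Test-ProtectedWrite | Format-Table -AutoSize
```

A row showing Writable = True from an ordinary, non-elevated console is the condition Minimalist describes: anything running as that user could plant an executable in a whitelisted path and run it.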
     
  15. safeguy

    safeguy Registered Member

    Joined:
    Jun 14, 2010
    Posts:
    1,709
    @Rasheed

    If you read the Mark Russinovich post, you would understand the purpose behind UAC. Even some MS folks and so-called "experts" get it wrong/confused. UAC itself isn't a security feature...it's a convenience tool to encourage standard rights. If a program is coded with lesser permission rather than automatically running with the highest rights (like in XP), that's where the security is derived.

    In Win8, the "Never Notify" setting no longer disables UAC completely because doing so means losing IL advantage and thus breaks Modern apps (which run in AppContainer). Instead, it autoelevates programs that have set a manifest requesting higher permission...otherwise, programs run at Medium IL by default.

    If you wish to disable UAC completely, do it through Group Policy or Regedit
    http://www.petri.com/disabling-user-account-control-uac-in-windows-8.htm
     
    Last edited: Dec 21, 2014
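The manifest elements safeguy mentions can be read straight out of a binary, which is also how the auto-elevation whitelist linked earlier in the thread (and abused by tools like UACMe) is identified. The PowerShell below is an added example, not code from the thread or from UACMe. It scans a PE file's raw bytes for the embedded manifest XML instead of walking the resource table, which is adequate for Windows' own binaries, and it applies the commonly documented conditions for silent elevation at the default UAC level: autoElevate set to true, a valid signature from the Microsoft Windows publisher, and a location under System32 or Program Files. The exact set of "secure" directories and the choice of eventvwr.exe as a sample auto-elevating binary are assumptions to check on your own build.

```powershell
# Added example: pull requestedExecutionLevel and autoElevate from an EXE's manifest
# and decide whether the binary meets the auto-elevation conditions.

function Get-UacManifestInfo {
    param([Parameter(Mandatory)][string]$Path)

    $full  = [IO.Path]::GetFullPath($Path)
    $bytes = [IO.File]::ReadAllBytes($full)
    $text  = [Text.Encoding]::ASCII.GetString($bytes)   # manifests are ASCII XML

    $level = if ($text -match '<requestedExecutionLevel\s+[^>]*level\s*=\s*["'']([A-Za-z]+)["'']') { $Matches[1] } else { $null }
    $auto  = if ($text -match '<autoElevate>\s*(true|false)\s*</autoElevate>') { $Matches[1] -eq 'true' } else { $false }

    # Catalog-signed system files are reported as Valid on Windows 8.1+ PowerShell;
    # on older builds fall back to signtool or sigcheck if Status shows NotSigned.
    $sig = Get-AuthenticodeSignature -FilePath $full
    $windowsSigned = ($sig.Status -eq 'Valid') -and ($sig.SignerCertificate.Subject -like '*CN=Microsoft Windows*')

    # Assumed secure-location list: System32 and the Program Files trees.
    $secureDirs = @("$env:windir\System32", $env:ProgramFiles, ${env:ProgramFiles(x86)}) |
        Where-Object { $_ } | ForEach-Object { $_.TrimEnd('\') + '\' }
    $inSecureDir = [bool]($secureDirs | Where-Object {
        $full.StartsWith($_, [StringComparison]::OrdinalIgnoreCase) } | Select-Object -First 1)

    [pscustomobject]@{
        Path                    = $full
        RequestedExecutionLevel = $level
        AutoElevate             = $auto
        SignatureStatus         = $sig.Status
        WindowsSigned           = $windowsSigned
        InSecureDirectory       = $inSecureDir
        MeetsAutoElevateRules   = $auto -and $windowsSigned -and $inSecureDir
    }
}

# Compare a commonly cited auto-elevating binary with an ordinary one (assumed examples).
Get-UacManifestInfo "$env:windir\System32\eventvwr.exe"
Get-UacManifestInfo "$env:windir\System32\notepad.exe"
```

The MeetsAutoElevateRules column is the interesting one: at the default slider position such a binary elevates with no prompt, which is exactly why bypass tools look for a way to make one of them load attacker-controlled code. Run the function over the contents of System32 to build your own list.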
  16. safeguy

    safeguy Registered Member

    Joined:
    Jun 14, 2010
    Posts:
    1,709
    @Rasheed

    Why I prefer UAC over classical HIPS. Believe it or not, UAC and ILs present themselves as a HIPS that is much simpler on the user, requiring fewer decisions on their part. You only need to decide whether a program is trustworthy enough to run as admin or not.

    If I run something nasty with admin rights, a classical HIPS might be able to prompt me with alerts but then again I consider that too late. The malware can simply disable my HIPS or send a window message to it to allow the actions (they run on the same desktop after all). If malware can do a lot with very few privileges, the fact I have just given it admin rights means I'm pretty much screwed.

    When programs run with lesser rights, a number of permissions are stripped...they can do less. I don't have to decide whether a program should be allowed to do xyz. It's like auto-restrictions. With the introduction of UAC, fewer programs are running with admin rights...that is a good thing. The major problem is with installers for desktop programs but we are progressing with Modern apps.

    If you consider that a browser is the main threatgate and that browsers nowadays can employ restrictions through "sandboxes" on their own, I have solved a major part of my setup without having to answer prompts or introducing additional code on my system (3rd party devs are mostly slow to adopt basic mitigations and even at times employ dangerous techniques to make their programs work).
     
    Last edited: Dec 21, 2014
  17. safeguy

    safeguy Registered Member

    Joined:
    Jun 14, 2010
    Posts:
    1,709
    Talking about classical HIPS and suspicious behavior, I would rather pick an AV to get that job done earlier in the stage before you even run the program. Classical HIPS are better suited to restrict threatgates than to contain damage.
     
  18. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    8,038
    Location:
    The Netherlands
    Yes, I've read it and I understand it better now, so my end conclusion is that it's mostly a tool to promote the usage of "standard user accounts". But this still means that if you're an experienced user that runs as admin protected by HIPS, you might as well just turn off UAC. Especially in Win 8 where UAC will stay partly active in the background, giving some protection, without getting annoying. The part I don't understand is why UAC can stay quiet when you (the user) change system settings, but it can't do the same when you install/run some app.
     
  19. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    8,038
    Location:
    The Netherlands
    Don't take this the wrong way, but I think you are way off. The whole purpose of HIPS is to alert you about suspicious behavior, no matter what privileges a certain app has.

    My whole point is: if you decide to install or run some app, you are going to give it admin rights, you haven't got a choice if you are eager to make some app work. So the moment you click on that useless "do you want to run this app" alert, it can do whatever the hell it wants, even when it will run under "medium integrity" after install.

    Only a HIPS/behavior blocker can actually give you a second opinion about the credibility of some app. And it's not that easy to bypass HIPS, even with admin rights. Most of the time you will need to install a driver or inject code for this, which is of course monitored by HIPS.
     
  20. SirDrexl

    SirDrexl Registered Member

    Joined:
    Apr 14, 2012
    Posts:
    545
    Location:
    USA
    Regarding standard user accounts, Microsoft only have themselves to blame for people not using them. When you install Windows, you don't get to create a standard account until setup is finished, and there is no information at all about it. You're even encouraged to use your name as the name of the account, and when it finishes it says "Preparing Your Desktop." You are not told anything about how it is preferable to create a standard account afterwards, or why you would want to have more than one account even if you're the sole person that uses a computer. They've had the opportunity to educate people on this, through the screens that show during installation, or during the OOBE phase on a pre-built system, and they haven't taken advantage of it. They could even force you to make a standard account during setup if they wanted.

    No wonder the average person stays as an admin. They don't know any better.
     
  21. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    5,068
    It depends on what level you set it to. On max it will alert you when you (user) change system settings, on default it will alert you only when applications try to make changes. So how it behaves is set by UAC level.
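The slider levels Minimalist describes, and the Win8 "Never Notify" behaviour and Group Policy / Regedit route safeguy mentioned earlier, all come down to three registry values. The PowerShell below is an added example, not code from the thread; it reads those values from HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System and maps them back to the slider positions. The value-to-position mapping is the standard one, but the wording of each description is the editor's.

```powershell
# Added example: show which UAC level is actually configured, including the case the
# slider cannot express on Win8+ (EnableLUA=0, i.e. UAC really off).

function Get-UacConfiguration {
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $p   = Get-ItemProperty -Path $key

    # Missing values read as 0 via the [int] cast; all three exist on a normal install.
    $enableLua = [int]$p.EnableLUA                    # policy: "Run all administrators in Admin Approval Mode"
    $consent   = [int]$p.ConsentPromptBehaviorAdmin   # policy: "Behavior of the elevation prompt for administrators"
    $secure    = [int]$p.PromptOnSecureDesktop        # policy: "Switch to the secure desktop when prompting"

    $position = if ($enableLua -eq 0) {
        'UAC off (EnableLUA=0): no token filtering, no integrity-level separation; AppContainer apps will not run'
    } elseif ($consent -eq 2 -and $secure -eq 1) {
        'Always notify: prompt for program elevations and for user-initiated settings changes'
    } elseif ($consent -eq 5 -and $secure -eq 1) {
        'Default: prompt only when non-Windows programs elevate; Windows binaries may auto-elevate'
    } elseif ($consent -eq 5 -and $secure -eq 0) {
        'Notify without dimming: as default, but the prompt is not shown on the secure desktop'
    } elseif ($consent -eq 0) {
        'Never notify: silent elevation for admins, but EnableLUA=1 keeps the split token and Medium IL'
    } else {
        'Custom combination set by policy'
    }

    [pscustomobject]@{
        EnableLUA                  = $enableLua
        ConsentPromptBehaviorAdmin = $consent
        PromptOnSecureDesktop      = $secure
        ConsentPromptBehaviorUser  = [int]$p.ConsentPromptBehaviorUser   # 3 = ask for admin credentials, 0 = deny silently
        SliderPosition             = $position
    }
}

Get-UacConfiguration | Format-List
```

On Windows 7 the bottom slider position wrote EnableLUA=0 and needed a reboot; on Windows 8 it leaves EnableLUA at 1 and only zeroes the two prompt values, which is why the integrity-level separation survives "Never Notify" there. Changing EnableLUA itself (through Group Policy, Regedit or Set-ItemProperty from an elevated session) still requires a reboot to take effect.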
     
  22. safeguy

    safeguy Registered Member

    Joined:
    Jun 14, 2010
    Posts:
    1,709

    Trust me...I did not start using classical HIPS yesterday. I am more than aware of its definition and role.

    HIPS= Host Intrusion Prevention System

    It is to prevent intrusion, not contain damage after the fact that you have just executed something. Just because most people expect it to alert them of suspicious behavior after they run something doesn't make it the right thing to do. That falls in the domain of behavior blockers which are superseded by AV technologies.

    Example of where HIPS may come in useful

    When you play a media file and your HIPS alert you that it wants to load a driver...
    When you are browsing the web and wxyz.exe wants to execute....

    If you are suspicious of something, you shouldn't be running it. At the very least, you could have verified it with scanning through AV...where even heuristics may fail. You are underestimating what a malicious exe can do with admin rights if you think your HIPS can save the day.

    The point of Medium IL isn't to prevent malware from doing damage. It is to maintain the concept of least privilege. A browser doesn't need admin rights. A media player/file viewer doesn't need admin rights. As simple as that.
     
  23. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    8,038
    Location:
    The Netherlands
    I'm sorry, but I'm really missing the point that you are trying to make. If you block some app from injecting code into the browser (anti-banking trojan), installing a driver (anti-rootkit), block access to private data, and block outbound access, how is that not damage control? The malware may run, but won't be able to achieve its goal.

    Isn't this a no brainer? Of course you always first scan the app with some (cloud) AV, but that still doesn't mean the file is clean. And that's why I call HIPS a "second opinion tool", it might indeed still save the day, because if you see suspicious/unexpected behavior you will block it.

    Of course, sometimes you have no choice but to trust some app (for example security tools). It's also possible that some app will bypass HIPS because it uses some new technique or uses some Windows kernel bug. But this type of malware will ask for admin rights and may even work inside LUA, so UAC won't help either.
     
  24. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    8,038
    Location:
    The Netherlands
    Did I disagree with this? Like I said, even when you turn off UAC in Win 8 (no more alerts) you still have this advantage, apps will run with "medium integrity" privileges. But I'm not sure if some browser exploit would be able to get "admin rights" because UAC is turned off. Of course when you run/install some app, it might need admin rights and will auto-elevate and try to change system settings, no problem because HIPS will monitor the installation, and it monitors a lot more than UAC does. And besides, UAC isn't even foolproof as you can read.
     
  25. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    8,038
    Location:
    The Netherlands
    Yes I know, you misunderstood me, what I'm saying is: apparently UAC can spot the difference between some app automatically changing system settings, and the manual changing of these settings by the actual user. Which is cool because it won't bother you with alerts. Would be even cooler if it also didn't bother you when you are about to install some app.
     