
Not a Security Boundary: Bypassing User Account Control

4,491 views

Published on

Talk at DerbyCon 2017 on User Account Control bypass methodology and history.

Published in: Internet


Slide 1: Not a Security Boundary: New Methods for Bypassing User Account Control
Matt Nelson (@enigma0x3), SpecterOps

Slide 2: @enigma0x3
- Job: Red Teamer and Security Researcher at @SpecterOps
- Trainer: BlackHat 2016, ATRTO
- Blogger: enigma0x3.net
- Speaker: Various BSides, DerbyCon, ShmooCon, OPCDE
- Other: Multiple CVEs for Device Guard research, plenty of UAC bypasses & COM lover

Slide 3: tl;dr
- UAC/Integrity Level Overview
- Bypass Research Overview
- Bypass Evolution
- Mitigations
- Demos throughout!

Slide 4: UAC: What is it?
- UAC == User Account Control
- “UAC is meant to enable users to run with standard user rights, as opposed to administrative rights”
- If user == Local Administrator, two tokens are assigned to the logon session (split-token admin)
- If a user is not a local admin, UAC offers Over-the-Shoulder (OTS) elevation
- We will be focusing on the split-token admin scenario
Source: https://technet.microsoft.com/en-us/library/2007.06.uac.aspx?f=255&MSPPError=-2147217396

Slide 5: Who Cares?
- Every organization has users in the Local Administrators group
- A common answer is “We have UAC set to Always Notify”, so we are safe
- Attackers encounter UAC all the time
- Roadblock between them and their objective
- Blue: Are you aware of all the users in your environment that are running as Local Administrators?

Slide 6:
“Attackers don’t care about security boundaries” - Jessica Payne (@jepayneMSFT) at MSIgniteNZ
https://twitter.com/jepayneMSFT/status/791702594309677056

Slide 7: Security Boundary?
“What’s a security boundary? It’s a wall through which code and data can’t pass without the authorization of a security policy.” - Mark Russinovich
https://blogs.technet.microsoft.com/markrussinovich/2007/02/12/psexec-user-account-control-and-security-boundaries/

Slide 8: Security Boundary?
https://web.archive.org/web/20070303183621/http://microsofttech.fr.edgesuite.net/msexp/download/0370/0370_pres.zip

Slide 9: 1. UAC/Integrity Level Overview
How these tie together
Slide 10: Integrity Levels
- An Integrity Level is assigned to a security access token
- Defined by SID; assists in Access Control for various OS components
- Mandatory access token policies
  - TOKEN_MANDATORY_NO_WRITE_UP, TOKEN_MANDATORY_NEW_PROCESS_MIN
- The Security Reference Monitor compares the user/group SIDs in the security access token with the ACL on an object to determine access

Slide 11: Integrity Levels
https://msdn.microsoft.com/en-us/library/bb625963.aspx

Slide 12: Integrity Levels
- When researching UAC, we are mostly interested in 2 integrity levels:
  - High Integrity (HI) security access token == Administrator
  - Medium Integrity (MI) security access token == Normal user
- Split-Token admin processes are assigned a MI security access token
- Elevation via UAC == granted HI security access token

Slide 13: UAC Levels
- UAC level determines the notification level
- Technically 4 levels: Always Notify, Notify (Secure Desktop), Notify (No Secure Desktop), Never Notify
- Realistically, there are only 2 we care about
  - Always Notify and the Default (Notify w/ Secure Desktop)

Slide 14: (image only)
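As an added illustration of slides 10 to 13 (this is not from the talk), the following PowerShell snippet classifies the current session from the integrity label and the Administrators group entry on its token, which is the split-token (MI) versus elevated (HI) distinction the slides draw. It assumes only whoami and built-in cmdlets; S-1-16-8192 (Medium), S-1-16-12288 (High) and S-1-5-32-544 (BUILTIN\Administrators) are well-known SIDs.

```powershell
# Added example, not from the talk: classify the current session's token.
# `whoami /groups /fo csv` lists the token's group SIDs, the mandatory label
# row (Type = Label) and each group's attributes. Well-known SIDs used:
#   S-1-16-8192  Medium Mandatory Level    S-1-16-12288 High Mandatory Level
#   S-1-5-32-544 BUILTIN\Administrators
function Get-UacTokenState {
    $groups = whoami /groups /fo csv | ConvertFrom-Csv

    $label  = $groups | Where-Object { $_.Type -eq 'Label' } | Select-Object -First 1
    $admins = $groups | Where-Object { $_.SID -eq 'S-1-5-32-544' } | Select-Object -First 1

    $integrity = switch ($label.SID) {
        'S-1-16-12288' { 'High' }
        'S-1-16-8192'  { 'Medium' }
        'S-1-16-4096'  { 'Low' }
        default        { "Other ($($label.SID))" }
    }

    # On a split-token admin's filtered (MI) token the Administrators SID is still
    # present but marked "Group used for deny only"; on the HI token it is enabled.
    $denyOnly = [bool]$admins -and ($admins.Attributes -match 'deny only')

    $state = if ($integrity -eq 'High' -and $admins -and -not $denyOnly) {
        'Elevated: HI token, UAC already satisfied'
    } elseif ($integrity -eq 'Medium' -and $denyOnly) {
        'Split-token admin: MI token, elevation needs a UAC prompt (the scenario the talk targets)'
    } elseif ($integrity -eq 'Medium' -and -not $admins) {
        'Standard user: not a local admin, only Over-the-Shoulder elevation is possible'
    } else {
        'Unclassified'
    }

    [pscustomobject]@{
        User              = (whoami)
        IntegrityLevel    = $integrity
        AdministratorsSid = [bool]$admins
        AdminDenyOnly     = $denyOnly
        State             = $state
    }
}

Get-UacTokenState
```

Run it once from a normal console and once from an elevated one on a split-token admin account to see the same user move from the Medium/deny-only case to the High/enabled case.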
Slide 15: 2. Bypass Research Overview
A Quick Example

Slide 16: Purpose
- Silently obtain a HI security access token without raising suspicion to the user
- Often executed from an agent (Meterpreter, Empire, Beacon, etc.)
- You aren’t bypassing anything if you elevate while logged in via the GUI
  - At that point, you can just click “Yes” on the UAC prompt...

Slide 17: Don’t be this guy.... (image only)

Slide 18: Elevation Objects
- Identify objects that silently elevate
  - Scheduled Tasks, Auto-Elevate Windows Binaries, COM interfaces, etc.
- Take these objects and trace their various execution behaviors
- Determine any locations these objects interact with that a MI process can manipulate
  - Can be registry keys, files, folders, etc.

Slide 19: Elevation Objects (image only)

Slide 20: Elevation Objects (image only)

Slide 21: Abusing These Objects
- After identifying an object that reads from a location you can modify, determine how to abuse it
  - Registry key additions
  - Environment variable manipulation
  - Winning a race condition
- After modifying, these elevating objects should read and pull your payload

Slide 22: Abusing These Objects (image only)
Slide 23: 3. Bypass Evolution
Then there was light

Slide 24: Disclaimer
- There are many public UAC bypasses that currently exist
- Most definitive source for all bypasses is @hfiref0x’s UACME project: https://github.com/hfiref0x/UACME
- This section only highlights the evolution of bypass tradecraft, not specific techniques.
- I will not cover every bypass nor every technique (we would be here for hours)

Slide 25: IFileOperation
- Leo Davidson released PoC code in 2009
- One of the first UAC bypasses to be publicly released
- IFileOperation::CopyItem()
- Has to be invoked from inside a Microsoft-signed binary (can be spoofed)
- A privileged file copy opens up the possibility for a DLL hijack
- Fixed in Windows 10 RS2 (15007)

Slide 26: IFileOperation
https://github.com/FuzzySecurity/PowerShell-Suite/blob/master/Bypass-UAC/Bypass-UAC.ps1
https://youtu.be/HPozzQHJez0

Slide 27: WUSA
- Original Finder: Vozzie
- Windows Update Standalone Installer
- Auto-Elevating Windows binary
- Pre-Windows 10, has an “/extract” flag
  - Allows extraction of a cab from one location to another
- Cab a payload using makecab and perform a privileged file copy using: wusa <path> /extract <path>

Slide 28: WUSA
https://youtu.be/HPozzQHJez0

Slide 29: Registry Modification (eventvwr.exe)
- Abuses Registry verb handlers
  - shell\open\command, IsolatedCommand, etc.
- These values determine the binary and parameters for a specified verb
- Many binaries can be used here
- More: https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/

Slide 30: Registry Modification (eventvwr.exe) (image only)

Slide 31: Registry Modification (eventvwr.exe) (image only)

Slide 32: Registry Modification (eventvwr.exe)
https://youtu.be/vauUN_vaL8I

Slide 33:
https://twitter.com/JohnLaTwC/status/817010045464367111

Slide 34: Registry Modification (eventvwr.exe)
- Microsoft actually issued a fix in Windows 10 RS2 (15031)
http://www.winhelponline.com/blog/microsoft-fixes-eventvwr-exe-uac-bypass-exploit-windows-10-creators-update/
Slide 35: Race Condition (Disk Cleanup)
- Found by @mattifestation/@enigma0x3
- Windows 10 Scheduled Task with “Run with Highest Privileges” set
- Creates a folder in %localappdata%\Temp\<guid>
- Executes dismhost.exe in a HI context
- Dismhost.exe loads DLLs from the temp directory
- Fixed in Windows 10 RS2 (15031)

Slide 36: Race Condition (Disk Cleanup) (image only)

Slide 37: Race Condition (Disk Cleanup) (image only)

Slide 38: Race Condition (Disk Cleanup) (image only)

Slide 39: Race Condition (Disk Cleanup)
https://youtu.be/tryZ_45kQOw

Slide 40: Environment Variables (Disk Cleanup)
- Discovered by James Forshaw (@tiraniddo)
- Same Scheduled Task as the Race Condition
- Utilizes an environment variable in its action
- These environment variables can be modified without elevation
  - HKEY_CURRENT_USER\Environment

Slide 41: Environment Variables (Disk Cleanup)
https://tyranidslair.blogspot.com/2017/05/exploiting-environment-variables-in.html

Slide 42: Environment Variables (Disk Cleanup)
- Hijacking the %windir% environment variable can lead to silent elevation when the task is run
- reg add hkcu\Environment /v windir /d "cmd /K reg delete hkcu\Environment /v windir /f && REM "
- More: https://tyranidslair.blogspot.com/2017/05/exploiting-environment-variables-in.html

Slide 43: Environment Variables (Disk Cleanup)
https://youtu.be/KQC7wAEMsTQ
Slide 44: COM Hijacking
- Finders: @FuzzySec/@enigma0x3
- Hijack InProcServer32, Server or LocalServer32 & invoke an auto-elevating binary that instantiates that COM object
- Our malicious binary loads

Slide 45: COM Hijacking
Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Classes\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}]

[HKEY_CURRENT_USER\Software\Classes\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\Server]
@="C:\\Users\\Matt\\Desktop\\MessageBox64.dll"

Slide 46: COM Hijacking
https://youtu.be/0tD7wHvblmA
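The three registry-backed techniques above (slide 29's verb handlers, slide 40/42's HKCU\Environment windir override and slide 44/45's per-user CLSID server entries) all leave artifacts under HKEY_CURRENT_USER that a defender can audit. The PowerShell below is an added example, not part of the talk or of the linked projects: it reads those per-user locations and lists what it finds as leads for review. The CLSID from slide 45 is only used to label an exact match; every other per-user COM server or shell verb is reported as a lead rather than a verdict, because some are legitimate per-user registrations.

```powershell
# Added example (not from the talk): audit per-user registry locations that a
# Medium Integrity process can write and that elevating objects read.
# Output is a list of leads for review, not a verdict.
$knownClsid = '{0A29FF9E-7F9C-4437-8B11-F424491E3931}'   # CLSID shown on slide 45

function Get-UacRegistryLeads {
    $leads = New-Object System.Collections.Generic.List[object]
    function Add-Lead($Kind, $Path, $Value) {
        $leads.Add([pscustomobject]@{ Kind = $Kind; Path = $Path; Value = $Value })
    }

    # 1. Environment variable hijack: a per-user windir value in HKCU\Environment
    #    is what the Disk Cleanup task's action expands %windir% to.
    $windir = (Get-ItemProperty 'HKCU:\Environment' -Name windir -ErrorAction SilentlyContinue).windir
    if ($windir) { Add-Lead 'EnvOverride' 'HKCU\Environment\windir' $windir }

    # 2. COM hijack: HKCU\Software\Classes\CLSID entries shadow HKLM, so a server
    #    path registered here is what an auto-elevating caller would load.
    $clsidRoot = 'HKCU:\Software\Classes\CLSID'
    if (Test-Path $clsidRoot) {
        foreach ($clsid in Get-ChildItem $clsidRoot) {
            foreach ($sub in 'InProcServer32', 'LocalServer32', 'Server') {
                $key = "$($clsid.PSPath)\$sub"
                if (-not (Test-Path $key)) { continue }
                $server = (Get-ItemProperty $key -ErrorAction SilentlyContinue).'(default)'
                $kind = if ($clsid.PSChildName -ieq $knownClsid) { 'ComHijack-KnownClsid' } else { 'ComServer' }
                Add-Lead $kind "$($clsid.Name)\$sub" $server
            }
        }
    }

    # 3. Verb handler hijack (eventvwr-style): per-user shell\<verb>\command keys
    #    carrying a default command or an IsolatedCommand value.
    Get-ChildItem 'HKCU:\Software\Classes' -Recurse -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -eq 'command' -and $_.PSParentPath -match '\\shell\\' } |
        ForEach-Object {
            $props = Get-ItemProperty $_.PSPath -ErrorAction SilentlyContinue
            foreach ($name in '(default)', 'IsolatedCommand') {
                if ($props.$name) { Add-Lead 'ShellVerb' "$($_.Name) [$name]" $props.$name }
            }
        }

    return $leads
}

Get-UacRegistryLeads | Format-Table -AutoSize
```

A clean profile normally returns nothing for the first check and few or no entries for the other two; note that the token manipulation technique on the following slides makes no registry changes, so this audit does not cover it.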
Slide 47: Token Manipulation
- Discovered by James Forshaw (@tiraniddo): https://tyranidslair.blogspot.com/2017/05/reading-your-way-around-uac-part-1.html
- Weaponized by Ruben Boonen (@fuzzysec)
- Forget auto-elevating objects…
- Uses DuplicateTokenEx() to duplicate a HI token & calls CreateProcessWithLogonW() with that new token
- Results in an Always Notify bypass without any OS modifications :-)

Slide 48: Token Manipulation
https://youtu.be/xpbC9M2sGpM

Slide 49: Token Manipulation
- https://github.com/FuzzySecurity/PowerShell-Suite/blob/master/UAC-TokenMagic.ps1 by @fuzzysec
  - Took @tiraniddo’s post and weaponized it
  - Uses Add-Type to interface with the Win32 API
  - Compiles and drops files to disk

Slide 50: Token Manipulation
- Re-implemented via PSReflect
  - https://github.com/enigma0x3/Misc-PowerShell-Stuff/blob/master/Invoke-TokenDuplication.ps1
- Enumerates process list and checks for a process with a HI security access token
  - When one is found, uses that ProcID to elevate
  - If one is not, starts one via the RunAs verb
Slide 51: 4. Mitigations
Let’s Be Real

Slide 52: Local Admin Accounts
- Every environment I have ever operated in had a percentage of users that were local administrators on their own host...

Slide 53: Stop Running as a Local Administrator
- Why do users need to be local administrators?
- Stop it.
- Seriously.
- Practice real least privilege
- pls.

Slide 54: CREDITS
- Special Thanks:
  - James Forshaw (@tiraniddo)
  - Ruben Boonen (@FuzzySec)
  - Matt Graeber (@mattifestation)
  - @hfiref0x
  - & many more for their great research!

Slide 55: THANKS!
Any questions?
@enigma0x3
matt@specterops.io

Slide 56: Resources
- https://blogs.technet.microsoft.com/markrussinovich/2007/02/12/psexec-user-account-control-and-security-boundaries/
- https://github.com/FuzzySecurity/DefCon25
- https://github.com/hfiref0x/UACME
- https://github.com/enigma0x3/Misc-PowerShell-Stuff/blob/master/Invoke-TokenDuplication.ps1
