Not a Security Boundary: Bypassing User Account Control

  1. Not a Security Boundary: New Methods for Bypassing User Account Control
     Matt Nelson (@enigma0x3), SpecterOps
  2. @enigma0x3
     - Job: Red Teamer and Security Researcher at @SpecterOps
     - Trainer: BlackHat 2016, ATRTO
     - Blogger:
     - Speaker: Various BSides, DerbyCon, ShmooCon, OPCDE
     - Other: Multiple CVEs for Device Guard research, plenty of UAC bypasses & COM lover
  3. tl;dr
     - UAC/Integrity Level Overview
     - Bypass Research Overview
     - Bypass Evolution
     - Mitigations
     - Demos throughout!
  4. UAC: What is it?
     - UAC == User Account Control
     - “UAC is meant to enable users to run with standard user rights, as opposed to administrative rights”
     - If user == Local Administrator, two tokens are assigned to the logon session (split-token admin)
     - If a user is not a local admin, UAC offers Over-the-Shoulder (OTS) elevation
     - We will be focusing on the split-token admin scenario
  5. Who Cares?
     - Every organization has users in the Local Administrators group
     - A common answer is “We have UAC set to Always Notify”, so we are safe
     - Attackers encounter UAC all the time
     - Roadblock between them and their objective
     - Blue: Are you aware of all the users in your environment that are running as Local Administrators?
  6. “Attackers don’t care about security boundaries” - Jessica Payne (@jepayneMSFT) at MSIgniteNZ
  7. Security Boundary?
     “What’s a security boundary? It’s a wall through which code and data can’t pass without the authorization of a security policy.” - Mark Russinovich
     More: security-boundaries/
  8. Security Boundary? (image slide)
     More: d/0370/
  9. Part 1: UAC/Integrity Level Overview
     How these tie together
  10. Integrity Levels
     - An Integrity Level is assigned to a security access token
     - Defined by SID; assists in Access Control for various OS components
     - Mandatory access token policies: TOKEN_MANDATORY_NO_WRITE_UP, TOKEN_MANDATORY_NEW_PROCESS_MIN
     - The Security Reference Monitor compares the user/group SIDs in the security access token with the ACL on an object to determine access
  11. Integrity Levels (image slide)
  12. Integrity Levels
     - When researching UAC, we are mostly interested in 2 integrity levels:
     - High Integrity (HI) security access token == Administrator
     - Medium Integrity (MI) security access token == Normal user
     - Split-Token admin processes are assigned a MI security access token
     - Elevation via UAC == granted a HI security access token
  13. UAC Levels
     - UAC level determines the notification level
     - Technically 4 levels: Always Notify, Notify (Secure Desktop), Notify (No Secure Desktop), Never Notify
     - Realistically, there are only 2 we care about: Always Notify and the Default (Notify w/ Secure Desktop)
  14. (image slide, no text)
  15. Part 2: Bypass Research Overview
     A Quick Example
  16. Purpose
     - Silently obtain a HI security access token without raising suspicion to the user
     - Often executed from an agent (Meterpreter, Empire, Beacon, etc.)
     - You aren’t bypassing anything if you elevate while logged in via the GUI
     - At that point, you can just click “Yes” on the UAC prompt...
  17. Don’t be this guy... (image slide)
  18. Elevation Objects
     - Identify objects that silently elevate: Scheduled Tasks, Auto-Elevate Windows Binaries, COM interfaces, etc.
     - Take these objects and trace their various execution behavior
     - Determine any locations these objects interact with that a MI process can manipulate: registry keys, files, folders, etc.
  19. Elevation Objects (image slide)
  20. Elevation Objects (image slide)
  21. Abusing These Objects
     - After identifying an object that reads from a location you can modify, determine how to abuse it: registry key additions, environment variable manipulation, winning a race condition
     - After modifying, these elevating objects should read and pull your payload
  22. Abusing These Objects (image slide)
  23. Part 3: Bypass Evolution
     Then there was light
  24. Disclaimer
     - There are many public UAC bypasses that currently exist
     - The most definitive source for all bypasses is @hfiref0x’s UACME project
     - This section only highlights the evolution of bypass tradecraft, not specific techniques
     - I will not cover every bypass nor every technique (we would be here for hours)
  25. IFileOperation
     - Leo Davidson released PoC code in 2009
     - One of the first UAC bypasses to be publicly released
     - IFileOperation::CopyItem()
     - Has to be invoked from inside a Microsoft-signed binary (can be spoofed)
     - A privileged file copy opens up the possibility for a DLL hijack
     - Fixed in Windows 10 RS2 (15007)
  26. IFileOperation (image slide)
  27. WUSA
     - Original finder: Vozzie
     - Windows Update Standalone Installer
     - Auto-elevating Windows binary
     - Pre-Windows 10, has an “/extract” flag that allows extraction of a cab from one location to another
     - Cab a payload using makecab and perform a privileged file copy using: wusa <path> /extract <path>
  28. WUSA (image slide)
  29. Registry Modification (eventvwr.exe)
     - Abuses registry verb handlers: shell\open\command, isolatedCommand, etc.
     - These values determine the binary and parameters for a specified verb
     - Many binaries can be used here
     - More: uac-bypass-using-eventvwr-exe-and-registry-hijacking/
  30. Registry Modification (eventvwr.exe) (image slide)
  31. Registry Modification (eventvwr.exe) (image slide)
  32. Registry Modification (eventvwr.exe) (image slide)
  33. (image slide, no text)
  34. Registry Modification (eventvwr.exe)
     - Microsoft actually issued a fix in Windows 10 RS2 (15031)
     - More: creators-update/
  35. Race Condition (Disk Cleanup)
     - Found by @mattifestation/@enigma0x3
     - Windows 10 Scheduled Task with “Run with Highest Privileges” set
     - Creates a folder in %localappdata%\Temp\<guid>
     - Executes dismhost.exe in a HI context
     - Dismhost.exe loads DLLs from the temp directory
     - Fixed in Windows 10 RS2 (15031)
  36. Race Condition (Disk Cleanup) (image slide)
  37. Race Condition (Disk Cleanup) (image slide)
  38. Race Condition (Disk Cleanup) (image slide)
  39. Race Condition (Disk Cleanup) (image slide)
  40. Environment Variables (Disk Cleanup)
     - Discovered by James Forshaw (@tiraniddo)
     - Same Scheduled Task as the Race Condition
     - Utilizes an environment variable in its action
     - These environment variables can be modified without elevation: HKEY_CURRENT_USER\Environment
  41. Environment Variables (Disk Cleanup) (image slide)
  42. Environment Variables (Disk Cleanup)
     - Hijacking the %windir% environment variable can lead to silent elevation when the task is run
     - reg add hkcu\Environment /v windir /d "cmd /K reg delete hkcu\Environment /v windir /f && REM "
     - More: g-environment-variables-in.html
  43. Environment Variables (Disk Cleanup) (image slide)
  44. COM Hijacking
     - Finders: @FuzzySec/@enigma0x3
     - Hijack InProcServer32, Server or LocalServer32 & invoke an auto-elevating binary that instantiates that COM object
     - Our malicious binary loads
  45. COM Hijacking
     Windows Registry Editor Version 5.00

     [HKEY_CURRENT_USER\Software\Classes\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}]

     [HKEY_CURRENT_USER\Software\Classes\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\Server]
     @="C:\\Users\\Matt\\Desktop\\MessageBox64.dll"
  46. COM Hijacking (image slide)
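As a defender-side check (an added example, not code from the talk or from Matt Nelson's tooling), the following Python parses a `reg export HKCU` text dump and flags the three user-writable locations covered on slides 29, 42 and 44/45: per-user COM server keys, system variables overridden in HKCU\Environment, and per-user shell verb handlers. It assumes the dump contains only REG_SZ string values (hex(2)/binary values are skipped), and the embedded sample dump is constructed, not taken from a real host.

```python
import re

# Constructed sample of a "reg export HKCU" dump (not from a real host) with one
# entry per user-writable location the talk describes, plus one benign value.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Classes\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\Server]
@="C:\\Users\\user\\AppData\\Local\\Temp\\unknown.dll"
[HKEY_CURRENT_USER\Environment]
"windir"="cmd /K reg delete hkcu\\Environment /v windir /f && REM "
"TEMP"="%USERPROFILE%\\AppData\\Local\\Temp"
[HKEY_CURRENT_USER\Software\Classes\mscfile\shell\open\command]
@="C:\\Users\\user\\AppData\\Local\\Temp\\unknown.exe"
"""
# Per-user COM server registration (slides 44/45): InProcServer32, Server or LocalServer32
COM_SERVER = re.compile(r"^HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\\{[0-9A-F-]+\}\\"
                        r"(InProcServer32|LocalServer32|Server)$", re.I)
# Per-user shell verb handler (slide 29), e.g. mscfile\shell\open\command used by eventvwr.exe
VERB_HANDLER = re.compile(r"^HKEY_CURRENT_USER\\Software\\Classes\\.+\\shell\\[^\\]+\\command$", re.I)
# System-defined variables that a user has no legitimate reason to override in HKCU\Environment (slide 42)
SYSTEM_VARS = {"windir", "systemroot"}

def parse_reg(text):
    """Return {key: {value_name: data}} for the REG_SZ values in a .reg export."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current and "=" in line and line.endswith('"'):
            name, _, data = line.partition("=")
            name = "(Default)" if name == "@" else name.strip('"')
            keys[current][name] = data[1:-1].replace("\\\\", "\\")  # un-escape .reg backslashes
    return keys

def find_uac_hijacks(text):
    """Flag HKCU entries that an auto-elevating object could read from a MI process."""
    findings = []
    for key, values in parse_reg(text).items():
        if COM_SERVER.match(key):
            findings.append((key, "(Default)", "per-user COM server (possible CLSID hijack)"))
        elif VERB_HANDLER.match(key):
            findings.append((key, "(Default)", "per-user shell verb handler"))
        elif key.lower() == r"hkey_current_user\environment":
            for name in values:
                if name.lower() in SYSTEM_VARS:
                    findings.append((key, name, "system variable overridden per-user"))
    return findings
```

Running `find_uac_hijacks(SAMPLE_REG)` returns three findings (the COM server key, the windir override and the verb handler) and leaves the benign TEMP value alone; on a real host, feed it the output of `reg export HKCU <file>` for each logged-on user.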
  47. Token Manipulation
     - Discovered by James Forshaw (@tiraniddo): your-way-around-uac-part-1.html
     - Weaponized by Ruben Boonen (@FuzzySec)
     - Forget auto-elevating objects…
     - Uses DuplicateTokenEx() to duplicate a HI token & calls CreateProcessWithLogonW() with that new token
     - Results in an Always Notify bypass without any OS modifications :-)
  48. Token Manipulation (image slide)
  49. Token Manipulation
     - Suite/blob/master/UAC-TokenMagic.ps1 by @FuzzySec
     - Took @tiraniddo’s post and weaponized it
     - Uses Add-Type to interface with the Win32 API
     - Compiles and drops files to disk
  50. Token Manipulation
     - Re-implemented via PSReflect: Stuff/blob/master/Invoke-TokenDuplication.ps1
     - Enumerates the process list and checks for a process with a HI security access token
     - When one is found, uses that ProcID to elevate
     - If one is not, starts one via the RunAs verb
  51. Part 4: Mitigations
     Let’s Be Real
  52. Local Admin Accounts
     - Every environment I have ever operated in had a percentage of users that were local administrators on their own host...
  53. Stop Running as a Local Administrator
     - Why do users need to be local administrators?
     - Stop it. Seriously.
     - Practice real least privilege
     - pls.
  54. CREDITS
     Special Thanks: James Forshaw (@tiraniddo), Ruben Boonen (@FuzzySec), Matt Graeber (@mattifestation), @hfiref0x & many more for their great research!
  55. THANKS! Any questions? @enigma0x3
  56. Resources
     - 02/12/psexec-user-account-control-and-security-boundaries/
     - Stuff/blob/master/Invoke-TokenDuplication.ps1

Editor's Notes

  1. Note that we are focusing on split-token admin (AAM) mode; OTS exploitation is likely possible. Split-token == user is a LA; UAC gives the user a normal token, and then elevation occurs that grants the process an administrative token.
  3. Blue: Do you know how many users are Local Admins on their own host?
  4. Lee & Jeffrey, DerbyCon 2016 keynote: “What do you have and what do you get?” One user should not be able to read or modify the data of another user, nor be able to cause other users to execute code, without the permission of the other user.
  5. Mark Russinovich, Windows Vista User Account Control Internals
  6. TOKEN_MANDATORY_NO_WRITE_UP: The default policy that is assigned to all access tokens. The policy restricts write access by this subject to any object at a higher integrity level.
  7. Won’t outline all IFileOperation DLL hijack bypasses, just cover the IFileOperation technique.
  8. Requires injection into explorer.exe to call the method.
  9. OpenProcess, OpenProcessToken, DuplicateTokenEx, AllocateAndInitializeSid, NtSetInformationToken (lower the token IL), NtFilterToken (creates a new restricted token), DuplicateTokenEx, ImpersonateLoggedOnUser and then CreateProcessWithLogonW.