The document discusses bypassing User Account Control (UAC) on Windows systems. It begins with an overview of UAC and how it works to prevent unauthorized elevation of privileges. It then covers various methods that have been used to bypass UAC, such as DLL hijacking, COM interface elevation, and token impersonation. The document concludes by demonstrating a new UAC bypass technique discovered by the author that leverages a vulnerability in the "dccw.exe" process and involves DLL hijacking. Code samples implementing the technique in C++ and Metasploit are provided.

1. #CyberCamp17
Testing UAC on
Windows 10
Ernesto Fernández

2. C:> whoami
2
Ernesto Fernández Provecho – L3cr0f
q Linkedin – www.linkedin.com/in/ernesto-fernandez-provecho/
q Github – github.com/L3cr0f
q Email – ernesto.fernpro@gmail.com

3. What Is User Account Control
(UAC) and How Does It
Work?
3

4. UAC
4

5. UAC
5
Mechanism to prevent malware execution at high integrity
level without user permission.
How?
Consent Prompt

6. UAC
6
It supports different "security" levels. The highest one
prevents many of bypass UAC attacks, whereas the lowest
one disables UAC.

7. Bypass UAC Attacks
7

8. UAC Bypass
8
Attack consisting in execute code with administrator rights
without prompting the user for consent on Windows
systems. Some requirements must be met in most cases:
q Vulnerable auto-elevate process.
q The user belongs to the Administrators group.
q The UAC security level is not set to "Always Notify".
Attacker Administrator Shell
UAC

9. 9

10. 10

11. 11

12. 12

13. 13

14. 14

15. 15

16. 16

17. 17

18. UAC Bypass Methods
18
GUI Misusing
COM Interface Elevation

19. DLL Hijacking
19
The most common way to perform a bypass UAC attack. It
works thanks to the way DLLs are loaded in Windows systems
by some auto-elevate processes, since they do not found a
specific DLL at first trial, allowing an attacker to trick them by
loading a malicious DLL instead of the legit one.
q IFileOperation
q WUSA
q Environment variables expansion
q Race condition
q UIPI bypass
q COM handler hijacking
q NTFS reparse point

20. DLL Hijacking - IFileOperation
20
Invoke
IFileOperation
Masquerade
PEB
Process
Injection
Copy the
malicious DLL
to the targeted
location
Windows Trusted
Certificate Process
Execute auto-
elevate process

21. DLL Hijacking - WUSA
21
Copy the
malicious DLL
to the targeted
location
WUSA Extract
Functionality
Execute auto-
elevate process
Windows Update Standalone Installer (WUSA) runs at high
integrity.
Compress the
malicious DLL
into a CAB file

22. DLL Hijacking - WUSA
22
Copy the
malicious DLL
to the targeted
location
WUSA Extract
Functionality
Execute auto-
elevate process
Windows Update Standalone Installer (WUSA) runs at high
integrity.
Compress the
malicious DLL
into a CAB file

23. DLL Hijacking – UIPI Bypass
23
Inject
IFileOperation
DLL
hijacking
Copy to a
"secure"
path
Malicious
DLL
Execute
High
integrity
application
Process
Injection
Execute auto-
elevate process
Windows Trusted
Certificate Process
User Interface Privilege Isolation (UIPI) prevents lower
integrity processes from sending "messages" to higher
integrity processes.

24. DLL Hijacking – Environment Variable
Expansion
24
Copy the
malicious DLL
to the targeted
location
Modify the
environment
variable in the
Windows Registry
Execute auto-
elevate process

25. DLL Hijacking – Race Condition
25
Copy the
malicious DLL
to the targeted
location
DLL hijacking
Execute auto-
elevate process

26. DLL Hijacking – COM Handler Hijacking
26
The value is
modified in
"HKCR:CLSID"
Modify the
"HKCU:SoftwareClassesCLSID"
with the path of the malicious DLL
Execute
auto-elevate
process
A COM handler specifies a COM object by its CLSID key from
which the process associated with it will load a DLL.

27. DLL Hijacking – NTFS Reparse Point
27
Create
"wusa.exe"
race condition
A reparse point is a collection of user data associated with a
file or a directory used in NTFS to implement hard links,
junctions and symbolic links.
Compress the
malicious DLL
into a CAB file
Extract the malicious
DLL to the targeted
location by means of
NTFS reparse point
Execute auto-
elevate process

28. COM Interface Elevation
28
In Windows, a COM interface defines a set of methods that a
COM object can invoke. The problem appears since some of
this interfaces can elevate their privileges without user consent.
Execute a method
that allows us to
execute code
Find an
elevated COM
interface
Run the selected
method

29. Application Compatibility Exploiting
29
Abuses the way Application Compatibility (AppCompat) works
by creating a shim (file that contains the details on how
Windows should manipulate an antiquated program to execute
it properly) for an auto-elevate application that forces it to
load a malicious binary - CVE-2015-0002.
Auto-elevate
application
Malicious
binary
Malicious shim
file

30. Application Compatibility Exploiting
30
Abuses the way Application Compatibility (AppCompat) works
by creating a shim (file that contains the details on how
Windows should manipulate an antiquated program to execute
it properly) for an auto-elevate application that forces it to
load a malicious binary - CVE-2015-0002.
Auto-elevate
application
Malicious
binary
Malicious shim
file

31. Shell API
31
This method abuses the way some auto-elevate applications
use the shell API of Windows to execute its own commands.
Environment variables expansion Registry manipulation
Execute
command
Modify the
Windows
Registry

32. Token Impersonation
32
Abuse
QueryLimitedInformation
access right to get
Impersonate and
Duplicate rights
Check the rights
of "mmc.exe"
(high integrity
process)
Copy the high
integrity token
with Duplicate
right
Misuses the way tokens and their grants works in Windows
systems. The following scheme explains the James Forshaw
implementation.
Modify the
copied token
Impersonate the
copied token using
Impersonate right

33. Token Impersonation
33
Abuse
QueryLimitedInformation
access right to get
Impersonate and
Duplicate rights
Check the rights
of "mmc.exe"
(high integrity
process)
Copy the high
integrity token
with Duplicate
right
Misuses the way tokens and their grants works in Windows
systems. The following scheme explains the James Forshaw
implementation.
Modify the
copied token
Impersonate the
copied token using
Impersonate right

34. GUI Misusing
34
The way such UAC
bypass is performed is
taking advantage of the
way these processes use
the "FileDialog"
component, since you
can "right-click" with the
mouse on other
application and point
out the "Run as
administrator" option,
no UAC prompt will be
displayed.

35. Development of a New
Bypass UAC
35

36. Vulnerability Search
36
Auto-elevate processes
We checked the
different processes which
have the feature
"autoElevate" enabled
by means of Strings. We
found an interesting one,
"dccw.exe".

37. Vulnerability Search
37
dccw.exe execution
flow analysis
Using Process Monitor
we find out that
"dccw.exe" would be
vulnerable to a DLL
hijacking due to how
"WinSxS" is managed.

38. Vulnerability Verification
38
dccw.exe DLL hijacking
confirmation
We created the folders
that were looked for
unsuccessfully by
"dccw.exe". When it
was executed again, an
error was presented.

39. Vulnerability Verification
39
dccw.exe DLL hijacking
confirmation
We created the folders
that were looked for
unsuccessfully by
"dccw.exe". When it
was executed again, an
error was presented.

40. Exploit Development
40
Malicious DLL
To execute code ("cmd.exe")
at high integrity we need to
craft a DLL to be loaded
when "dccw.exe" will be
executed. This DLL needs to
export some functions from
the legit "GdiPlus.dll" loaded
by "dccw.exe".
The DLL is compressed and
base64 encoded in the
code.
Interoperabiltiy
To allow the C++ PoC
execution in Windows x86
and Windows x64, the
binary and the DLL have
been developed for x86
systems.

41. Exploit Development
41
Initial Checks
q Build version.
q Administrator rights.
q Administrators group.
q UAC security level.
Create Temporary Elements
In the same directory of the PoC:
1. Create the folder "dccw.exe.Local".
2. Create the folders that match with the
"x86_microsoft.windows.gdiplus_*"
pattern in the "WinSxS" folder into
the folder created in step 1.
3. Drop the malicious DLL into the
folders created in step 2.

42. Exploit Development
C++ - Masquerade PEB
Modify the Process Environment
Block (PEB) due to COM
objects rely on PSAPI, which
parses the PEB, to identify the
process from which they have
been invoked. The resultant PEB
will look like the one of a
Microsoft signed application
(e.g. "explorer.exe").
Trick the system to invoke IFileOperation at high integrity.
Metasploit - Process Injection
Inject a malicious DLL into a
Microsoft signed application
(e.g. "notepad.exe") and
execute it.

43. Exploit Development
43
Invoke IFileOperation
Copy the previously created "dccw.exe.Local" and the elements
contained in it to the vulnerable location.
dccw.exe.Local
WindowsSystem32
WindowsSysWOW64

44. Exploit Development
44
Execute "dccw.exe"
The DLL hijacking is
performed and "cmd.exe" is
executed with administrator
rights.
Remove Traces
All created files and folders are
deleted from the computer to
stay undetected.

45. Exploit Development
45
Initial Checks
Masquerade
PEB / Process
Injection
Execute
dccw.exe
Administrators
Group
Administrator
Rights
Build Version
UAC Settings
Invoke
IFileOperation
Create
Temporary
Elements
WinSxS folders with
"x86_microsoft.windo
ws.gdiplus_*" pattern
Drop the
malicious DLL to
those folders
Copy
temporary
files to DLL
hijacking
path
Execute code at
high integrity
Remove
Traces

46. Proof of Concept (PoC) Time!
46

47. Requirements
47
C++
q The target must be a
Windows 8 or 10.
q The UAC level must not be
set to "Always notify".
q The compromised user must
belong to the "Administrators
group".
Metasploit
q The target must be a Windows
8 or 10.
q The UAC level must not be set to
"Always notify".
q The compromised user must
belong to the "Administrators
group".
q Having a Meterpreter session.
q The TARGET option must match
the processor architecture of the
victim.

48. C++ PoC - Windows 10 x64 14393
48
github.com/L3cr0f/DccwBypassUAC

49. Metasploit Module - Windows 10 x86 15063
49
www.rapid7.com/db/modules/exploit/windows/local/bypassuac_injection_winsxs

50. Microsoft Position
50

51. 51
"A weakness that would allow to bypass
the 'Consent Prompt' is not considered a
security vulnerability, since that is not
considered a security boundary."
But…
"User Account Control (UAC) is a
fundamental component of Microsoft's
overall security vision."
- Microsoft

52. Conclusions and Achievements
52

53. 53
Conclusions
q Bypass User Account Control is not a big deal.
q Build patches are not enough.
q Microsoft should consider UAC bypasses as a vulnerability
so as to protect users.
q Nowadays, the only solution is setting up different users so
as to use the one with lowest privileges.
Achievements
q Development of a new bypass UAC method that works on
latest Windows 10 build versions.
q Development of a new Metasploit module that works on
latest Windows 10 build versions and which has being
included in the Metasploit Framework.
q This bypass UAC has been partially included in the UACME
project as the 37th method.

54. If you want to know more
about…
54

55. q DccwBypassUAC repository:
https://github.com/L3cr0f/DccwBypassUAC.
q Project paper:
https://www.researchgate.net/publication/319454675_Testing
_UAC_on_Windows_10.
q Metasploit module: https://github.com/rapid7/metasploit-
framework/blob/master/modules/exploits/windows/local/byp
assuac_injection_winsxs.rb.
q Rapid7 explanation of the Metasploit module:
https://www.rapid7.com/db/modules/exploit/windows/local/
bypassuac_injection_winsxs.
q UACME project: https://github.com/hfiref0x/UACME.

56. Gracias por su atención