White hat pops Windows User Account Control with log viewer data

PowerShell your way to user hell

The User Account Control feature in Windows has been popped by researcher Matt Nelson, without even having to plant a .DLL on the target machine.

In this post (warning, it's pretty dense going), Nelson finds that the Windows Event Viewer (a local/remote event log viewer) can be exploited to hijack registry processes; start PowerShell; and execute commands.

Working with Matt Graeber, Nelson was able to trick the target system into executing PowerShell as a high-integrity process – effectively p0wning the “victim” in the proof-of-concept. And it gets better: he got PowerShell access without having to leave tell-tale files on the target:

Here's how the hack went down:

Due to the fact that I was able to hijack the process being started, it is possible to simply execute whatever malicious PowerShell script/command you wish. This means that code execution has been achieved in a high integrity process (bypassing UAC) without dropping a DLL or other file down to the file system. This significantly reduces the risk to the attacker because they aren’t placing a traditional file on the file system that can be caught by AV/HIPS or forensically identified later.

The proof-of-concept is at GitHub.

Nelson told ThreatPost the attack would need a victim's machine to be already compromised for the bypass to work.

As well as working without having to get a malicious file onto the system, Nelson notes his attack works without any process injection (which security solutions might notice); and there's no privileged file copy required, since “it is possible to simply use an existing, trusted Microsoft binary to execute code in memory instead.”

Nelson says the PoC was tested on Windows 7 and Windows 10, but should probably work anywhere Windows runs UAC. He suggests setting UAC to “Always Notify”, and (of course) don't run the current user as admin. ®


Biting the hand that feeds IT © 1998–2017