Windows 10 UAC Bypass

Thursday, July 28, 2016 @ 04:07 PM gHale


There is a way to bypass the Windows User Access Control (UAC) security system on Windows 10 that could allow malicious files to execute without users being aware.

On top of that the bypass does not involve a complicated mechanism that implies a privileged file copy or any code injection, but only taking advantage of an already existing Windows scheduled task set up to run with the highest privileges available, said researchers Matt Nelson and Matt Graeber.

RELATED STORIES
Microsoft Patches Critical Vulnerabilities
Microsoft Brings Checked C to Open Source
Microsoft Fixes Windows Kernel Font Issue
Bad Code Found in OLE

The scheduled task they are talking about is the Disk Cleanup utility, a built-in Windows app for helping users clean and manage their hard drives.

The scheduled task is a “maintenance task used by the system to launch a silent auto disk cleanup when running low on free disk space.”

The two researchers discovered that, when Windows 10 ran this task, it would execute the Disk Cleanup app, which would copy a set of files in a folder at “C:UsersAppDataLocalTemp.”

The files copied here were an executable called DismHost.exe and a very large number of DLL files. Disk Cleanup would then execute the EXE file, which it would load one DLL after the other.

Nelson and Graeber found DismHost.exe would load the LogProvider.dll as the last DLL file in this queue, giving them time to launch an attack.

They created a malicious script (aka malware) that would watch the local file system for the creation of new folders inside the Temp directory, and when detecting one of the files above, it would quickly move to replace LogProvider.dll with their own version of the DLL, containing malicious operations.

This attack technique is DLL hijacking and is a common method of executing malware attacks.

Because this scheduled task ran from a regular user account, but with the “highest privileges available,” UAC remained silent, according to Nelson and Graeber.

The researchers told Microsoft about the issue, but the software giant is mulling over what to do.

“This was disclosed to Microsoft Security Response Center (MSRC) on 07/20/2016,” Nelson said in a blog post. “As expected, they responded by noting that UAC isn’t a security boundary, so this doesn’t classify as a security vulnerability.”

In the meantime, users should either disable the task or uncheck the “Run with the highest privileges” option.