Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Identity & Access

Researcher Bypasses Windows UAC by Spoofing Trusted Directory

A security researcher from Tenable, Inc. recently discovered that it is possible to bypass Windows’ User Account Control (UAC) by spoofing the execution path of a file in a trusted directory. 

A security researcher from Tenable, Inc. recently discovered that it is possible to bypass Windows’ User Account Control (UAC) by spoofing the execution path of a file in a trusted directory. 

Although Microsoft doesn’t consider UAC a security boundary, the feature still brings additional security benefits. UAC alerts users in the Administrators group when a program attempts to run with elevated privileges, so that the user can confirm the action.

However, the UAC prompt does not appear for all administrative executables on Windows, as some programs can auto-elevate, thus bypassing UAC. However, Windows has a series of additional security checks in place to ensure that only a select group of trusted executables can auto-elevate. 

Even so, the approach can be abused to bypass UAC, and Tenable’s David Wells recently discovered a new technique that leverages this functionality to ensure that no UAC prompt is displayed when a rogue executable runs. 

Executables that can auto-elevate need to be already configured for auto-elevation (in which case an “autoElevate” key exists for that file), to be properly signed, and to run from a Trusted Directory, such as “C:WindowsSystem32,” the security researcher explains

The researcher discovered that, in one of the checks it performs to ensure the executable can auto-elevate, Appinfo.dll (AIS) calls the RtlPrefixUnicodeString API and verifies that the target executable path begins with “C:WindowsSystem32.”

He was able to create a directory called “C:Windows ” (it has a space after “Windows”) by using the CreateDirectory API and prepending a “?” to the directory name (to bypass naming filter rules in Windows) and then created a “System32” directory in it.

Advertisement. Scroll to continue reading.

Next, he copied a signed, auto elevating executable from the real “C:WindowsSystem32”, and, by analyzing the manner in which Windows handles its execution, discovered that no UAC prompt is triggered. 

When “C:Windows System32winSAT.exe” is executed, Appinfo.dll passes it to the GetLongPathNameW API, which converts it back to “C:WindowsSystem32winSAT.exe,” removing the additional space after Windows. Next, the trusted directory checks are performed against this converted string.

“The beauty is that after the trusted directory check is done with this converted path string, it is then freed, and rest of checks (and final elevated execution request) are done with the original executable path name (with the trailing space). This allows all other checks to pass and results in appinfo.dll spawning my winSAT.exe copy as auto elevated (since it is both properly signed and whitelisted for auto elevation),” the researcher notes.

The researcher also notes that he was able to elevate attacker code by dropping a fake WINMM.dll (imported by winSAT.exe) in the spoofed “C:WindowsSystem32” directory, for a local dll hijack. The researcher also published proof-of-concept code for this UAC bypass technique. 

Related: App Paths Used to Bypass User Account Control in Windows 10

Related: Windows UAC Bypassed Using Event Viewer

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.

Register

Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.

Register

Expert Insights

Related Content

Vulnerabilities

Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

Identity & Access

Zero trust is not a replacement for identity and access management (IAM), but is the extension of IAM principles from people to everyone and...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...

Vulnerabilities

The latest Chrome update brings patches for eight vulnerabilities, including seven reported by external researchers.

Vulnerabilities

Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.

Vulnerabilities

Apple has released updates for macOS, iOS and Safari and they all include a WebKit patch for a zero-day vulnerability tracked as CVE-2023-23529.

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...