Researchers have crafted a stealthy new way of bypassing Windows User Account Controls (UAC) that opens the door to attacks on targeted systems. According researchers, the bypass technique can fly under the radar of security solutions that monitor for this type of circumvention.
The UAC bypass technique works on Windows 10 systems, and as opposed a number of other UAC bypasses techniques, this one does not raise red flags because it doesn’t rely on a privileged file copy or code injection, according to Matt Graeber and Matt Nelson who found the workaround and outlined it in a technical breakdown on the Enigmaox3 website.
As the name implies, a User Account Control bypass, allows a Windows users to bypass technical restrictions associated with their Windows account preventing them from changing system settings and adding and removing programs. Windows UAC is a type of security policy setting also designed to prevent malware or malicious software from installing itself on a PC.
But Microsoft doesn’t view bypassing the UAC as a security vulnerability, despite doing so is a common tactic employed by attackers who wish to gain administrative privileges on targeted PCs in conjunction with surreptitious malware infections.
Graeber and Nelson have managed to bypass UAC using a complex, multistep process that ultimately allows attackers to have systems with the lowest privileges to execute malicious DLLs.
“After investigating some default Scheduled Tasks that exist on Windows 10 and their corresponding actions, we found that a scheduled task named ‘SilentCleanup’ is configured on stock Windows 10 installations to be launchable by unprivileged users but to run with elevated/high integrity privileges,” wrote Nelson.
SilentCleanup is a Windows process that works with the common Windows utility called Disk Cleanup or Cleanmgr.exe. “Taking a closer look… we found that the actual process started by the scheduled task, cleanmgr.exe, auto-elevates due to ‘execute with highest privileges’ being set in the task configuration,” wrote Nelson.
What both researchers observed next was when the Disk Cleanup utility was launched it created a new folder (GUID in “C:\Users\<username>\AppData\Local\Temp”) where it copied several DLLs along with “dismhost.exe” into the new folder. Dismhost is a function of Windows tied to maintaining custom Windows OS images.
“Since dismhost.exe launches out of “C:\Users\<username>\AppData\Local\Temp\<guid>”, it begins to load DLLs out of the same folder in a certain order. Because the current medium integrity user has write access to the user’s %TEMP% directory, it is possible to hijack a DLL loaded by dismhost.exe and obtain code execution in a high integrity process. This is commonly known as a ‘BypassUAC’ attack,” Nelson wrote.
Using this knowledge, Graeber and Nelson were able to swap in a specific DLL before the dismhost.exe process loaded it. The technique could be used to load any specially crafted DLL (malicious or otherwise).
“This was disclosed to Microsoft Security Response Center (MSRC) on 07/20/2016. As expected, they responded by noting that UAC isn’t a security boundary, so this doesn’t classify as a security vulnerability,” Nelson wrote.
Because this type of BypassUAC attack does not require any process injection, that would get flagged by security software, it can avoid detection.
“There is no privileged file copy required. Most UAC bypasses require some sort of privileged file copy in order to get a malicious DLL into a secure location to setup a DLL hijack. Since the scheduled task copies the required stuff to %TEMP%, no privileged file copy is required,” Nelson wrote.