High-Severity Windows UAC Flaw Enables Privilege Escalation

Researchers disclosed details of a high-severity Microsoft Windows vulnerability that could give attackers elevated privileges – ultimately allowing them to install programs, and view, change or delete data.

The bug stems from User Account Control (UAC), a security feature of Windows within Secure Desktop which helps prevent unauthorized changes to the operating system. “With UAC fully enabled, interactive administrators normally run with least user privileges, but they can self-elevate to perform administrative tasks by giving explicit consent with the Consent UI,” Microsoft explained in an overview of the function. “Such administrative tasks include installing software and drivers, changing system-wide settings, viewing or changing other user accounts, and running administrative tools.”

By interacting with the user interface of UAC, an unprivileged attacker can use the bug to launch a highly-privileged web browser on the normal desktop – giving them the authority to install code and other malicious activities.

“This vulnerability allows local attackers to escalate privileges on affected installations of Microsoft Windows,” researchers with Zero Day Initiative (ZDI) said in a Tuesday detailed analysis of the vulnerability. “An attacker must first obtain the ability to access an interactive desktop as a low-privileged user on the target system in order to exploit this vulnerability.”

Specifically, the flaw exists because the UAC Windows Certificate Dialog, which details certificate information as well as a Microsoft-specific object identifier (OID), does not properly enforce user privileges. To exploit it, an unprivileged attacker could first download a Microsoft-signed executable from an attacker-controlled website. They could then attempt to run the executable as an administrator – meaning the UAC will pop up and asks them to type an administrator password.

Upon clicking on the “Show Details” button on the UAC box, attackers can view the OID in the Windows Certificate Dialog, which is displayed in the details tab as “SpcSpAgencyInfo” – wherein the problem exists.

“The semantics of this OID are poorly documented,” said Simon Zuckerbraun with ZDI. “It appears, however, that the certificate dialog parses the value of this OID, and if it finds valid and properly-formatted data, it will use it to render the ‘Issued by’ field on the General tab as a hyperlink. And when it comes to the UAC version of the certificate dialog, Microsoft forgot to disable this hyperlink.”

That means an attacker could click on the hyperlink to launch a browser that will run as NT AUTHORITY\SYSTEM (a browser with administrative privileges) – opening the door for code execution, installation of malicious programs and more.

“Once the user has access to a browser running as SYSTEM, it’s ripe for abuse. The user can influence the browser to perform any number of actions, which will then be performed as SYSTEM,” Zuckerbraun told Threatpost. “The end effect is that the user gains maximum privilege on the particular Windows machine under attack. For example, suppose that a hacker gains access to a Windows machine via remote desktop, but only has guest access. Through this vulnerability, the attacker could gain maximum access to the machine under attack.”

This ZDI video demonstrates the issue:

“Quite strangely, even though the browser is launched as SYSTEM, nevertheless it is shown on the normal desktop as opposed to the Secure Desktop,” said Zuckerbraun. “Hence it will only become visible once the user has exited all the UAC dialogues. From the attacker’s perspective, this is an ideal combination.”

The vulnerability (CVE-2019-1388) has a CVSS score of 7.8 out of 10.0, making it high-severity. Microsoft patched the flaw as part of its Patch Tuesday updates released last week.

“In their writeup, they state the fix was implemented by ‘ensuring Windows Certificate Dialog properly enforces user privileges,'” said Zuckerbraun. “However, they also give an Exploit Index rating of 2, indicating exploitation is less likely. Our video suggests otherwise.”

The flaw was discovered by Eduardo Braun Prado working with Trend Micro’s Zero Day Initiative. A full list of affected Windows version is here.

Is MFA enough to protect modern enterprises in the peak era of data breaches? How can you truly secure consumer accounts? Prevent account takeover? Find out: Catch our free, on-demandThreatpost webinar, “Trends in Fortune 1000 Breach Exposure” to hear advice from breach expert Chip Witt of SpyCloud.Click here to register.