trojan81

Metasploit - when UAC is at highest level

Experts,

I am conducting defensive security.
If UAC on my Windows 7 system is set to the highest level via GPO (Always Notify), is there ANY way at all to do privilege escalation from a Meterpreter session?

The Metasploit module local/bypassuac does not work when UAC is set to ALWAYS Notify.

I have not been able to find anything online about how this can be bypassed.
gheist

Windows 7 works as intended....
Rich Rumble

You can, but I don't know if M$ has patched it yet. Windows 8 by default is always prompt, and UAC can be bypassed: https://github.com/rapid7/metasploit-framework/compare/master...Meatballs1:bypassuac_win81
-rich
btan

The bypassuac with highest will not work, as the author of the exploit contributed into MS (http://www.rapid7.com/db/modules/exploit/windows/local/bypassuac) stated so.
Win 7 UAC Code-Injection: Summary
Setting UAC to its highest level, or using a non-admin account, will prevent the proof-of-concept from working by forcing it to display a UAC prompt. However, neither of those are the default settings of a Windows 7 install.

Win 7 UAC Code-Injection: The good news
All of this only affects the default account type and UAC level of Windows 7 (builds 7000 & 7022, but probably also the retail given Microsoft's stance so far). If you go against the defaults and run as a non-admin user or turn UAC up to the Always Prompt level, so it behaves like it did in Vista, then it is no longer possible for code-injection from unelevated processes to bypass UAC prompts. So the advice remains as before:

If you are using Windows 7 and want to be protected against silent elevation then turn UAC up to the highest level.
http://www.pretentiousname.com/misc/win7_uac_whitelist2.html
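
A defender-side check for the setting this thread turns on, as an added example that is not part of any post: it reads the standard UAC policy values and reports whether elevation can still happen without a prompt. The function name `Test-UacAlwaysNotify` is hypothetical and the two hashtables passed at the end are constructed sample values; the registry value names are the standard UAC policy values.

```powershell
# Added example, not code from the thread. PowerShell 2.0 compatible (Windows 7).
function Test-UacAlwaysNotify {
    param([hashtable]$Policy)   # optional: constructed values for offline checks

    if (-not $Policy) {
        # GPO and the Control Panel slider both write these values.
        $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
        $reg = Get-ItemProperty -Path $key
        $Policy = @{
            EnableLUA                  = $reg.EnableLUA
            ConsentPromptBehaviorAdmin = $reg.ConsentPromptBehaviorAdmin
            PromptOnSecureDesktop      = $reg.PromptOnSecureDesktop
        }
    }
    if ($null -eq $Policy.EnableLUA -or $null -eq $Policy.ConsentPromptBehaviorAdmin) {
        throw 'EnableLUA or ConsentPromptBehaviorAdmin is missing; cannot classify.'
    }

    $lua  = [int]$Policy.EnableLUA
    $cpba = [int]$Policy.ConsentPromptBehaviorAdmin
    $posd = [int]$Policy.PromptOnSecureDesktop

    $behavior = switch ($cpba) {
        0       { 'Elevate without prompting' }
        1       { 'Prompt for credentials on the secure desktop' }
        2       { 'Prompt for consent on the secure desktop' }
        3       { 'Prompt for credentials' }
        4       { 'Prompt for consent' }
        5       { 'Prompt for consent for non-Windows binaries (Windows 7 default)' }
        default { "Unrecognized value $cpba" }
    }
    if ($lua -eq 0) { $behavior = 'UAC disabled (EnableLUA = 0)' }

    New-Object PSObject -Property @{
        AdminPromptBehavior = $behavior
        # Slider at the top: consent prompt for every elevation, on the secure desktop.
        AlwaysNotify        = ($lua -eq 1 -and $cpba -eq 2 -and $posd -eq 1)
        # Values 0 and 5 let some or all elevation requests through with no prompt.
        SilentElevation     = ($lua -eq 0 -or (0, 5) -contains $cpba)
    }
}

# Constructed sample values: Windows 7 default, then Always Notify.
Test-UacAlwaysNotify -Policy @{ EnableLUA = 1; ConsentPromptBehaviorAdmin = 5; PromptOnSecureDesktop = 1 }
Test-UacAlwaysNotify -Policy @{ EnableLUA = 1; ConsentPromptBehaviorAdmin = 2; PromptOnSecureDesktop = 1 }
```

Calling `Test-UacAlwaysNotify` with no argument reads the live registry, which is a quick way to confirm that the GPO actually landed on a given machine.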
SOLUTION
btan

This solution is only available to members.
The best you can find in the current situation is to roll back the patch that fixes the issue, and essentially confirm that the patch fixes the issue.
Also do verify if it is working by manually setting UAC to Elevate Without Prompting to see if it works, so that the setup is indeed fine ...
trojan81

ASKER

BTAN, if on the victim PC I right click the payload and run as administrator, I am able to get the meterpreter session and do a GET SYSTEM. If on the victim PC, I simply click the file, I would still establish a meterpreter session but GET SYSTEM will fail. Thus, I know it is the UAC setting.
I will try the bypassuac_injection exploit.
You need an exploit to get that privilege since we always assume the target machine is most restrictive, hence pivoting may help to migrate process to have that system's right to further the modus operandi, or else simply have to get the exploit to gain their privileges...
BTAN,

on a Windows 7 System with the UAC set to high, are you able to get SYSTEM from a meterpreter session?
If so, which exploit did you run to get it?
I'm having trouble finding any evidence online that anyone is able to get past the UAC.
All the UAC vulnerabilities are only due to Win8 remembering approvals in a database and sometimes handing them out unjustly. They plainly do not apply to Win7.
You should be naive thinking Microsoft is incapable of downloading Metasploit and fixing their bugs next month.
ASKER CERTIFIED SOLUTION
This solution is only available to members.